Social Engineering for SecurityBy CIOinsight | Posted 08-22-2003
CIO Insight: What is social engineering?
Mogull: Social engineering is the manipulation of people rather than electronic systems in a security attack. The reality of it is that we all use it on a day-to-day basis-to get a discount at a store, to maybe get into a concert that we're not supposed to get into, and so forth. Successful social engineering can completely circumvent all of our security.
Here's an example: How hard do you think it is to get a UPS uniform? You can buy one on eBay for $50 bucks with 48-hour delivery. How much access do we give the UPS guys? Say this UPS guy comes in early in the morning before anyone else is in the office and he's got a delivery for so-and-so. He walks into the data center with a PDA, plugs it into the computer, and voila. He can suck down anything. Obviously, there are a lot of tools at the disposal of somebody who wants to perpetuate these kinds of problems.
Another example: The cleaning and maintenance staff have access to your entire organization overnight while they're cleaning and maintaining. How do you know that they don't have a Ph.D. in computer science and malicious intent? You don't.
Here's a great story, and it's true: A CEO of a company goes on vacation. The day after he leaves, a consultant, wearing a suit, carrying all the right references, walks in the door of the office and says, "Mr. Johnson hired me and asked me to take a look at your engineering plans. Apparently, there was a technical problem." Someone says, "Oh, he just went on vacation, he's not here." The consultant responds: "Well, you know, I came from out-of-town, I'm only here for basically the one day. This is pretty important, and, frankly, you guys already paid me a lot of money. Is there anyone I could talk to about this?" So this person sits down, spends an entire day going over the engineering plan, and walks out with copies because there are some issues that he needs to work on later. Meanwhile, the CEO gets back from vacation and says: "What consultant?"
A further example. A company went out and did scanning over public networks, and they did it legally. They wanted to find out how much information they could find out about the CIA by just using Internet tools only-no phone calls, nothing else. Know what they found? Phone numbers and the names of people at those desks, internal lines, through DNS registers and through network scanning. They mapped the topology of the network, and then they were able to figure out who was in charge of many of those network sectors. Now you get that information and you make a phone call, and you know now the person's name, you know their internal extension, and you can use that to manipulate: "Hey, Bob, this is Jim over from network engineering. We're having a problem. Can you send me this e-mail, how about this, how about that?" And that's an example of this scanning of the physical and the electronic worlds to gain information.
So we're basically talking about cyber-crime-not necessarily digital break-ins, but also physical break-ins?
Right. Social engineering is a scam, it's a con, and whether it's digital or physical, it depends on what the attack is. When I talk about it, I talk about it in the terms of electronic attacks and how it's used to perpetuate those particular kinds of attacks. Oftentimes, it's manipulation to get the user name and the password. Direct manipulations of corporations for credit card information, other account information. Insider attacks-somebody within an organization that's got some kind of malicious intent-are very large. I also classify former employees in the same vein because they'll often take advantage of another employee to do some kind of internal attack.
How much more of an issue are these kinds of attacks today than they were five or 10 years ago?
If there's a worse anything, it's just that organizations have a higher reliability on their electronic systems, and oftentimes, if you think about 20 years ago, more people have access to those systems than ever had access to them before. But social engineering is a very well-known issue in the security community. It's also one that's a bit more difficult to address than a lot of the traditional security issues because, you know, you can't stop people being from being people, and as much as you'd like, your users are going to make mistakes and they'll be manipulated and everything else. I think it's been a consistent problem.
What do CIOs and CISOs have in their arsenal to battle this problem?
I am not a fan of generic security training. It's useless, absolutely a waste of time. A wall poster about security won't do anything if you don't properly structure your program. So the first step is to get your governance in place. Then you can build you awareness and change your culture. You also train people on security issues. System administrators need a lot of different training than a developer, line employees or senior leadership needs. You need to teach them what to do, how to report problems, how to respond to problems. You have to have a hotline, and usually the help desk is the best place to put this. So if there's something they suspect, be it physical or electronic security, it doesn't matter, they've got one place to report it. I've often heard stories about people reporting laptop thefts to the IT department and not physical security. Is computer theft a technical or physical problem? It's both. Depending on their level of access, employers need to do background checks and not just a criminal background check. If they have access to the data center, I don't care if they've got a garbage can in their hands or if they've got a laptop in their hands, do the same background check. Especially when they're the guys who are there at 3 o'clock in the morning.
Terminated employees are a big problem. I hate to say this because you won't think it's nice, but you know what? Don't give anybody hints that you're going to fire them until you do, unless you really, really, really trust this person. If there's a sense that they're disgruntled at all, then you have to have employee-termination procedures. You have to change all their accounts, changing all their physical access and make sure that they can't go back and do stuff. Now again, it depends on their job role, it depends on what kind of information you have. Monitor usage patterns for unusual access or behavior. By the way, management hates it when I say this, but if you have a positive working environment, you have fewer disgruntled employees.
Are more companies beginning to adopt these policies?
I see some enterprises that are really good and very protective. Financial services is moving a lot more in this direction, some of the more highly security conscious organizations. But most people still can't get their basic security issues solved, and there are a lot of people out there who still just need to stick with the basics. That's because security is a cost center. It can be seen as an inconvenience. Think about security in real life in the rest of the world. It's not something that gets us profit. It's not necessarily where people put their first investments, which I think is unfortunate. If you built a house with no security, with no locks on the windows or doors, you're going to have a heck of a lot of work to do to retrofit it. It's less work and time and cost to integrate it in from the start.
And that's what we do in real life. We do integrate it. We know when we buy a house, we go ahead. Or, if you have a store, okay, you think about what other forms of security you'll need. Here's the safe, here are the door locks, here are the cameras, here are the security practices and policies, and we're going to get insurance if all this stuff fails. Trouble is, many companies haven't been all that great about implementing that same kind of design into their digital systems. Companies need to stop relegating security to a line item of the IT budget and really take a look at how they can best leverage all of their technology investments and use security as a positive tool. That involves the security guys working more closely with the business guys, and making sure that their wants and needs and everything else are aligned. They have to have strong communication. The role of a security department is to enable a business to take the greatest amount of risk it wants to take in the safest way possible.
The IT department is responsible for the overall running of IT systems, so they're the ones who make sure the firewalls are up and configured and are functioning in line with the security team. And then when there's some kind of a potential security incident, the security team is brought in, and they actually look at resolving what the issue is. The security team puts representatives on major projects so that the security needs of the project are dealt with very early on. But oftentimes it's the technology guys that are going to do the nuts and bolts implementation.
How does social engineering affect the culture of a company?
People have to have a modicum of caution. Let's face it, we as people are not naturally distrustful (even though I am, but I'm paranoid and delusional). We're not naturally distrustful, and as such we're open to manipulation, and there are specific psychological techniques that are actually used to manipulate people.
And how much is too much? When do you cross the line from being secure to being paranoid?
You don't need to make people paranoid, not at all. The line is when security interferes with your ability to do business. If you can't get your job done because the security's getting in the way and if it's inhibiting your growth, that's when you've gone too far.