Jenrick IT are specialists at providing cyber security professionals for organisations throughout the UK. Gavin Watson, Senior Security Engineer at 'Random Storm' has kindly contributed the following article about social engineering attacks and how companies can best protect themselves against such threats...

When looking at the security of businesses today, you’d be forgiven for thinking that social engineering attacks are the latest cutting-edge approach. Despite social engineering techniques pre-dating all forms of technical attack, the vast majority of businesses are still hopelessly ill-equipped to detect and prevent attacks against human nature. The reason for this, rather unsurprisingly, is also related to human nature itself. We find it much easier to manage ‘tangible’ security controls such as firewalls, passwords, locks and cameras than ‘intangible’ security issues, such as employees’ susceptibility to flattery, impersonation, or bullying. The vulnerable human nature that attackers target so effectively is also impeding our ability to devise effective defence measures.

The typical approach by security-conscious businesses is to roll out awareness and training material. Such material is designed to provide employees with the knowledge to spot an attack in progress and the skills to respond appropriately. Sadly, this approach will only detect the most clichéd of social engineering techniques. Additionally, if the business has weak procedures, vague security policies and broadcasts too much information publicly, the ‘aware’ employees will remain dangerously susceptible to attack. It is all too easy to denounce employees as the weakest link in the business’s security, and not consider that elements of the business itself may be contributing far more to the problem. As an example, consider the common password reset procedure of a help desk assistant requiring an authorisation email from management.
This is a seriously weak form of caller identification and therefore aids the attacker: an email’s sender address is trivially forged, so the ‘authorisation’ proves nothing about who actually sent it. A social engineer could easily impersonate a manager, send a spoofed authorisation email to the assistant, and have the password of the targeted account reset. That account is now under the attacker’s control, and because it is a genuine internal mailbox it can be used to launch highly convincing spear phishing emails. This could have devastating effects when considering all the information that could be leveraged from the email accounts of key personnel.

Public information can also be used very effectively, and no amount of awareness training is likely to protect the employees. If a social engineer examines employee social media pages, they may find snippets of information that could be used against them. Have you ever posted photos of yourself on a recent vacation? Consider a spear phishing attack whereby an employee receives an email, seemingly from a colleague, explaining that,
“...I’m tempted with this holiday package, it looks almost identical to the one you just went on, what do you think?”
A quick click of the link within could result in an encrypted backdoor into the corporate network. If you believe that you’d be safe from such an attack because you lock down your social media information, think again. Are you absolutely certain that everyone you have a connection to is who they appear to be? Attackers can create fake accounts to ‘bait’ employees into accepting connections. If the business has email addresses publicly available (which the vast majority do), has no clear policies associated with social media and doesn’t implement effective message filters, then this attack method becomes viable. In this case the employee was used to target the business, but it was weaknesses in the business itself that made it possible.

If a business fails to examine its procedures, processes, policies, public information and physical controls from a social engineering perspective, then it is painting a metaphorical target on each and every employee. Even more concerning is that the weaknesses may be so significant that social engineering attacks could go completely unnoticed. Social engineers will leverage weak business procedures to manufacture ‘plausible’ situations that appear innocuous so that they don’t draw attention. These are the deadliest of all attacks. For example, if caller validation and contractor sign-in procedures are weak enough, a social engineer could arrange for a pass and legitimately enter the building. Impersonating an employee and arranging for a meeting room to be freed up for a contractor can be all that is required to breach an organisation’s security, and no one is likely to notice or remember the event.

Too many assessments consist of little more than attempts to ‘blag’ past reception holding a coffee cup, or wearing a hi-visibility vest in the hope of convincing receptionists that you have a valid reason to be entering the building. Such assessments target human nature and identify vulnerabilities associated with specific employees, such as the security guard who considered the coffee cup a clear sign that the “employee” had just stepped outside for a cigarette, or the receptionist who willingly provided too much information, believing the visitor to be a harmless workman from a nearby construction site. Whilst these techniques may well be effective in certain cases, we simply cannot base an entire assessment on them. An analogy would be for a network penetration tester to provide a report detailing a single vulnerability on a single server when the whole network was in scope. Such a report would likely cause outrage, because clients know what to expect from such an assessment. Therein lies the problem: the majority of clients don’t know what makes a good social engineering assessment, and this needs to change.

An obvious solution would be to have professional security consultants perform an assessment to gain insights into the business’s weaknesses. As sensible as this may seem, the reality is that far too many social engineering assessments are poorly executed, rarely target the most relevant areas of a business and provide results that simply raise more questions rather than providing answers. The lack of effective assessments only makes the overall situation worse. So why are social engineering assessments generally ineffective? The reason is that security companies have very little in the way of clear models and frameworks to follow, and clients have nothing to compare the assessment to. If the consultants were successful in breaching the security of the business then the client assumes that the consultants were competent and the test useful. However, they may have only leveraged a single vulnerability and executed a scenario that doesn’t align with the business’s most significant risks.

The most that either the security company or the client typically expects is for a confident, silver-tongued devil to talk their way into the building and trick users into revealing passwords. The report would then detail how a specific employee fell victim to a certain psychological trick, allowing the consultant to achieve their objective. It would certainly be an interesting read, but how do you remediate issues like this? Do you discipline all the employees that fell victim to the attacker? Do you roll out yet more awareness training? Neither is likely to make much difference to an organisation’s security in the long run, especially when you consider employee turnover.

Social engineering assessments have huge potential to help businesses improve security and protect their data, providing that clear models are followed. The assessment scenarios should be designed to identify multiple vulnerabilities in all relevant aspects of the business, not just the employees themselves. The two most critical components of a social engineering assessment are:
• Threat Modelling.
It is critical that the security company engages with the client, prior to the assessment, to identify what the ‘actual’ risks to the business are. In too many cases the client will request the server room as the primary objective for the assessment. Is this realistic? If a real-world attacker wanted to breach the corporate network, it would be far easier and less risky to use spear phishing emails or telephone calls. If they had an opportunity to breach the building’s security physically, then installing a remotely accessible device such as a 3G dropbox or KVM box in a free network port would yield just as much information, over a longer period, with less risk of the perpetrator being caught red-handed. Perhaps the most likely attack would be calls attempting to retrieve customer data such as medical records or financial details. Whatever the likely risks are, these are the areas that need to be focused on first. It is important not to accept an assessment based solely on tailgating in and photographing access to a server cabinet if the attacker’s path of least resistance is to telephone the employees and exploit weak procedures and policies.
• Pretext Design Mapping.
If a consultant is successful in convincing a receptionist to provide a contractor pass so that they can perform routine maintenance unescorted, then a set of specific vulnerabilities has been identified. For example, the most basic procedure of establishing an on-site contact may not have been in place. Therefore, using impersonation to gain access identifies certain issues with reception’s procedures and gaps in awareness training. It is possible to map out social engineering objectives, along with who would be targeted, what techniques could be used, what level of risk is associated and, most importantly, what specific vulnerabilities would be identified in each combination. By mapping out scenarios (or pretexts), the assessment can provide a list of vulnerabilities that can potentially be identified. The client can then make a decision to either play out multiple scenarios to assess as many different aspects of the business as possible, or focus on a ‘relevant’ area of high risk and play out multiple scenarios designed to achieve the same objective. Either way, as long as both parties are clear on what specific vulnerabilities are being identified (be they in procedures, policies, processes, awareness training, public information or physical controls), a remediation plan can be devised.

Using clear models and processes in assessments is the key to tackling the very real threat of social engineering. We are essentially changing the intangible into the tangible, focusing on the business as a whole rather than just the employees, allowing better decisions to be made, and most importantly of all, reducing the threat of social engineering to better protect your most valuable data.

Article kindly contributed by Gavin Watson - Senior Security Engineer at Random Storm

IMAGE SOURCES: With thanks to skorpionsecurity.com and wonderhowto.com

FURTHER INFORMATION
- To visit the Random Storm website, please click here
- To purchase Gavin's new book on social engineering please click here
- Alternatively, you can purchase the book here
- Jenrick IT are specialists at providing cyber security professionals for organisations throughout the UK. If you wish to speak to the team on how we can assist in protecting your business from potential security threats, please call 01932 245 500.