Forgot your password?
typodupeerror
Privacy

Tips on the Prevention of Social Engineering? 23

Posted by Cliff
from the educating-your-employees dept.
SecGuy asks: "I'm constantly bombarded with news about gee-whiz security technology aimed at protecting the "front door" of an organization. Yet social engineering -- and, more broadly, human failures of various kinds -- lead to a large percentage of successful hacks. I'm curious about what systematic approaches (if any) have been successful at building up an organizational immunity towards social engineering attacks and generally reducing the types of human failure that lead to security compromises. A lot of approaches I've seen boil down to hectoring and punishing, which (a) doesn't seem to work well, and (b) generally pisses people off."
This discussion has been archived. No new comments can be posted.

How to Prevent Social Engineering?

Comments Filter:
  • > I guess a while back they had a red team test the effectiveness of this system: the team was able to get in by flashing a credit card that the guard just blindly touched.

    I used to work somewhere where the officer giving our initial security briefing told the story of someone who got in for a week flashing a piece of burnt toast - then lost his job when it was spotted. We weren't told what happened to the guards involved, the intended moral of the story was "if you lose your pass, report it - we won't be pleased, but we'll be much more angry if you lose it and try and cover it up".

    > they were doing war games, so he snuck into the "enemy" camp right past the guards and under the Colonel's tent

    Almost the opposite of a time I remember on a cadet training camp. We were half expecting an attack one night. About 4am, someone in charge decided that if nothing was happening, we ought to have a practice alert. So we all got out of bed and waited to see what the movement allegedly spotted was. A while later (in daylight) when nothing had happened, we were told it was a drill.

    Still later we found out that an attack _was_ planned, and that when our drill alert was called, the attackers thought "How the fuck did they spot us at _this_ distance!" and gave up and went away.
    (We had sentries with radios out, but, being an exercise, they actually knew where our sentries were, and that they didn't have night vision equipment).

    Another night I thought I was in a position to capture someone, but it turned out he just hadn't bothered putting on his referee armband yet.
  • you should create your security policies based on the assumption that any of your lusers might be a spy from a different company/working for the NSA/about to go on a destructive rampage when they find out they've lost their job/etc.


    What happens when one of your head IT people find out they've lost their job/etc.?


    Not everything is as cut-and-dried as you're assuming...


    - A.P.

    --
    Forget Napster. Why not really break the law?

  • Social engineering can also be called conning. A con man is the classic social engineer. Con men play on psychological and sociological patterns. These patterns dictate how people act in certian situations. Essentially, they are fairly deterministic. As programmers know, anything that is deterministic can be measured and manipulated.

    The safeguards that maggard noted above work not because they solve the problem of social engineering, but because they prevent the attacker from getting access to either an individual or information about individuals. They should be considered your first line of defense.

    But, the real culprit is predictability. If I can predict how you are going to act in a particular situation, I can manipulate that situation and measure the results. If most people act in the same manner in particular situations, I can repeat the experiment to get a general rule. The way to prevent social engineering attacks is to reduce the predictability.

    Unfortunately, predictibility and routine are important to both life and business. Your fellow employees like knowing that if they need to get an application installed, they call you on the phone. If you start randomly making up procedures about how to get a piece of software installed, you will reduce social engineering, but infuriate your users. "What do you mean I need to fill out a paper and get a signature from my supervisor? Last week I just needed to call you. John just installed some software and he needed to fax you. Debbie said she needed to fill out a web form."

    Of course, the unpredictable model only works if one person is in control. Once you have two people, it makes the problem even worse.

    In short, use maggard's suggestions to remove the person from the equation where possible and, when not, remove the personal information. Other than that, you are dealing with people. There will always be con men.

    Dave
  • For a while I worked IT at Miami International Airport. They take physical security very seriously. Everyone in the controlled section of the airport (with the single exception of pilots, who are treated specially, since they have to have physical access to planes, but don't actually work in the airport) is required to wear their badge above the waist, picture out, at all times. All doors have card swipes, and everyone who goes through the door has to swipe. Nothing particularly interesting yet, but there are two things that make it effective.

    First, they rotate through people whose job it is to go around breaking regulations and seeing if they get reported - BTW, seeing someone break a regulation and not reporting it is considered just as bad as breaking the regulation yourself.

    Second is the punishment. First offence, of any type, I believe is just a warning of some sort. Second, you have to go to a 4 hour security course. Third, you and your boss have to go to the course. Fourth, you and the president of your company have to go to the course (and if you work for, say, Delta or American Airlines or some large company like that, that's unlikely to happen.) After that, they just don't let you back in the airport.

    It seemed to work very well. First off, because no one has gotten a bomb in there yet, and a lot have tried. Second because it's the only place I've ever seen where no one ever held a door for anyone - or got upset when someone didn't hold one for them.
  • a guy at the last place i worked dutifully sent out warnings of the lovebug virus to everyone in the company, then promptly opened the first one that came to him...
  • See, thats were your wrong.. I will tell you have a social-engineering attack I did on a certain orginizatino (yes, it was legal, the IT department got me to do it).

    Firstly, I got to know some of the higher-up staff members.. then, one day, I went into his office with my laptop to 'show him something'. Blugged into his ethernet port, and was able to sniff all packets, and redirect SSH using the MITM attack. After the hour I was there, I had root access to almost all servers (it was a carefuly chosen day when the upgrade the software on each box).

    But, since they ahve several networks vlan'd, if the network port I got was very high, and hence if I had of plugged into 'any old lan' I wouldnt have been able to do what I did.

    That is an example of how socail engineering can work.
  • Every user with access has to be apprised of the threat, and to know the appropriate channels for handling things like password resets, system failures, etc. They should be made wary of any attempt to garner information that appears to be from the inside, and be told that it isn't poor service to refer requests for sensitive information to an appropriate security manager.

    Note that in the consumer realm, AOL and similar services have made great strides in indoctrinating users with "No one at AOL will ever ask you for your password or credit card information . . ." Nothing will help the truly clueless, but while AOL can't let those people go or deny them access, you can.

  • Announce to your emplyees that there will be security drills, just like there are fire drills. Once or twice a year, hire some people to do their very best to steal something/get access to something. It should be as realistic as possible, perhaps with just a little extra inside information to the attackers, just to be on the safe side.

    They will very likely succeed. After a drill, inform everybody about how the attack was staged, and whether it succeded. This should open their eyes. If people spotted and/or stopped the attack, give them the credit they deserve. You probably won't need any other rewards.
  • we're not concerned about powered network drops (for our unclassified net at least) to unused offices in my building because I work in a secured government facility protected by guards, gates & guns.

    I don't know about your facility but most of the "secure" ones I know do have guests and such come within them. I can't imagine it would be too hard to create a plausable reason to have a meeting, get into some 'secured' part of the building & pop in a wireless repeater. As I noted conference rooms with live drops are great places to leave something plugged in, or better yet an empty office with a device popped behind the trash bin, broadcasting away.

    Firewalls, armed guards & such are great to keep folks out without a reason to be inside. The concern is that if a person can generate a reason to be inside they can find a weakness. The Trojans learned this with a horse, but it could just as well be a salesdroid, "reporter" or other guest. Leaving ports live unnecessarily is not a prudent practice.

  • I forgot one other strategy that is usually rather easy to implement & often popular: 1st & 2nd rate email addresses:
    1. First-rate addresses are a person's primary address, used for "official" business, high-priority contacts. One's address might be "jrandomuser_direct@mycorphq.com" Of course mycorphq.com is only a mail-server, everything else is redirected to the traditionial address. Thus it's clearly a real address but different enough not to be trivially guessed / forged.
    2. Second-rate addresses are used for mailing lists, NYT-signups, buying via Amazon, given out to buddies, used for generic stuff. One's address for these is usually a plausable but different address then the primary one, "jrandomuser@mycorp.com". This address is easily discovered but peers know it's not your primary address, material from it is suspect.
    The advantage of this is that folks can use it to pre-sort what kind of mail they're likely to get and how important what they're sending / using is. Sales-sheet to a customer: first-class. Latest pass-around-joke: second-class. Memo to whomever: first-class. Registration for /.: second-class.

  • Sometimes I think users go out of their way to be stupid. One of my friends who heads up IT for a medium-sized, nation-wide company sent out a warning to everyone to watch out for this new trojan horse because one machine in the company had already been infected. One of the employees got curious about this trojan horse, so he did a web search for it, clicked the first link that popped up and the site was kind enough to automatically download & install the trojan on his machine. I think that one tops the free drink holder story if only because I know it's true.

    -"Zow"

  • i think one of the biggest security problems with security in the workplace today is sticky notes, they are an ideal place to write passwords, and people take advantage of this. Ban sticky notes!
  • The current crop of email .VBS viruses ought to be considered as examples of social engineering, since they fool the user into screwing up his own system. If you want to drop your IT costs, it's worthwhile to make sure your organization doesn't have to deal with cleaning up after an infestation.

    I've found that education is useless to combat these; you can tell people a million times how to recognize a virus, but they still open the attachment because "I didn't know". (There's a very interesting version I've seen recently: it watches the SMTP port, waits for you to send an email, then sends a copy of itself to the same person. No subject, just an attachment. The response from people who got infected? "See what you did to me by using a public computer!")

    Anyway, ranting about stupidity aside, has anyone seen a policy that successfully reduces the damage from email worms?
  • Social engineering shouldn't be a problem. The worst that a stupid luser can do is limited to what a malicious luser can do, and you should create your security policies based on the assumption that any of your lusers might be a spy from a different company/working for the NSA/about to go on a destructive rampage when they find out they've lost their job/etc.

    Security ==> Correctness: If you can't break something deliberately, you can't break it by accident.
  • and you should create your security policies based on the assumption that any of your lusers might be a spy from a different company/working for the NSA/about to go on a destructive rampage when they find out they've lost their job/etc.

    Onee problem with that is the the "lusers" have jobs to do that require access well above what you describe. Another problem is that treating people that way tends to create a self-fulfilling prophecy.

  • Instead of doing a lot of steps, do one at a time.

    The first one is to ensure that, for any sensitive information, you do callbacks. If somebody is hesitant about giving a number, screw them. Once you have a callback response ingrained, then you can try more detailed measures, but you have to get people thinking about security first.

  • by "Zow" (6449) on Saturday May 05, 2001 @10:33AM (#244025) Homepage
    "Out of Office" auto responses are not allowed to propagate outside of the business if allowed at all. They are specifically flagged at creation and blocked at the company?s outbound servers.

    Yes, yes,yes!

    Whenever I post to Bugtraq I get back a ton of autoresponses, usually something to the effect of, "I'm on vacation, so if you need help with one of the servers call Ralph at 1234567." I responded to all of these once in bulk noting that:

    1. I know you're systems primary administrator isn't around
    2. I know the name and number of someone else that probably isn't a full time sysadmin, but has all the power of one (easily manipulated)
    3. I have a great story to tell that person: "I talked to Bill before he took off and he said if I kept having this access problem when he was gone I should call you."
    4. They were sending these autoreplies to anyone who posted to Bugtraq, which certainly contains some of the seediest people in Computer Security
    5. Be glad I, at least, am one of the good guys.

    The ones that responded to my message were generally pleased to hear from me: many noted that all the other responses they got from their autoresponses were downright rude if not just plain obscene (hence they were happy to give my advice more creedance). A couple also noted that they hated using autorepliers, but their management required it: one said he'd use my letter as evidence as to why the policy should be changed.

    So I have to agree 100% with maggard's recommendation here. Actually, they're all good, although some may need slight modifications depending on your environment. For example, we're not concerned about powered network drops (for our unclassified net at least) to unused offices in my building because I work in a secured government facility protected by guards, gates & guns. YMMV.

    -"Zow"

  • by "Zow" (6449) on Saturday May 05, 2001 @09:04PM (#244026) Homepage
    i've found that guards are no match for the evil power of 'looking like you belong there'.

    They are where I work. We don't have rent-a-guards, we have bonified State Police. We actually have multiple levels of security officers, ranging from the unarmed gate guards (I think the theory is to minimize the number of weapons, the same way that Bobbies in England don't carry firearms) to our protective security officers that tote GLOCs and M-16s - most of those are former military. And the arms aren't just for show either: every now and then (always after hours) they do both live-fire and blank-fire exercises.

    Our guards are required to touch the badge of every person coming in. I guess a while back they had a red team test the effectiveness of this system: the team was able to get in by flashing a credit card that the guard just blindly touched. Heads rolled big time over that. Now days they look at the pictures on the badges carefully: I really piss them off when I ride my bike in with my helmet and Oakleys: they actually take a minute (usually squinting) to see that my facial features match.

    I will admit that once inside, people normally get pretty lax: particularly about the badges being worn face out on the upper half of the body. But I saw a guy once who had lost his badge in the cafeteria and security kept him under armed escort like he was a prisoner as he went back to get it. Furthermore, a lot of the laxness comes from seeing the same people every day. If you go into an unfamiliar area usually someone will ask you, "Can I help you?" It's a lot more polite than a formal challenge, but the undertone is there.

    One way to look at it is that a lot of our security measures were adopted from the military. If you want to impliment good physical security, looking at how the military does it is a good place to start. I'm not saying they're perfect: there's always the proverbial corporal who gets busted down to private for falling asleep at his post. I think they've actually gotten better in recent years though as our armed forces has become almost purely volunteers typically of a fairly high calibur. My dad did some special ops during his tour back during the cold war and he loves to tell the story of how they were doing war games, so he snuck into the "enemy" camp right past the guards and under the Colonel's tent, then woke the Colonel up and said, "Excuse me sir, you're now a prisoner of war." You better believe some heads rolled over that one the next morning.

    Which actually brings me to another recommendation: red team. Use people who know how to do social engineering to do a site evaluation of your resistance. Depending on where you work, the size of your company, budget, etc, this could be done by an outside contractor, internal team acting as outsiders (which may in turn pose as insiders, but they aren't allowed to pose as their real persona), or even just get a bunch of your friends to do it (but management has to agree to it regardless: you wouldn't want to get your friends in trouble - this is really only a good idea if you work at a small, hip company anyway).

    -"Zow"

  • by mrzaph0d (25646) <zaph0d.curztech@com> on Saturday May 05, 2001 @02:39PM (#244027) Homepage
    wealthy enough to retire to an island, but too cheap to make an overseas call on his own dime?
  • by stevey (64018) on Sunday May 06, 2001 @06:35AM (#244028) Homepage

    I had a great time, a year or so ago, doing something similar - but in a more lo-tech way..

    I normally get a bus to work, and I've noticed that other bus drivers sometimes get onto the bus, speak to the driver for a while, then get free rides - probably a perk of the job

    So, one sunny Sunday afternoon I dressed up in a fair copy of a bus-drivers outfit - and just randomly got onto buses..

    As long as I said "hi" to the driver, and acted like I knew him/her I usually got away with it - sometimes I'd get strange looks, (hey, its not often somebody with a septum piercing drives busses ;), but nobody ever challenged me..


    Steve
    ---
  • i've found that guards are no match for the evil power of 'looking like you belong there'.

    i was a contractor at a major telephone company and i was asked one time to help move a bunch of laptops (brand new, still in their boxes) from one building to another. i had permission, but the bad part was that only after i'd taken about $24,000 worth of laptops out of the building was i asked where i was going. this was after about 20 trips (80 laptops, 80 monitors, 80 docking stations).

    sure, i had to have a badge to do get in and out of the doors, but there was always someone coming in or out who was willing to hold the door for me. would you make someone carrying a bunch of stuff stop to fumble with their card key when you know you could just stand there a few second longer and hold it open for them?

    when i left there i noticed that if i took my parking card from my new job and clipped it to my belt with the back facing out, i was never challenged as to whether or not i was supposed to be there. (the employees all had to wear badges, and regulations were supposed to be that the badges had to have the picture facing out.) which brings up another point, if you are supposed to wear a badge at a place, why doesn't anyone ever challenge you? because they're embarressed to try since you may be legit. i mean this place used to issue temp badges (stickers that were supposed to be worn at all times), but no one ever wore them because they were a nuisance.

    and security guards are no help unless they actually do something other than sit at their kiosk and read the paper/watch the video monitors..
  • by Deanasc (201050) on Saturday May 05, 2001 @12:05PM (#244030) Homepage Journal
    I'm embarassed to say that once I refused a collect call from the Dominican Republic that turned out to be a client. The thing is just that morning the office manager sent around a memo warning us of suspicious telephone activity from the Carribean. I thought "Ah Ha! Here's some of that suspicous telephone calls they warned me about." And boy was the client pissed off. If it hadn't been for the fact that I was a recent transfer to the department and nobody informed me there was a client in the DR I'd've been fired.

    The point is when you operate a business sometimes it's better to write off a couple thousand dollars of fraud then tick off someone wealthy enough to retire to a Carribean Island.

    Now that I get this off my chest it occurs to me that if the guy was rich enough to retire to an island he could've afforded a quick phone call to clear things up.

  • Social Engineering is effective because it starts with the folks most often overlooked - the front line.

    Clear company policies need to be set up regarding what information is divulged & how. This is of interest not only to IS but to HR (keeping away poachers) and to individuals (stalkers, toner salesmen.)

    Some basic strategies I've used are:

    • The switchboard never gives out direct lines numbers. If someone needs a direct number the person can give it himself or herself.
    • All staff is requested not to give out information regarding other employees. All such calls or emails are to be referred to HR. There calls are then screened, phone numbers are taken and callbacks used. Generally only a message is taken and passed along.
    • Generic accounts are set up for key positions on voicemail & email. Callers requesting the name or contact information for unspecified folks (job titles) are referred to these generic accounts where an AA can sift through them later.
    • Functional addresses & numbers are used where possible. Not only do these maintain privacy & security they also facilitate job turnover/movement (outsiders don't play chase only to discover the person has either left the company or moved to a different position, is no longer who they want.)
    • "Out of Office" auto responses are not allowed to propagate outside of the business if allowed at all. They are specifically flagged at creation and blocked at the company's outbound servers.
    • Identifying information is stripped from client-applications. This includes web-browsers not giving out names or other non-relevant information.
    • The corporate phone & email directories are not allowed to be visible outside of the company. Furthermore their printing or copying is discouraged, made difficult.
    • Laptops are heavily secured as they can provide invaluable information on a company's internals. This means using encrypted file systems, etc.
    • Support & security folks have access to up-to-the-moment company directories that indicate a employee & contractor's names and where they fit in the org chart. Outside calls requesting possibly sensitive information from folks not known personally to the support person are conference-called to someone knowing them to verify their identity. If in doubt a callback is arranged and some method of determining their identity is found even if it means their describing what's in their top left desk drawer.
    • Security is encouraged to be vigilant and backed up! Refusing access, even to a VIP or someone with a good story is respected and the employee commended if the refusal was warranted (doubt is in their favor.)
    • Paper-shredders are made availaible and easy-to-use. In cases of bulk-shreddings special bins (recycling bins sprayed an ugly color) can be used & the shredding will be done by someone else.
    • Outside trash containers are not hidden behind the building but in a secured and/or visible location. If necc. some sort of beautification can be undertaken but putting them where activity will be noted is important, more important then hiding them.
    • Outside access to company resources is heavily controlled. Some possible common-sense measures include not making VPN's full peers on the network but filtering them from sensitive areas, no use of direct-inbound-dialing-to-computers (PC-Anywhere etc.) Furthermore 'unreasonable' hours should be implemented; there's rarely a pressing need to work remotely at 4am even if one employee might want to do so once a month, it's not worth the hazards.
    • "Public" & unused parts of all facilities should not have live network drops without a specific need & their being kept in visible places. Network drops in unused parts of facilities are deactivated from the closet. Large-areas that are unused are completely deactivated. This means no drops behind the couch in the lobby and no working drops in the empty offices/floors.
    • Settings given to outsiders within the company (folks using conference rooms etc.) should be filtered to give only limited access. The handy how-to-get-on-our-network sheets posted on the walls of these rooms *only* give information to 'guest' settings.
    • "Honeypot"-like devices should be placed within the company firewall & monitored. SNMP, network scans or the like traffic should be flagged and correlated with a specific employee with a need / right to do such.
    In my experience many companies leak like sieves. Web pages are full of names & numbers, especially MS Office-created ones replete with embedded names, titles, server-addresses & other identifying information nuggets. Helpful folks are often all too willing to give out names & contact information, especially on weekends and off-hours. Help desks can be snowed by a "remote contractor" or "new employee, not in the directory yet" brandishing their supposed boss's name and demanding information so they can "get their job done".

    The best strategy? Cleaning up the leaks. Providing avenues of communication that are non-specific about their destination. Supporting folks when they refuse to give out information to unverifiable folks, defending them to those denied or their supervisors.

    Finally it's not just a matter of keeping the crackers at bay; it's also stalker ex-dates, aggressive sales-weasels & other unwelcome harassers. While protecting the company folks are also protecting themselves.

Serving coffee on aircraft causes turbulence.

Working...