It has been almost two years since I concluded my initial series of blog entries on “Tales of a Social Engineer” (http://tinyurl.com/ZPR-Tales). In that intervening period, it was my hope, or rather my obsessive longing, that data breaches precipitated by social engineering would be curtailed. It was my hope, or rather my potentially misguided expectation, that there would be calls to action throughout the business world which would lead to a broad increase in awareness with respect to information security and privacy.
But alas, and sadly, this has not been the case. Perhaps I was doing my best Nostradamus impersonation when I stated back in April 2010:
“If you haven’t observed one of these events recently, just wait. It will happen.”
And it has in a very big way. There have been several significant data breaches since that time: Sony, Epsilon (remember them), etc. Granted, not every reported breach during this period was a result of weak controls and processes that led to simplified social engineering and physical security penetration.
However, the world is changing. We see an increased reliance on mobile communication and social networks each and every day. It continues to amaze me that I can rather easily find my way into a secured building. And it is not just the organizations themselves that need to worry. Customers clearly are invested in the security and control of the companies with which they do business.
Clouding (every pun intended) the security equation a great deal is the fact that organizations are rushing head-first into the cloud. Cloud computing clearly offers organizations significant economies of scale. One of the most critical problems, though, is that many companies have not yet successfully integrated the necessary physical, logical, and administrative controls, as well as the overall management of security controls, into their repertoire when assessing their cloud risk factors. There are so many risk considerations with cloud computing that just are not taken into account.
And if you are a customer of Company ABC which places your confidential data into the cloud…somewhere…will you think twice about the safety and security of that data? If Company ABC has been around forever, have you (perhaps inappropriately) developed a false sense of security and trust about the company?
It might seem like I am digressing a bit from my desire to talk more about my ongoing concerns related to social engineering. However I beg to differ. With the speed with which our own personal data is being migrated by trusted corporations from secured locked-down facilities to “disconnected” and geographically diverse locations in the cloud, we have a significant increase in the available attack vectors for someone to socially engineer their way into a data container that houses our non-public, personal data. If I can successfully engineer my way into a building owned by one company, there may be an increased chance that I can find my way into a building that contains a cloud repository which houses your data.
One of my current clients recently hosted an (internal) event meant to help build awareness of privacy in general. I volunteered to sit at a table and discuss risks related to cloud computing. While there were a handful of people I spoke with who understood what cloud computing is at its core and what it means to their organization, many did not truly understand the serious nature of risk associated with cloud computing. To my query of “tell me what you think cloud computing is”, there were numerous responses similar to “isn’t that what my spouse and kids are doing with their iPhones and iPads?”
While Apple’s iCloud is in fact one simplified form of cloud computing, having that as the basis of so many people’s total understanding of cloud computing is rather troublesome, especially given the speed with which companies are taking on a myriad of cloud computing projects.
But back to social engineering. Not too long ago, we performed social engineering and physical security testing for another one of our clients. And not much has changed at all since my Tales series. There were 5 primary components to this “successful” testing. These included the following:
1. Physical Intrusion
2. Social Networking
3. Telephone Social Engineering
4. Portable Memory Device Test
5. Email Phishing
The tests provided for a number of head-scratching moments. I should note that I don’t mean that from the perspective of the client in question. We were there to help them identify their weaknesses and they relished the opportunity to act on those which were identified. What concerns me the most is that I see no general improvement in awareness from one client to the next over the course of the last few years.
Either way, a few (sanitized) details should provide some points you may wish to internalize. Stretch your brain a bit and try and remember one of the things I noted back in my original series…In order to best flush out and identify weaknesses, you need to think like a criminal. Use that as the context for the following raw data.
With respect to Physical Intrusion, some of the key points to note include, but were not limited to, the following:
- Reconnaissance of two facilities in question was performed and key data was collected without being noticed by any single employee or guard/security. This included the corporate office and the data center.
- Diversionary tactics were utilized in conjunction with “piggy-backing” for two of our operatives to gain their way through the security checkpoints and into both facilities.
- Both operatives were able to spend the entire day in the building(s) without anyone questioning their presence. During this time, they observed multiple instances of non-public personal information items in plain view and at risk of breach.
For the Social Networking portion of the testing, our underlying purpose was to test the overall state of awareness with respect to secure and safe practices while engaging in on-line social networking activities. For a provided sample of employees, we attempted to determine if any engaged in the following:
- Publicized their affiliation with the client
- Posted any information related to the client
- Could be persuaded to reveal sensitive information related to the client
From our sample of employee names provided to us, we identified two who listed the client as their employer on Facebook. In one of the two instances, we were able to masquerade as a former employee of the client and used that as the basis for obtaining information (via chat) which would not normally be publicly available. This also included information that related to telecommuting and remote login practices.
Clearly, a smiling face or open ear disarms many people and makes it much easier to obtain sensitive information.
For the Telephone Social Engineering portion of the testing, our underlying purpose was to test the security awareness of employees with respect to disclosing confidential and private information. For a provided sample of employees we performed the following:
- Made calls to the client’s customer service department claiming to be one of the client’s customers.
- In these calls our operatives attempted to persuade the client’s customer services representatives to perform actions and release information to a caller who could not provide the proper PIN and PIN-like information normally required of all customers seeking assistance.
All of our client’s customer service representatives who were engaged as part of our testing followed procedure and did not disclose any information. While this is a satisfactory result, it is not a cause for joy. With enough time, energy, persistence, and a larger sample population, someone would likely have divulged some piece of information to us. That’s just the way it is. You catch someone at the right time, during a moment of weakness, and you will obtain information.
For the Portable Memory Devices portion of the testing, our underlying purpose was to test the security awareness of employees with respect to safe use of portable memory devices. Twelve USB flash drives with interest-piquing labels and containing (innocuous) executable code were left in public areas of the client’s corporate office (again, this was after we had successfully penetrated the client’s physical security perimeter). If a drive were to be inserted into an employee’s USB port on their PC, a message would be generated to the client’s Security Officer indicating that the code on the drive had been executed.
This test also proved to be satisfactory for the client. In fact, several of the flash drives were brought to the attention of the client’s Security Officer. This is the kind of awareness and action that is required of every single employee. Flash drives are so ubiquitous today that safe handling and specific awareness training is mandatory in order to help mitigate the associated risks.
Our final piece of testing was the Email Phishing Attack. For this portion of our testing, our underlying purpose was to test the security awareness of a sample of employees with respect to safe email practices. A simple, typical tactic was utilized. An email was sent that noted the person was a finalist in a cruise contest and requested the person click on an embedded link in order to continue the processing of their award.
This test also proved to be satisfactory for the client.
In closing, I want to reiterate that the tests utilized for this one client are not complicated in nature and could be utilized with any company. And given the laws of probability, they would likely result in several remediation needs.
But that is where the problem lies with respect to social engineering. Social engineering is not a logical or binary attack vector. It is not a yes/no question. It is not a Boolean value. Social engineering relies on the manipulation of human emotions for “success”. As long as there is a fluid nature to the root causes, continual and rigorous awareness training is an absolute must. And don’t forget, social engineering is not limited to the corporate world…It happens on the home-front too.
Death and taxes are absolutes. Unless you are immortal and living in a cave they cannot be avoided. Sadly, social engineering isn’t going away any time soon. In our current society, it too appears to be an absolute. But that doesn’t mean you should raise your hands in frustration and not even try to mitigate the associated risks. There are penalties that can, and will, be levied against organizations and individuals when data breaches occur. As long as you, each and every one of you, make the effort to increase awareness, you at least help to distribute the risk and resulting impact of a data breach.
There are those who will say, “meh, companies like TJX, Sony, Heartland and others can take the hit associated with a breach.” Sure…they may very well be able to recover from the high financial cost of the post-breach paradigm. But what is often forgotten by us, as news readers, is that people have lost their jobs as a result of these breaches. There are countless unwritten stories of pain, hurt, and depression associated with job-loss. Jobs will be lost when a breach occurs.
I once experienced a period of 3 months without work that was a result of economic conditions facing my employer at the time. Those were the worst 3 months of my life. I cannot even imagine what it is like to try to deal with years of unemployment. I wish nothing like this on any of you. Please help prevent this from happening to others. Do your part in raising security awareness within your company, within your home, and wherever else you can. Not only will you feel a little better about yourself, but you will be helping someone else, even if they don’t realize it. Pay it forward…
- Jeff Bamberger