How to Fight Social Engineering
As an annual contest shows, social engineering can be an effective way for hackers to obtain sensitive data. Training is one of the best ways to fight social engineering.
Reuters broke news earlier this month that NSA whistleblower Edward Snowden apparently persuaded between 20 and 25 of his co-workers at the NSA to give him their passwords. With this additional insider access, Snowden was potentially able to obtain and leak more documents and data than he otherwise would have.
As sensational as the Snowden story is, social engineering is increasingly common. According to reports by Verizon, in 2011 only 7 percent of reported breaches involved social engineering or other social tactics. In 2012, this figure rose to 29 percent.
To raise awareness for this growing problem, Social-Engineer.org – rather presciently in light of the recent Snowden revelations – hosted its fifth annual Social Engineer Capture the Flag Contest (SECTF) at DEF CON 21 in Las Vegas this past August. SECTF organizers invited 20 volunteers – some with social engineering experience, some without – to attempt to obtain specific bits of insider information – or "flags" – from a list of major companies across various industries.
The value of this information could be immeasurable in the right – or, rather, wrong – hands. As the SECTF report highlights:
"[T]he top two most commonly obtained flags were [identification of company] browser and OS. With these two pieces of information, the simplest way to breach network security would be through a specific phish containing links that would either release malware or lead the target into clicking to a malicious website targeting specific browser/OS vulnerabilities. [Other] flags captured … would be highly useful in the development of strong pretexts, e.g., posing as a member of the janitorial staff to gain entry into an office and collect information that may have been improperly disposed of."
Trust No One?
First, the contestants gathered information from "open" sources (typically publicly accessible Internet sources) over the course of two weeks. Then contestants made live telephone calls to employees of the target company or other insiders. (SECTF organizers provided contestants the ability to spoof the phone number they were calling from for Caller ID purposes.)
During the phone call portion of the contest, the most successful contestants were those pretending to be co-workers. The SECTF report theorizes this is because of the level of trust often found in the co-worker relationship. Fear may also be a factor; one contestant (ultimately disqualified from SECTF for his unethical behavior) manipulated a target company employee by telling her she would lose her job if she didn't give him the information he wanted.
Even though Edward Snowden had the advantage of actually working with the people he was socially engineering, it's not difficult to fake it. "The malicious social engineer does not necessarily need exceptional skill or expertise to be successful," the report points out. All that is required is "good planning and the ability to conduct thorough research on their targets."
As this year's SECTF demonstrated, planning has become especially easy for social engineers because so much of the data they need is readily available on the Internet. One SECTF contestant found an online employee portal and logged in by following an online help document. Collectively, contestants scored more than twice as many points on flags captured during the "open source information" (OSI) portion of the contest as during the phone call portion, even though each OSI flag was worth only half as many points.
Salvo Against Social Engineering
Plugging these data leaks is the first step toward good security against social engineering attacks. Social-Engineer.org accordingly recommends a dual emphasis: first, highly specific policies that keep information usable against the organization off unsecured areas of the Internet; second, a practical element, in that a policy must give employees a safe, repercussion-free environment in which to self-report the rare lapse.
"It needs to be realistic. It needs to be involved. It needs to be personal," says Chris Hadnagy, Social-Engineer.org's chief human hacker.
Training is a big part of this. Hadnagy suggests sending a phishing email to a large sample of employees, then requiring workers who open the phishing link to take a brief online training course on social engineering security. Using this method, Hadnagy claims, companies can see the success rate of phishing attacks drop by over 75 percent. Hadnagy also recommends regular social engineering risk assessments, to catalog and report data leakage and training needs, as well as actual penetration testing.
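To make the measurement behind Hadnagy's suggestion concrete, the following Python script is an added example (it is not Social-Engineer.org's tooling and does not appear in the SECTF report). It models a two-round phishing simulation: each employee receives a link carrying a per-campaign HMAC token, clicks are attributed from constructed web-server log lines, clickers are placed in the training queue, and the click rate of the second campaign is compared with the first. The campaign key, employee names and log lines are all hypothetical.

```python
"""Minimal phishing-simulation tracker (added example; hypothetical data throughout)."""
import hashlib
import hmac
import re

# Hypothetical per-campaign secret. In practice load it from a secrets store;
# the HMAC means tokens cannot be forged or enumerated by someone who sees one link.
CAMPAIGN_KEY = b"replace-with-random-campaign-secret"

# Constructed employee roster for the demo.
EMPLOYEES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Matches the tracking path in a common-log-format line: "GET /t/<32 hex> HTTP/1.x" <status>
LOG_RE = re.compile(r'"GET /t/([0-9a-f]{32}) HTTP/1\.[01]" (\d{3})')


def tracking_token(employee_id: str, campaign_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Unforgeable token that identifies (campaign, employee) without exposing the id."""
    msg = f"{campaign_id}:{employee_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(employees, campaign_id: str, key: bytes = CAMPAIGN_KEY) -> dict:
    """Map token -> employee id so that clicks can be attributed later."""
    return {tracking_token(e, campaign_id, key): e for e in employees}


def clicked_employees(log_lines, token_map: dict) -> set:
    """Return the employees who followed a valid tracking link at least once."""
    clicked = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a tracking hit at all
        token, status = m.group(1), m.group(2)
        employee = token_map.get(token)
        # Unknown tokens (scanners, guesses) and failed requests are not attributed.
        if employee is not None and status[0] in "23":
            clicked.add(employee)
    return clicked


def click_rate(clicked: set, employees) -> float:
    return len(clicked) / len(employees) if employees else 0.0


def reduction(before: float, after: float) -> float:
    """Fractional drop in click rate between campaigns (0.75 means a 75 percent drop)."""
    return (before - after) / before if before else 0.0


def _log(token: str, status: str = "302") -> str:
    # Constructed access-log line; 302 is the redirect to the training page.
    return (f'10.0.0.7 - - [12/Nov/2013:09:14:02 +0000] '
            f'"GET /t/{token} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"')


def run_demo() -> dict:
    """Two campaigns: before and after the clickers complete training."""
    c1 = build_campaign(EMPLOYEES, "q3-2013")
    tok1 = {e: t for t, e in c1.items()}
    log1 = [
        _log(tok1["alice"]), _log(tok1["bob"]), _log(tok1["bob"]),   # bob clicked twice
        _log(tok1["carol"]), _log(tok1["dave"]),
        _log("f" * 32, "404"),                                     # guessed token, ignored
        '10.0.0.9 - - [12/Nov/2013:09:20:00 +0000] "GET /robots.txt HTTP/1.1" 200 24 "-" "bot"',
    ]
    clicked1 = clicked_employees(log1, c1)

    c2 = build_campaign(EMPLOYEES, "q4-2013")
    tok2 = {e: t for t, e in c2.items()}
    log2 = [_log(tok2["frank"]), _log(tok1["alice"])]   # old-campaign token no longer valid
    clicked2 = clicked_employees(log2, c2)

    r1, r2 = click_rate(clicked1, EMPLOYEES), click_rate(clicked2, EMPLOYEES)
    return {
        "training_queue": sorted(clicked1),   # who gets the online course after round one
        "rate_before": r1,
        "rate_after": r2,
        "reduction": reduction(r1, r2),
    }


if __name__ == "__main__":
    print(run_demo())
```

Because the token is keyed per campaign, a link from the first round does not register as a click in the second, and the tracker counts each employee once no matter how many times they click, which is what a before/after rate comparison needs.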
One company that could particularly benefit from this advice is Apple. The only big technology firm among this year's SECTF targets, Apple performed the worst by far. Contestants were able to score more than 33 percent more points on Apple "flags" than on those from the next worst-performing company (General Motors). This is especially concerning considering news last year that hackers were able to seize control of Gizmodo tech journalist Mat Honan's "entire digital life" by socially engineering Apple's tech support.
Apple employees, however, are far from the only ones who need to be educated about social engineering. "The companies who happened to do well did so accidentally or out of ignorance in [that] they either couldn't answer the question or didn't know how, so the call shut down," says Michele Fincher, Social-Engineer.org's chief influencing agent. "Very few [employees] said, 'I am not allowed to give out this information.'"
You can download the full report here.
Joe Stanganelli is founder and principal of Beacon Hill Law, a Boston-based general practice law firm. His expertise on legal topics has been sought for several major publications, including U.S. News and World Report. He is also a technology writer, communications consultant and produced playwright. Follow Joe on Twitter at @JoeStanganelli.