Posts Tagged ‘social engineering’


Security Awareness Training

With the growth in social engineering used to breach organizations, there has been a growing chorus of security professionals pushing for more and better security awareness programs.  However, Dave Aitel of Immunity, Inc. recently published an article that basically states that employee security awareness training is worthless and should not be done.  While I understand Mr. Aitel’s frustration with employees being a security issue, to stop security awareness training is extremely foolish.

“The clients we typically consult with are large enterprises in financial services or manufacturing.  All of them have sophisticated employee awareness and security training programs in place – and yet even with these programs, they still have an average click-through rate on client-side attacks of at least 5 to 10 percent.”

As someone in a consulting firm that also does social engineering assessments, I can confirm Mr. Aitel’s observation of 5 to 10 percent.  However, I can also tell you that organizations we test that do not have a security awareness program or have limited security awareness training are averaging a 20 to 30 percent failure rate.  Based on our work in social engineering and discussions with other professionals that do social engineering, the 5 to 10 percent click-through rate is unfortunately about the best you will get out of people.  People are fallible, some more than others.  So to just drop security awareness training is not a good idea unless you think doubling or tripling your risk is a good idea.

“Because they’re going to do so anyway, so you might as well plan for it.”

This statement is why Forrester recommends the “Zero Trust” security approach and why I developed the Ultra Secure Network.  But while I wholeheartedly agree with Mr. Aitel’s statement, I differ with Mr. Aitel on what that statement means.

Mr. Aitel implies that by improving all of your other security measures you can eliminate the potential that employees will screw up.  Mr. Aitel naively believes that by auditing your periphery, improving monitoring, isolating and protecting critical data, segmenting your network, auditing employee access, improving incident response and instituting strong security leadership, organizations can prevent network threats and limit their potential range.  As I always like to say, “In theory, theory works.”

Yes, there is no doubt that organizations need to improve their security posture.  But Mr. Aitel seems to forget that employees are part and parcel of that security posture.  Ultimately, employees, as well as contractors, business partners and others, need to interact with an organization’s information.  Even if you significantly improve all of your other security controls, people still need to access and interact with an organization’s information assets.  The bad news for Mr. Aitel is that people are fallible.  To ignore that fact is foolish and to bury your head in the sand in the belief that you can prevent every social engineering attack with your other controls is sheer folly.

Security awareness training has its place, but it is not a silver bullet nor is any other security control or approach.  The world is full of risks and a security professional’s job is to minimize those risks and manage the remaining residual risk.  Any security professional that believes they can eliminate risk and sells management on that fact is not going to have a career for very long.

The ugly fact of life is that every security control only minimizes security risk and sometimes you get very lucky and the risk is minimized to zero.  In the vast majority of cases there is some amount of residual risk even when a security control is in place.  If your organization is unwilling to accept the remaining residual risk, then the business function causing that risk needs to be not performed.  As I like to tell people that complain about the PCI DSS, “If you don’t want to comply with the PCI DSS and want to totally avoid a card breach, then don’t accept credit/debit cards for payment.”

So continue to conduct security awareness training, but do not mistakenly believe that it will stop people from creating an incident.  Security awareness training only minimizes the risk that people will make a mistake; it does not eliminate that risk.  This is why security is done in layers, so that when people make that mistake, your other security controls catch the mistake quickly and minimize the impact.


Social Engineering Gains Ever More Credibility

ignosecond – ig no sec ond – \ˈig nə se kənd\ – The time between the moment one does something inherently stupid and the moment one realizes that it is too late to stop the results of that action.  Examples include pushing a locked car door closed and realizing that the keys are in the ignition, or opening an attachment or clicking on a link in an email message supposedly from a business associate or friend and then recognizing the telltale signs of a phishing scam.

It is turning out that the latest breaches were the result of an ‘ignosecond’ by one or more employees that in turn made a security breach possible.  All it took was an email message to personnel that included a piece of malware hidden in a file attachment that exploited a vulnerability, which then allowed the installation of a backdoor and, voilà, another compromise.

This should be a wakeup call to all security professionals.  It does not matter how sophisticated your security technology is, it only takes one person to cancel all that out.  This is why the PCI DSS dedicates requirements in 12.6 to security awareness.  The requirements in 12.6 state:

Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.

  • Educate personnel upon hire and at least annually.  Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
  • Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.

The problem is that a lot of security professionals give only lip service to security awareness training.  Let us face it; security awareness training is not as sexy as security technologies like SIEM and WIPS.  And besides, our users are, well, users.  Even if you train them, they still make mistakes, so why bother with security awareness training?  However, at the end of the day, everything in an organization’s security posture comes down to the people that interact with the information you are trying to protect.  As I stated earlier, it only takes one person having a bad day or a “bad apple” to make all of an organization’s security technology and other controls impotent.

This is why security awareness is such an important part of an organization’s security posture.  Whether you like it or not, there are human beings in the equation and human beings are fallible.  The only way to address this situation is to educate your fellow employees on how to make things secure and avoid being taken in.  But remember, human beings are fallible, so no matter how hard you press security awareness in your organization, you are still going to have incidents.  Therefore, the goal of security awareness training is to minimize the number and impact of those “ignoseconds.”

But we need to be honest about all of this.  Human beings are fallible and we all have our “moments.”  As a result, even with a lot of appropriate security awareness training and periodic reminders, one or more personnel can have a “moment” and create the possibility of a breach.  Even with defense in depth, all it takes is one well crafted attack, a fallible human and your security is breached.  As I have repeatedly stated, security is not and never will be perfect.  And this is particularly true when human beings are involved.

My favorite story about such a situation is from years ago when I was conducting a social engineering attack against a subsidiary of a Fortune 500 company.  We had crafted a very real looking email message from a known Human Resources consulting firm indicating that they were conducting a survey of the subsidiary’s employees on behalf of the corporate parent.  We instructed recipients to log into a phony Web site and take the survey.  All they had to do was use their network logon credentials to gain access to the survey.  We only got two hits before the parent company’s HR department sent out an urgent email message telling employees that our message was bogus.  One of the two people caught was the CFO of the subsidiary that had hired us.  His comment when confronted with the fact of his “moment”?  “I suppose I shouldn’t have done that.”  What an understatement!

But this story points out the problem all security professionals face, and this is one problem that technology is not going to solve.  In the end, people are always going to make mistakes and all we can do is minimize the impact of those mistakes.  Minimizing the impact means real security awareness training coupled with social engineering testing to assess how the security awareness training is working.  In addition, you need to structure your preventative, detective and corrective controls such that you address any points in your controls where one “moment” results in a compromise.  In some cases, you may need to restrict people’s access to certain resources or divide up responsibilities.

Most security professionals loathe social engineering tests and rightly so.  As someone famously said a while back, “When on a witch hunt, you are always going to find at least one witch.”  As I have already stated, everyone has their moments and as social engineers such as Kevin Mitnick have shown, there are always ways to social engineer your way into any organization.  Not that organizations have done themselves any favors in this area.  For the last quarter of a century, most organizations have been focused on customer service improvements.  A by-product of this customer service improvement focus has been to train employees to be customer friendly to a fault.  It is those faults that are now being used against them by social engineers.  While good customer service is necessary, customer service training needs to be coupled with a healthy dose of skepticism to ensure that information is not provided without proper authorization.

The best example of customer service gone awry is from the 2010 DEF CON “How Strong Is Your Schmooze” contest.  This contest was a social engineering exercise against large companies that resulted in some very embarrassing results.  Contestants had two weeks to prepare for their social engineering exercise by conducting research on their target.  Of the 15 organizations contacted and 25 available “flags” that could be obtained, 14 gave up one or more “flags.”  To add insult to injury, the social engineers had only 25 minutes to perform their telephone calls in front of a live audience.  If you have read the report you may have issues with the 25 “flags” that were used (God knows the FBI was very concerned and advised the DEF CON people on what they considered okay information to obtain), but you must remember that if this sort of information was obtainable, then probably just about anything could be obtained.

The lesson to be learned in all of this is that if you are not worrying about social engineering and conducting security awareness training, then you are kidding yourself if you think your organization is truly secure.  Yes, there is little you can do to stop human beings from having “ignoseconds.”  But you can take steps to minimize the impact and one of the most important is to get serious about your security awareness training and to follow that training up with social engineering testing.  Just acting on those two items can make a significant difference in the impact of a social engineering attack.

UPDATE: If you think I’m blowing smoke, here are the results of a survey that confirms what I am saying.


The Reinvigoration Of Social Engineering

Social engineering did not go away, but it seems to have taken a backseat to other attack techniques over the last few years.  With the publication of the results of the social engineering contest at DEF CON this year, the participants in the contest have shown that social engineering is still alive and well and a very successful attack technique.  The following quote from the report on the contest says it all.

“Targeting people has become the most cost efficient attack vector in many situations, and all indications point to this trend continuing to increase.”

Social engineering is one of the most insidious attack techniques around.  Unfortunately, organizations do little to address social engineering and have only made social engineering easier over the years.  Customer service methodologies and training over the last 30+ years have done a great disservice to organizations.  For example, organizations trip all over themselves to be the JD Power customer service leader.  Employees are assessed on their ability to solve a problem on the first customer contact.  Yet in my experience, these sorts of activities typically focus organizations on blindly providing customer service at the expense of the organization’s security.

The organizers of the contest defined 32 objectives or flags that contestants could obtain over a 25-minute call to the target.  These flags were assigned point values based on the perceived difficulty in obtaining them.  While the flags were not considered to be highly sensitive information, the flags were such that one has to wonder if even more sensitive information would have easily been obtained had the contestants been allowed to go after it.

Prior to the contest, contestants were required to develop dossiers and attack scenarios on their targets that were also graded and given a value that became part of their score.  In the 25 minutes, contestants could call their target once or multiple times.

The statistics gathered as a result of the contest bear out the effectiveness of social engineering.  Of the 15 organizations targeted, 14 of them did give up at least one flag.  More troubling is the fact that if a contestant encountered difficulty in obtaining information, all it took to get the information was to hang up, call back and get a different employee.

Another area of concern is the amount of information the contestants were able to obtain through their dossier development.  The use of Google, Google Earth and Google StreetView provided an amazing amount of information for the contestants.  Also used were social media sites such as Facebook, MySpace and LinkedIn.  While Facebook, MySpace and similar sites have garnered the most attention from the media, it was LinkedIn that provided the most information, in a few cases providing the contestants with the ability to develop an organization chart for the target.

Security is only as good as the weakest link.  As this contest points out, an organization’s weakest link is probably its employees – the likely cause of which is a lack of, or only a cursory focus on, security awareness.  The contest just magnifies the fact that organizations have done little or nothing to protect themselves from information leakage by employees.  As I constantly like to remind everyone, security is not perfect.  While you may have a fairly good security awareness program, you are still at risk from social engineering.  As P.T. Barnum liked to say, “There’s a sucker born every minute.”  Humans are fallible and as much as we try, everyone has their moments, but some people have a lot more moments than others.

If you think this is all just a nice exercise and it really does not present a strong enough threat, then go back over the last six months and read all of the news clippings about data breaches and other exploits.  The majority of these attacks are all social engineering based or had a very strong social engineering component.

I highly recommend that you visit the Web site and obtain a copy of their report.  Share the report with your executives, particularly the leader of your customer service area.  Hopefully they will get a clue regarding the amount of information that is inadvertently leaving your organization.


Patching Human Vulnerabilities

This is an excellent post from David Emm on human vulnerabilities, likely the biggest threat to your cardholder data.
