SECTION 1
The Risks
CHAPTER 1
What is Social Engineering?
A quick consultation with Wikipedia gives a definition of social engineering as, “The practice of obtaining confidential information by manipulation of legitimate users.” This certainly captures some of the elements. At times it can be used to directly obtain confidential information, although all too often the information hasn’t been classified in any way, and the target of the attack may not even have recognized the confidential nature of the information they are disclosing. However, there are other occasions when the action an attacker seeks is not directly designed to manipulate you into disclosing information. Tricking a security guard into giving access to a building, using social engineering techniques, doesn’t directly obtain confidential information: the objective may be to disable a facility and deny access to information.
The manipulation of legitimate users can play an important role in a social engineering attack. However, it is often possible to trick an employee into going beyond their legitimate user rights as a route to the attacker’s objective.
So a more appropriate definition may be:
“To manipulate people, by deception, into giving out information, or performing an action.”
This captures the distinctive aspects of targeting people, and their manipulation, combined with the two main outcomes: direct loss of information and the achievement of some action desired by the attacker.
To identify specific improvements to your security it is vital that you can assess your vulnerabilities in a methodical way. Without this systematic approach you risk wasting investment in areas that are relatively unimportant to your overall security. If you understand the threats that your organization faces and have identified your specific human vulnerabilities, then you can target immediate improvements that offer maximum cost benefit.
Security professionals in the area of IT security have developed tried and tested methodologies for:
- identifying risks;
- detecting vulnerabilities;
- obtaining new information regarding vulnerabilities;
- developing targeted countermeasures based on risk assessments.
To give an established example: if you are responsible for the security of an Internet-facing web server, you can apply the above methodology by:
- Identifying areas of risk through the analysis of:
  - network architecture, to understand the external exposure;
  - the chosen technology platform, focusing on its vulnerability history;
  - the specific web applications deployed, and how they are coded;
  - administration and change control systems.
- Detecting vulnerabilities, either through penetration testing, configuration auditing or code auditing.
- Obtaining specific information regarding existing or new vulnerabilities related to each system component through established information sharing mechanisms and system vendor releases.
- Developing countermeasures by risk assessing new vulnerability information and available resources, such as vendor patches. This translates into:
  - a hardened web server that can withstand attack; and,
  - a protected web server, shielded from attacks.
Not 100 per cent secure, however secure enough: this is the basic principle of risk management.
The above accounts for the day-to-day work of thousands of security administrators around the world, supported by numerous available tools and consulting services.
Working with our clients, we show that a similar methodology can, and should, be applied to social engineering risk.
If you are serious about improving your security, then you must develop similar systems to understand and protect against human vulnerabilities as those currently deployed to protect your IT systems. The same methodology described for securing a web server can be applied to:
- Identifying risks in your information security, related to human vulnerabilities, through analysis of your systems; covered in the early chapters of this book.
- Detecting human vulnerabilities, through systematic testing. The established methodologies we use at ECSC are discussed in the later chapters.
- Sharing information to understand the human weaknesses that attackers can, and do, exploit. The main purpose of this book, and the subject of the majority of its content.
- Developing your countermeasures to give you:
  - resilient people, who are more likely to detect and counter an attack; and,
  - effective systemic improvements to reduce your reliance on people and their weaknesses.
As with our web server example, this will not make you 100 per cent secure. However, it is likely to be a great improvement on your current position.
With many attackers directing their efforts at obviously vulnerable systems, making your systems more secure than the majority under attack can be good enough. There are times when you may be targeted for other reasons, and your defences will need to be much stronger in these cases.
Unfortunately, humans are not as easy to secure as a web server. Fundamentally, however complex, with the right expertise an IT system can be understood. Human behaviour is much more complex. We have all been “programmed” in infinitely complex ways, and therefore will react differently to the attackers’ input. However, there are many human traits that can be modelled to increase our understanding and help predict people’s behaviour when under social engineering attack.
Fraudsters, hackers and tricksters understand this. They use knowledge of human weaknesses to guide them in designing new and more complex attacks. Because the success of these attacks is not guaranteed, they have traditionally carried a high degree of risk for the attacker. You can imagine the life of an old-fashioned con artist and the risk of being caught. However, the advent of the Internet, and the range of modern communication technologies, can give the social engineer the ultimate protection: distance and anonymity.
Let’s take, for example, the “phishing” attack we mentioned earlier: a relatively simple way of exploiting the average online banking customer’s lack of security awareness, and the banks’ fundamentally weak systems, to steal your online identity. The attacker sends a fake email with a compelling reason for you to respond and links you to a realistic-looking website where you log in and divulge your security details in the process.
Not only is the attack conducted from a distance (invariably from a previously hacked computer in a different country to the true attacker), it targets thousands of users simultaneously. The sheer volume of the attack means it doesn’t even have to be very effective to reap significant rewards.
If a criminal attempts a face-to-face social engineering attack, they need to be either very good, or have a workable “get out of jail free card”; we will discuss this in more depth when we look at testing methodologies. With a volume attack, such as that deployed with phishing, you don’t need to be very good to get a handsome return. Imagine, for example, you send 1 000 000 emails and only 5 per cent of the recipients use the online bank you are targeting, and only 0.1 per cent of those fall for the scam. If you find £1 000 in each account compromised then you have just made £50 000, and that is with only 1 in 1 000 of that bank’s customers falling for the con.
The ease of such attacks explains why many attacks are not very well written; the early examples had numerous, simple mistakes in spelling and grammar. However, they worked to some degree and were therefore good enough for the attacker. We are now seeing more sophisticated attacks, with more applied psychology to improve the hit-rate, and fool even the most astute user.
Attackers now adopt more sophisticated techniques to target individuals in all organizations. Therefore we need to develop better understanding of human weaknesses and delve into the psychology of persuasion, if we are to counter them.
Social Engineering Threats
Many organizations, wanting to develop an effective Information Security Management System (ISMS), have looked to the ISO 27001 standard (previously also known as BS 7799, and ISO 17799). This is a broad international standard covering many areas of security, including IT, human resources, physical security and business continuity.
One weakness of the current ISO 27001 standard is that, although in many ways it is broad in its coverage of security, its recognition of social engineering is poor. With only minimal coverage on user awareness and training, it fails to direct people to a fuller understanding of social engineering threats.
However, contrary to many people’s beliefs, the standard is written on the understanding that you may well develop additional countermeasures, over and above the 133 controls currently in Annex A. Close examination of the current mandatory clause 4.2.1 g) reveals, “Controls listed in Annex A are not exhaustive and additional control objectives and controls may also be selected.”
Therefore it is useful to map some social engineering threats to different areas of the standard to identify a complete picture of the risks.
Hidden Information Assets
At the very early stages of your information security risk identification, it is worth spending some time thinking about your information assets. This is especially valuable in thinking beyond the obvious paper files and electronic data. Particular focus should be given to knowledge that key people hold within their heads, as it is often the case that this information is crucial. You may identify critical IT systems that are largely undocumented and rely on the knowledge of key people who manage them, or in some cases wrote the software in the first place.
The type of information that is only held by key individuals can be difficult to secure as your control is limited. A social engineer is only one trick away from getting disclosure of this information, as physical and electronic access controls cannot be applied.
We are quite used to a narrow interpretation of assets as simply being hardware and software. However, we do expect a realistic linkage to information storage and/or processing. We recently came across a rather bizarre interpretation of what information assets are, in the context of an ISO 27001 implementation. In one organization, a consultant had insisted that the projector in the client’s boardroom should be included in the risk assessment. The client had rightly questioned this, as they couldn’t understand its significance for their security. Risk assessments should be formulated in a way that senior managers can understand the issues and make informed judgements.
In this case, the projector wasn’t part of an important information system (they had a spare) and it did...