Protecting Yourself Against Social Engineering

You've probably heard the age-old axiom, "A chain is only as strong as its weakest link." And if you've been around IT security for any length of time, you probably know that most often the weakest link turns out to be us-the organics-the human element. We make plenty of security mistakes ranging from resisting inconvenient security policies to simple forgetfulness.

Unfortunately, social engineering only adds to the security lapses caused by these mistakes. All the security technology in the world doesn't do a lick of good if a bad guy tricks one of your users into giving up a password, opening the door, or falling for some other trick. One of the oldest social engineering tricks is to call up the Help desk pretending to be a legitimate user who's forgotten a password. The Help desk fails to verify the user's identity and ultimately gives the attacker access to the user's account. Another long-standing trick is where the intruder gains physical access to the building by claiming to have forgotten his ID card. Using the telephone and physical entry are classic ploys but far from the latest types of social engineering. Today, you've got to be on guard for phishing and spam over instant messaging (SPIM) attacks as well.

Phishing and SPIM
Phishers have become very talented at creating email messages that look like they come from a legitimate, trusted entity (e.g., your bank). The email is cleverly crafted to look like an official request that asks an unsuspecting victim to update his or her account information or read about an update to a policy by following a link. The link takes the victim to a Web site also crafted to look like the official entity site. When the victim enters his or her credentials, the rogue site records them for later exploitation and returns an error to the victim. Knowing that Web pages occasionally fail to load, the victim is unsurprised by the error and gives up. If the site is sophisticated enough, it recognizes the victim from the previous hit and redirects the victim to the original site.

SPIM attacks are similar to phishing, but they work through IM. Just as you can make an email look like it came from anyone, you can do the same thing with IM. Just consider that after briefly changing my display name to " /?Ø," I become known as the writer formerly known as Randy Franklin Smith. The fact is, if you set up an IM account called "John" or "Kim," people will accept it at face value-at least for a while. As with phishing, an attacker casts SPIM like so much seed without specifically targeted individuals or companies. But that doesn't mean such a broad-based attack isn't a risk to your organization. Thieves aren't choosy when deciding from whom to steal information or blackmail. In an email or IM purporting to be your company's IT department, an attacker can warn an employee about a fast-spreading virus or worm (possibly real) and provide a link that supposedly scans or updates the user's workstation against the threat. If the user obediently downloads the file, the user has actually installed a Trojan horse. Once activated, the program initiates a connection back to the attacker who can then participate on your network under whatever authority and access the compromised user possesses.

Unfortunately, social engineering attacks aren't limited to just your employees. In fact, in certain industries (e.g., banking), these types of attacks most often target customers. Although the customer is at fault when falling for such a scam, the company often gets left holding the bag for the financial loss, and ironically, the customer might hold the company responsible for letting someone else impersonate the customer. The public tends to view such security violations much the same way as when a company's Web site is defaced and often focus on the company's failure to secure the site rather than the miscreants who committed the crime.

Creating User Awareness
To combat social engineering, you must either eliminate the human element or educate it. Although often not possible, occasionally you can eliminate the human element. For instance, more and more companies are implementing self-serve password reset applications on the company intranet. After all, if the Help desk is simply going to ask an employee for his name, social security number, and mother's maiden name, why not turn the job over to a program that can't be cajoled or intimated? Such opportunities are the exception, however. More often, the only option is training and education.

How can you effectively create awareness of and train people to recognize social engineering? Such a challenge takes more than sending a policy memo or requiring a customer to click "Accept" on a Web page. A whole industry exists that can provide training tools, videos, and other aids for creating awareness about security issues. Often, the most effective way to get through to users and customers is to be positive by rewarding compliance and using humor. I've seen humorous videos showing a bumbling employee bounce a long through his day violating one security policy after another and leaving a path of destruction and chaos in his wake. I even know of a security officer who occasionally walks a department after hours and leaves a box of chocolates on every desk that's clear of confidential information.

Or, how about adapting the classic sting operation into something more positive as a way of combating phishing? Here's the concept: Silently set up a Web page on your intranet and record the number of hits to that page. Next, warn employees about phishing and SPIM-teach them how the true destination of links in emails can be hidden and how to recognize them. Finally, encourage everyone to report any suspected cases of phishing, then craft your own fictitious email that tries to trick employees to give up their credentials or download a program. For the users who fall for the scheme, have the Web page or program display a message that reminds them of the danger and allay any fears that you've kept a record that can be linked to them personally. (You might still want to compare the number of users who follow the link to the number of invitations you sent out.) For the more alert users who report the bogus invitation, reward them with some form of recognition.

Educating IT Staff
Educating your IT staff is just as important as educating your users. IT must know what's acceptable to put in email and IMs and what isn't. You need to publish a well thought-out policy that states IT will never ask for user credentials over the phone, through email, or by any other means.

Educating your customers is also important and can pay off with building good will, not to mention reducing investigation costs and even direct financial losses. The Federal Financial Institutions Examination Council (FFIEC), the overall umbrella agency for the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the rest of the nation's bank regulators recognizes this directive. The FFIEC has created a full-color brochure available at http://www.occ.treas.gov/consumer/PhishBrochFINAL-SCREEN.pdf that's designed to educate bank customers about the threat of identity theft and how to recognize phishing and other attempts.

Social engineering isn't going away. And although phishing and SPIM threats are relatively new, the human element isn't. We've been trying to eliminate our dependence on compliance ever since the first business installed automatically locking doors on its exits. To manage the risk of social engineering, look for ways to eliminate the human element and seek effective ways to train and raise awareness.