Social engineering: lethal to corporate America


Social engineering tends to make less security news, as if it were undervalued, when in reality it can be lethal in the hands of a pro. If you doubt just how deadly a social engineer can be, think back to how freaked out the FBI got over the Defcon 18 Social Engineering contest, How Strong Is Your Schmooze. Social engineers may be one of the most dangerous real-world threats facing corporate America.

According to the Social-Engineer site, the Capture The Flag (CTF) contest showed that most of corporate America does not take the threat of social engineering seriously. The companies targeted this year included Microsoft, Google, Apple, Cisco Systems, Symantec, McAfee, Procter & Gamble, BP, Shell, Ford, Walmart, Pepsi and Coca-Cola. Many social engineering contestants contacted these companies' call centers. Besides using Google for information gathering, the social engineers found that social media such as LinkedIn and Facebook provided great resources for gathering leaked information and compiling dossiers on the target corporations.

The full CTF results showed that there is not nearly enough awareness training for all employees. Call center employees were very helpful to the social engineers, giving up information when asked and allowing the contestants to capture and score flags. "Very often, call center employees are overlooked in various employee awareness programs. However, this weak link, at least in the context of this contest, led to the vast majority of the captured flags." Some of these flags would not have been captured had the call center employee pushed back and questioned the social engineer about the fishy nature of some of the questions.

Social engineering contestants successfully captured flags for commonly executed technical attacks, as shown in the graph below:

[Graph: technical attack vectors for which contestants captured flags (storm-socialengineertechattackvectors.gif)]

The CTF results also state, "The other aspect of this that is easy to overlook is that a truly malicious social engineer will not only attack a target at their place of business, but through their personal life as well. If a target appears to be well protected, compromising a spouse or child that may not be as well defended might be the simplest path to a target."

I asked Chris "loganWHD" Hadnagy and Jim "Elwood" O'Gorman from Social-Engineer.Org some questions about their findings. Their answers are noted below as Social Engineers.

Call center employees are often overworked and underpaid. If a person started questioning a caller who was pretending to be someone "superior" (an auditor or such), the employee who pushes back might fear being fired in this day and age of few job opportunities and economic recession. How do you recommend that businesses train all levels of employees to successfully push back without facing real-life repercussions, when most people asking would be in a position of authority and not a social engineer? Do you provide this training?

Social Engineers: This is really a superb question and I first of all applaud you for asking it. Security Awareness Training is key. But like anything, it must start from the top down. If one employee is security conscious and pushes back, he will most likely be fired if he interacts with the boss the wrong way. But if it is a company-wide effort to remain secure, the boss would see that this employee was following protocol and, if anything, be irritated at the inconvenience but proud his employees took it seriously.

Also, it is not a bad idea to have protocols in place so those with the right authority can obtain the information they need. Yes, we do provide security awareness training. We do so in a manner that is much different from most on the market. It is a live, all-day intense session that doesn't just lecture the attendees into a boredom-induced coma; we tell them how the attackers do their evil deeds and then also show them the effects. It makes a very lasting impression that will create a personal security program for those involved.

An important aspect of this is that companies need to provide clear guidance to employees. Then, when the employee follows those rules, the company needs to stand behind the employee regardless of the outcome. This knowledge that the employer "has your back" is very important to get the employee to follow these instructions.

Are most social engineers working as penetration testers or as actual bad guys intent on company harm?

Social Engineers: That is hard to answer because I don't know how many social engineers there are in the world. But I can tell you this: to be a good social engineer, you have to be able to at least step over to the dark side.

I think an easy answer to that might be looking at any sort of "evil" activity. Look at the ratio of criminals to law enforcement. Using that as a guideline, I think it's safe to say there are more "bad guys" than security professionals.

Is it a common tactic in the real world, when malicious social engineers target the spouse or child of a target? Is it a common attack when cyber criminals are after a way in, a way to money, a way to blackmail or scare the target into cooperating?

Social Engineers: Yes, this is a very commonly used attack vector. Look at all the past accounts of Facebook hacks. Basically, "friending" someone or a group of people on the list of your target is an easy way to get friended by them and to gain access to vital information. But in truly malicious social engineering attempts, especially those involving corporate espionage, it is not uncommon to find the attacker using information about the target's wife or children to their advantage, even planting information to ruin a person's reputation and life.

The core concept of this is: attack where the defense is least. If you know your target may be on guard for whatever reason, targeting someone with a connection to the target is a much simpler way to approach the issue. For instance, think of a shared computer in a household. A malicious party can target the teenage son and infect the system with malware that, say, logs keystrokes. Then, when the mother uses the system to check work e-mail later that night, the attacker has those credentials. This is a very common approach for just that reason.

A person's professional and private life can be aggregated from many social media sources, like LinkedIn, Twitter and Facebook. Some social media profiles are practically required to be successful in business. What do you think the right safeguards are when it comes to social media? Do you have guidelines, or do you teach the fine line to walk to keep large corporations, or any size of business, safe?

Social Engineers: Yes, I think social media has its place, but there are a few things that can be done to help protect yourself. First, always consider how much information you want to release on social media. Are pictures of your kids, as well as every sandwich you ever ate, really needed? Your purchases being posted all over the net? Not necessary. Also, lock down your accounts so they are passworded or a person must request permission to be a part of your group. If you have to have a front-facing social media account, then be careful what information you release with it. Does every employee need to have their whole resume as well as all contact information listed? Probably not. Be aware that the information you put online is no longer private. Too often we hear horror stories about issues like password reset questions that can be found on Facebook pages. Don't be surprised when people know the information you put online.

The 2010 Verizon Data Breach Investigations Report (DBIR) stated that most cyber-criminals are working the social engineering side at some point in their attack vector in corporate America. What is the most important Security Awareness training that needs to be stressed? Who trains these employees to beware the social engineer?

Social Engineers: Security Awareness needs to be a personal matter. What I mean is that most security awareness training is all about the company and their data... but many employees have said to us, "What do I care? It is just XYZ's data...not mine." 

Good training needs to bridge that gap to make it very personal, so each person feels the need to be secure in all they do. I personally feel that the training needs to be split between third-party companies and internal security teams to maximize its effectiveness.

You might enjoy reading the full CTF "How Strong Is Your Schmooze" results. Social-Engineer also recently updated its Social Engineer Tool Kit 0.7 - Swagger Wagon Edition. Here is more information about security awareness and here is more about commercial training. I'd like to send a shout out and thank you to Chris "loganWHD" Hadnagy and Jim "Elwood" O'Gorman from Social-Engineer.Org.

Copyright © 2010 IDG Communications, Inc.

  
Shop Tech Products at Amazon