Security's Everyman

Tuesday, January 22, 2008

Did I Say That?

Last week I read about the bank robbery where the guy dressed up like a courier and was able to get away with $850,000, and it struck me somewhat funny that I could see that happening. In the past I've worked for a couple of banks and I have no doubt that it could happen pretty easily. Today I saw an article about this and a couple of other Social Engineering attacks that have recently been in the news. Good article that I think you will enjoy reading (site registration is required).

Social engineering has been around for a long, long time. Long before computers. We've all seen the movies or heard the stories about how spies would social engineer people during war to gain secrets that would help their side win the war. This usually involved sex or at least the promise of it. Social engineering can take many routes. It happens via email, over the phone, face to face, and even by paper. They try to get you to divulge information directly or indirectly. They may try to get you to sign something that gives them access to what they want without your knowledge. They may try to get you to answer questions and then use those answers (recorded) to authorize access to their target.

Sometimes they will use flattery (we all have our vanities), they try to confuse you by asking trick or misleading questions, or they may avoid answering your questions with ramblings so that you get off track and allow them to go on their way. Sometimes they play on your sympathies by telling you sad stories, or they may try to take advantage of your generous nature. Often they just come right out and ask and hope that you are either not paying attention, don't care, or are just too stupid. OK, stupid is what they are hoping for.

The successful social engineer relies on a toolbox full of tricks that can hack away at the psychological traits we all share. These traits include human desires to be:

  • helpful or friendly
  • competent in our positions
  • trusting of other people
  • advancing our own cause and career
  • attractive to those we admire or desire
  • perceived as a team player
  • avoiding bad consequences for ourselves or others

But bad people are bad people, and they will want to exploit an employee’s goodness. Your employees should routinely verify:

  1. With whom they are talking, and
  2. That they are entitled to the information they are requesting.

“Your employees should be absolutely sure of this,” Cole notes. They should be encouraged to think carefully and, when in doubt, take a message and check with a supervisor.

The above is a quote from the bankinfosecurity article that helps us to see a little of why social engineering works and what we can do to stop it. This is something that I stress to everyone that I talk to about this. VERIFY, VERIFY, VERIFY the identity of anyone who comes to you asking for information, seeking to work on something in your area, or hoping to find their way somewhere within the building. If they are lost and you don't know them, escort them to where they say they need to go after you have verified their identity. Don't just let them continue to wander aimlessly around the building.

The other thing that the article points out that I want to comment on is the rise of "spear phishing" attacks. We need to teach our employees not to blindly answer emails or phone calls from someone just because they say that they are someone important. An email that looks like it came from the CEO (or anyone for that matter) needs to be verified before you blindly send sensitive information to them. I know the idea of teaching your users how to check email headers makes you sick, but it's worth it if it prevents the leak of sensitive data.
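The header checks that paragraph asks users to learn are easy to automate as a first pass. The following is an added example, not code from the original post, showing the kind of mismatches a reader (or a mail gateway rule) would look for in a "message from the CEO": a Reply-To or Return-Path pointing at a different domain than the From address, and an earliest Received hop that is not one of the company's own mail servers. It assumes example.com is the company domain and uses two constructed messages (example.net and example.org stand in for outside infrastructure); all addresses and hostnames are made up.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not from the original post). example.com plays
# the company's own domain; example.net/.org stand in for outside systems.
LEGIT_MAIL = "\n".join([
    "Return-Path: <jane.doe@example.com>",
    "Received: from workstation.example.com (workstation.example.com [192.0.2.5])"
    " by mail.example.com with ESMTP id A1",
    "From: Jane Doe <jane.doe@example.com>",
    "To: Finance <finance@example.com>",
    "Subject: Q4 numbers",
    "",
    "Please send me the Q4 summary when it is ready.",
])

SPOOFED_MAIL = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    "Received: from mx.example.net (mx.example.net [192.0.2.10])"
    " by mail.example.com with ESMTP id B2",
    "From: Jane Doe CEO <jane.doe@example.com>",
    "Reply-To: <jane.doe.ceo@freemail.example.org>",
    "To: Finance <finance@example.com>",
    "Subject: URGENT wire confirmation",
    "",
    "I need the account list today, reply to this message.",
])


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or '' if none."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def first_hop_host(msg):
    """Host named in the earliest Received line.

    Each relay prepends its own Received header, so the last one in header
    order is the first hop, i.e. the machine that handed the message to us.
    """
    received = msg.get_all("Received") or []
    if not received:
        return ""
    match = re.match(r"from\s+([\w.-]+)", str(received[-1]).strip(), re.IGNORECASE)
    return match.group(1).lower() if match else ""


def header_checks(raw_message, company_domain):
    """Return a list of human-readable warnings; an empty list means nothing odd."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = domain_of(msg["From"])
    if from_dom != company_domain:
        findings.append(f"From address is not in {company_domain}: {from_dom or 'missing'}")

    # Replies silently going somewhere other than the visible sender is the
    # classic spear-phishing tell: the From line is for show, Reply-To is real.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to a different domain: {reply_dom}")

    # Return-Path is the envelope sender the relay recorded, not what the
    # sender typed into From; a mismatch means the two were set independently.
    return_dom = domain_of(msg["Return-Path"])
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path (bounce address) domain differs: {return_dom}")

    hop = first_hop_host(msg)
    if hop and not (hop == company_domain or hop.endswith("." + company_domain)):
        findings.append(f"First mail hop was an outside host: {hop}")

    return findings


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MAIL), ("spoofed", SPOOFED_MAIL)):
        print(label, header_checks(raw, "example.com"))
```

None of these checks proves a message is forged; a legitimate message sent from a personal phone through an outside relay will trip the last one. They are the questions to ask before acting, which is the point of the post: a message with three warnings and an urgent request for sensitive data gets a phone call to the sender on a number you already have, not a reply.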

The important thing is that we make our users aware of social engineering threats and at the very least teach them to not just blindly give out information. If they are unsure then they need to refer the person to management. Teach them to stop and think before acting.

1 comment:

LonerVamp said...

After you've successfully taught all your employees to read email headers, please come back and discuss your experiences. In the meantime, I have retirement to plan for. :)

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.