They prey on you through a combination of phone calls, social media and exploiting online business information. It’s time to wise up
The latest Symantec Intelligence Report found that 36 per cent of targeted attacks by cyber criminals are directed at small firms. One could assume that this is because smaller companies are viewed as softer targets by cyber crooks. However, it could also point to a worrying trend in IT security, where social engineering attacks on several businesses are used to construct a larger, more lucrative attack.
As a professional security engineer, I am often called in to test the internal security of clients’ IT systems. Over the years, I have become fascinated with the area of social engineering, whereby good-natured employees can be persuaded to bend rules or impart information. As mentioned, attacks on internal IT systems can be constructed by piecing together lots of snippets of information and using these to convince others to divulge more important details. No matter how much is invested in firewalls, intrusion prevention solutions and anti-malware technology, I am often amazed at how internal IT security can be undermined by well-meaning employees.
The fact is that data is only as secure as all the businesses that handle it. A social engineer, or “blagger”, trying to access the bank account details of a high-net-worth individual might not start with the bank. He may contact the target’s gym, his local council, or any other organisation that might have processed those bank account details. A social engineer may also trawl LinkedIn, Facebook, Twitter and numerous other resources to find out more about a target, so that he sounds more convincing when he contacts an organisation to request additional information.
Any suitably paranoid security professional will already know how much information can be gathered from online resources, such as social media websites. What seems less widely appreciated is how this information can be used to target not just an individual, but all of the businesses that person deals with. Each business can play a small part in making your information easier to steal.
The recent attack against CloudFlare demonstrates this point clearly. By socially engineering AT&T customer support, the attacker allegedly gained the PIN for the CEO’s mobile voicemail and had calls diverted to another account. A subsequent password reset request sent to the CEO’s Google Apps email account was intercepted by the attacker, because it was sent to the mobile voicemail that the attacker already controlled. The attacker then proceeded to lock out CloudFlare’s system administrators and changed the password on a customer’s email account. Some security experts have suggested that the customer was the real target of the attack. CloudFlare was praised for its transparency in sharing the details of this attack, which enabled the flaw in Google’s two-factor authentication to be fixed.
A security-conscious business will often have procedures in place to defend against social engineering, along with regular staff awareness training. However, these often focus on direct and obvious attacks, such as a caller following a pretext and attempting to obtain a logon password for the Virtual Private Network. What we need to consider is that the most effective attacks are built on a variety of smaller attacks that are barely noticeable. An individual calling up to request someone’s name and whether they are currently in the office sounds completely harmless, but that information can aid in other attacks.
However, it must be borne in mind that social engineers will construct attack scenarios specifically designed to influence users to bend or completely break procedures. An example of this would be where a social engineer calls the reception of a large firm, pretending to be an IT manager who is running late for a meeting with an outsourced provider and saying something along the lines of: “It’s Richard here, I’m caught in traffic, but the cab driver tells me I’m only five minutes away. We’ve got a guy coming in to do some planned maintenance on our server equipment. Can you give him a visitor pass and show him up to my office and I’ll be there as soon as possible?”
In our security tests, by using the correct staff names and reassuring a junior employee that a more senior member of staff is on his way, we have persuaded many employees to break procedure, hand over a badge and allow a complete stranger into the building.
So how can we defend against social engineering to make our internal IT systems more secure? The important point is that social engineering works because it takes advantage of human nature. The hardest targets are employees who are naturally unhelpful and obsessed with rules and regulations. However, these employees are not normally suited to customer-facing roles, despite the fact that they would thwart most social engineering attacks.
Another approach would be to change our perceptions of information and broaden the term ‘sensitive’ to include any information about the business and its staff that it doesn’t actively publish. Staff members’ whereabouts, names, direct telephone numbers, badges and many other apparently mundane pieces of information should be guarded and kept out of the public domain. Such a change seems a little extreme, and most businesses would be reluctant to put such measures in place, arguing that they’re unlikely to be targets for attackers. However, that is precisely the perception that allows these attacks to work.
Businesses need to appreciate that they may form one small part of a larger attack. We need to see the big picture and appreciate the interconnectedness of information, however non-sensitive we believe it to be. As the CloudFlare example showed, hackers are meticulous in their preparations to gain access to a high-value target. It is the responsibility of everyone in the chain to make it as difficult as possible for them to succeed.
By Gavin Watson, Senior Security Engineer and Head of Social Engineering Team, RandomStorm.com