If you've been with us the past few months, we've been talking about the who and why of economic espionage/insider threat. Starting today....we're about to make all you wannabe James Bonds out there understand the how.
A New Degree in Engineering
Still one of the hottest attacks around is one that you really have almost zero chance of defending against. Why? Because it targets people. This attack has been called various things throughout it's existence: con games, social engineering, and most recently: pretexting. The reason it's so hard to stop is that the attack plays on a trait that is generally found to be desirable in human beings: TRUST. (I know, most security pros live in a sort of nebulous state of securanoia.....which is easy to do when you realize everyone is out to steal your data.)
Bottom line, it's far easier to con my way into a building, get customer data, steal some IP.....then it is to hack through your Cisco PIX firewall, then navigate through your domain evading your IDS, and clear the event logs when I'm done. As I tell people all the time, the biggest hole in your firewall are the two glass doors by the Receptionist Desk. Let's take a look at how this happens.....
Kevin Mitnick: Last King of SE
I had the opportunity to meet Kevin a few months ago at an INFRAGARD meeting. Nice guy, very personable, good speaker. Never would have guessed him to be some slick con man. Well, you'd be wrong. Kevin is about the most famous (former) con man around. He's pretty much the poster boy for Social Engineering (SE). Yes, Kevin was doing bad things and was asked to spend some time at a Federally funded rehabilitation facility for his transgressions. His story makes for great reading, and if you haven't already got this book in your security library, his book The Art of Deception: Controlling the Human Element of Security is a must have. Practically a primer for how to identify and defend against these type of attacks. Get it. I've never heard anyone say it was a bad purchase. Many of the examples I'll use are straight out of this book. (If Kevin's reading....thanks man.....you're efforts in this area are really opening some eyes.)
The Video Store
I use this example every time I talk about SE. How hard is it for me to get your credit card information? Well, let's consider the fact that most people are members of one of the major video chains, which almost always includes a brick-and-mortar location near your house. (This is of course, unless you use Netflix). So here's how it goes:
- I find out your name and I find a store near your home.
- I now go and find a store on the other side of town. I stop in around 4:00PM (when the high school kid who works the evening shift starts).
- I explain to Johnny High School that I recently received some great service at his video store. "You guys were the only ones who had a copy of Delta Force II." (Trust me...it's not popular.) I'd love to write a letter to the Corporate HQ thanking them for the great service. To do that I'd need some info form him....store number....manager name...etc. Most kids are going to provide this info freely if they think it'll help a customer. Heck, most MANAGERS will provide this info to you!! "Store number 1154 and the manager's name is Tom Smith? Great..thanks so much."
- I take this store manager/store number info and I call the video store that's actually by your house. Again, I like to call about 30 minutes after school gets out.
- "Hello? Is this the Video Hut on Main and 1st Ave? My name is Tom Smith...manager of Store #1154. Yep, the one on Parker and Elm. What's your name? Hi Amy! I got a customer looking for a copy of Secret Ninja Death Warriors. You guys got one? You do? Great...I'll send him over." Did I ask Amy for any of your customer data? Nope. What are the chances that Amy has actually ever met Tom Smith in person? Marginal. Can Amy check on the network/company directory to see who the manager of Store #1154 is? Sure. Who is it? It's Tom Smith, of course! What I'm doing is building a rapport with Amy. That's key.
- I make the call back to the store by your home a few times in the next few weeks, always trying to speak with Amy. "Hey Amy.....how are you? Looks like your Tigers got beat bad the other night in high school football. Yeah, you'll get them next week. Thanks for helping me last week. Gotta run! TTYL!"
- ...and then one day I call Amy and I'm in a panic "Hey Amy....are your systems up? They are? We had a car hit a telephone pole down the block and we lost our computer systems. I got one of your customers standing here. His name is <insert your name here>. He's in a hurry and we need to get him checked out. Can you give me his membership number, his credit card info, and his last movie purchase? Thanks!". Think Amy is going to give up your data? Darn right. She's dealing with someone she thinks is in authority. No one wants to delay a store manager, with the ability to hire and fire.
(No video stores were harmed in the previous example)
Types of Social Engineering Exploits
Okay, I love to "re-purpose" content, which is perfectly legal so long as you credit the source. This source is from my co-worker, Steve Riley, who's done some great presentations on this as well. Here are some ways that these happen:
- Diffusion of Responsibility ("The VP says you won’t bear any responsibility…") - If targets can be made to believe that they are not solely responsible for their actions, they are more likely to grant the social engineer's request. The social engineer may drop names of other employees involved in the decision-making process, or claim another employee of higher status has authorized the action.
- Chance for Ingratiation ("Look at what you might get out of this!”) - If targets believe compliance with the request enhances their chances of receiving benefit in return, the chances of success are greater. This includes gaining advantage over a competitor, getting in good with management, or giving assistance to an unknown, yet sultry sounding female (although often it’s a computer modulated male's voice) over the phone.
- Trust Relationships ("He’s a good guy, I think I can trust him”) - Often times, the social engineer expends time developing a trust relationship with the intended victim, then exploits that trust. Following a series of small interactions with the target that were positive in nature, the social engineer moves in for the big strike. Chances are the request will be granted.
- Moral Duty (“You must help me! Aren’t you so mad about this?”) - Encouraging the target to act out of a sense of moral duty or moral outrage enhances the chances for success. This exploit requires the social engineer to gather information on the target, and the organization. If the target believes that there is a wrong that compliance will mitigate, and can be made to believe that detection is unlikely, chances of success are increased.
- Guilt (“What, you don’t want to help me?”) - Most individuals attempt to avoid feeling guilt if possible. Social engineers are often masters of psychodrama, creating situations and scenarios designed to tug at heartstrings, manipulate empathy, and create sympathy. If granting the request will lead to avoidance of guilty feelings, or that not granting the requested information will lead to significant problems for the requestor, these are often enough to weigh the balance in favor of compliance with the request.
- Identification (“You and I are really two of a kind, huh?”) - The more the target is able to identify with the social engineer, the more likely the request is to be granted. The social engineer will attempt to build a connection with the target based on intelligence gathered prior to, or during, the contact. Glibness is another trait social engineers excel at, and use to enhance compliance.
- Desire to Be Helpful (“Would you help me here, please?”) - Social engineers rely on people's desire to be helpful to others. Exploits include asking someone to hold a door, or with help logging on to an account. Social engineers are also aware that many individuals have poor refusal skills, and rely on a lack of assertiveness to gather information.
- Cooperation ("Let’s work together. We can do so much.”) - The less conflict with the target the better. The social engineer usually acts as the voice of reason, logic, and patience. Pulling rank, barking orders, getting anger, and being annoying rarely works to gain compliance. That is not to say that these ploys aren't resorted to as a last ditch attempt to break unyielding resistance.
Kevin Says: Stop The Madness! How to Know If You're Getting Played by a SE
So in his most excellent book, Kevin talks about some ways to help reduce the risk of being socially engineered. (You know I like to discuss risk...but it does you no good unless I tell you how to stop it.) Here are some ways to identify if a Social Engineer is engaging you or your employees.
- Refusal to give a callback number
- Out-of-ordinary request
- Claim of Authority
- Stresses urgency
- Threatens negative consequences of noncompliance
- Shows discomfort when questioned
- Name dropping
- Compliments or Flattery
I'm assuming that most of you guys who live in the securanoia realm are aware of things like this. You're "spidey sense" starts to tingle when you get calls like this, or some guy shows up at the front desk trying to talk his way into the building. Problem is, you're employees don't. You can't be everywhere....so you need to take this key info and roll it into your security awareness program.
NEXT TIME: Insider Threat continues with: "How Insiders Move Your Data"