My team and I decided it would be a great opportunity to hold a contest that would showcase whether corporate companies are vulnerable to this attack vector (responding to a “contest”).
We organized the contest by having interested people sign up to take part in two stages of social engineering: information gathering and active attacks.
To keep the contest legal and moral we did not want any person victimized, and no Social Security numbers, credit card numbers, or other personally identifying information would be gathered. Our goal was not to get any of these people fired. In addition, our goal was not to embarrass any particular company, so we also decided that no passwords or other security-related information would be gathered from the companies.
Instead we developed a list of about 25–30 “flags” that ranged from whether the
company had an internal cafeteria, to who handles its trash disposal, to what
browser it uses, and to what software it uses to open PDFs. Finally, we chose
target companies from all sectors of business in corporate America: gas
companies, tech companies, manufacturers, retail, and everything in between.
Each
contestant was assigned one target company in secret, on which he had two weeks
to do passive information gathering. That meant contestants were not allowed to
contact the company, send it emails, or in any way try to social engineer
information out of it. Instead they had to use the web, Maltego, and other
tools to gather as much information as possible and enter all they found into a
professional-looking report.
From the
information gathered we wanted contestants to develop a couple of plausible
attack vectors that they thought would work in the real world.
Then contestants
had to come to our area, sit in a soundproof booth, and make a 25-minute phone
call to their target to implement their attack vector and see what information
they could obtain.
I could
spend the next 20–30 pages telling you what happened at that contest and what
the outcome was, but one thing we found was this: Every contestant obtained
enough information out of the targets that the company would have failed a
security audit. Regardless of the experience level of the contestant and the
pretext, the contestants were successful in accomplishing their goals.
Now on to
what applies here—security awareness. Corporations that care about security
have programs where they train their employees how to be aware of potential
security risks via phone, Internet, or in person. What we found was that
security awareness in those companies was at failure stage.
Why? How
could it be that these Fortune 500 companies that spend millions or more on
security, training, education, and services designed to protect their employees
could be failing at security awareness?
In
reviewing much of the material and methods available for so-called security
awareness, what I have found is that it is boring, silly, and not geared to
make the participant interact or think. Short DVD presentations that cover a
ton of things in a shotgun approach that blasts the participant with a lot of
tiny little facts are not designed to sink in too deep.
What I
challenge you to do as a company or even as an individual is to create a
program that engages, interacts, and dives deep into security awareness.
Instead of just telling your employees why having long and complex passwords is
a good idea, show them how quickly one can crack an easy password. When I am
asked to help perform security awareness training for a client, sometimes I ask
an employee to come up to my computer and type in a password that she feels is
secure. I do this before I release any information about passwords. Then as I
start my presentation on that section I start a cracker against that password.
Usually within a minute or two the password is cracked and I reveal to the room
the password that was secretly typed into my computer. The immediate and drastic effect this has on each person makes a lasting impression. After numerous demonstrations like that, employees will comment on how they now understand how serious having a good password is.
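The lesson of the demonstration above, that a password which looks complex can still be one guess away from a wordlist entry, carries over to screening passwords before they are accepted. The following is an added example, not from the original text: a small screening routine with a constructed common-word list and an assumed offline guessing rate of 10^10 per second; a real deployment would load a breach-derived list instead.

```python
import string

# Constructed stand-in for a breach-derived list of common base words; a real
# deployment would load a large list (hundreds of thousands of entries).
COMMON_BASE_WORDS = {"password", "123456", "qwerty", "letmein", "welcome",
                     "summer", "dragon", "iloveyou", "monkey", "football"}

# Common substitutions that make "P@ssw0rd" look complex while leaving it one
# rule away from "password" in a wordlist-with-rules guess.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a"})

GUESSES_PER_SECOND = 1e10          # assumed rate for the estimate (not measured)
TEN_YEARS = 10 * 365 * 24 * 3600


def normalize(pw):
    """Lowercase, drop trailing digits/punctuation ("Welcome1!"), undo substitutions."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def charset_size(pw):
    """Size of the smallest standard alphabet that contains every character of pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw): size += 26
    if any(c in string.ascii_uppercase for c in pw): size += 26
    if any(c in string.digits for c in pw): size += 10
    if any(not c.isalnum() for c in pw): size += 33   # punctuation and space
    return size


def seconds_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Upper bound on exhaustive search time over the alphabet at `rate` guesses/s."""
    return charset_size(pw) ** len(pw) / rate


def screen_password(pw, min_length=12):
    """Return why a candidate password should be rejected, or accept it."""
    reasons = []
    if pw.lower() in COMMON_BASE_WORDS or normalize(pw) in COMMON_BASE_WORDS:
        reasons.append("matches a common password after undoing substitutions")
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if seconds_to_exhaust(pw) < TEN_YEARS:
        reasons.append("search space exhaustible in under ten years at the assumed rate")
    return {"accepted": not reasons, "reasons": reasons,
            "seconds_to_exhaust": seconds_to_exhaust(pw)}


if __name__ == "__main__":
    for candidate in ["P@ssw0rd1!", "Summer2020!", "correct horse battery staple"]:
        print(candidate, screen_password(candidate))
```

Note that an eight-character lowercase password exhausts in about 20 seconds at the assumed rate, which matches the "minute or two" seen in the demonstration, while a long all-lowercase passphrase passes on length alone.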
When I
discuss the topic of malicious attachments in email, I do not have to show
employees how to craft a malicious PDF but I do show them what it looks like
from both the victim’s and the attacker’s computers when a malicious PDF is
opened. This helps them understand that a simple crash can lead to devastation.
Of course,
this teaching method produces a lot of fear, and although that is not the goal,
it is not a terrible side product, because employees will remember it better.
But the goal is to make them think not only about what they do at work and with their office computers, but also about their own bank accounts, home computers, and how they treat security on a personal level.
I want each person who hears a security presentation or reads this tutorial to review how they interact with the Internet as a whole and make serious changes regarding reusing passwords, storing passwords or personal information in non-secure locations, and where they connect to the Internet. I cannot tell you how many times I
have seen a person sitting in the center of Starbucks on her free Wi-Fi
checking a bank account or making an online purchase. As much as I want to go
up and yell at that person and tell her how quickly her whole life can be
turned upside down if the wrong person is sitting on that same network with
her, I don’t.
I want
people who read this to also think of how they give out information over the
phone. Con men and scam artists use many avenues to steal from the elderly,
those having hard economic times, and everyone else. The phone still remains a
very powerful way to do this. Being aware of the vendors’, banks’, or suppliers’
policies on what they will and will not ask for over the phone can help you
avoid many of the pitfalls. For example, many banks list in their policies that
they will never call and ask for a Social Security number or bank account number. Knowing this can safeguard you from falling for a scam that can empty your
life savings.
Calling
security awareness a “program” indicates that it is something ongoing. A
program means you schedule time to continually educate yourself. After you
obtain all this useful information, then you can use it to develop a program
that will help you to stay secure.