Prevention and Mitigation of Social Engineering Attacks

Prevention and Mitigation of Social Engineering Attacks

Sometimes after I give a speech or security training, people will look very paranoid and scared and say something like, “It just seems there is no hope to even attempt security. How do I do it?”

 That is a good question. I promote having a good disaster-recovery plan and incident response plan because nowadays it seems that it is not a matter of “if” you will get hacked, but “when.” You can take precautions to give you at least a fighting chance at security.

 
Social engineering mitigation is not as easy as ensuring hardware security. With traditional defensive security you can throw money into intrusion detection systems, firewalls, antivirus programs, and other solutions to maintain perimeter security. With social engineering no software systems exist that you can attach to your employees or yourself to remain secure.

Security awareness is not about a 40-, 60-, or 90-minute program once every year. It is about creating a culture or a set of standards that each person is committed to utilizing in his or her entire life. It is not just about work or websites deemed to be “important,” but it is the way one approaches being secure as a whole

Top six steps I tell my clients they can take to prevent and mitigate social engineering attempts:

1. Learning to identify social engineering attacks
2. Creating a personal security awareness program
3. Creating awareness of the value of the information that is being sought by social engineers
4. Keeping software updated
5. Developing scripts
6. Learning from social engineering audits

Learning from Social Engineering Audits

If you have ever broken a limb you know that as you recover your doctor may send you for therapy. As therapists rehabilitate you, you may undergo some stress testing. This type of testing enables your doctors to see whether you have weaknesses that need to be strengthened. The same applies for your business, except instead of waiting for the “break” to occur before you “test,” social engineering audits enable you to stress-test your company before a breach occurs.

The following sections answer a few key questions when it comes to social engineering audits and how to choose the best auditor. Before getting into the depth of social engineering audits, you should know what an audit really is.

Understanding What a Social Engineering Audit Is

In the most basic terms a social engineering audit is where a security professional is hired to test the people, policies, and physical perimeter of a company by simulating the same attacks that a malicious social engineer would use. The two main differences between a malicious social engineer and a professional auditor are:

• Usually, moral and legal guidelines exist that a professional auditor will follow.
• The goals of the professional auditor are always to help and not to embarrass, steal, or harm a client.
• Professional audits generally have scope limitations that are not imposed upon real attackers.

The professional auditor will spend a lot of time analyzing and gathering data on a “target” or client and will use that information to develop realistic attack vectors. While doing this the professional auditor always keeps in mind the goals that are set forth in writing for each audit. This is an essential piece of the puzzle, because going down a path that can have very bad repercussions on both the SE and the target might be tempting. Clearly defined goals can keep a social engineering auditor from making that mistake.

Setting Audit Goals

The professional social engineer must engage in moral and ethical behavior while still stretching across that line that allows him or her to put on the true “black hat” of a malicious social engineer. This means taking note of things that he or she can use to gain access and expose a hole or weakness in a company’s defenses, no matter how low it may seem.

Finding the security gaps has to be balanced with a concern for the individual employees. Companies who are hacked with a social engineering audit often think that firing the employee(s) who fell for the attack fixes the problem and plugs the “hole.” What the client fails to realize is that after an audit, those employees who did fall for the attacks are probably the most secure people in the building at that time.

The professional social engineer must take extra precaution to ensure that the employees are not put into the line of fire. Personally I make it a key point to tell clients that the audit is not about the employees and, as far as I can help it, I do not include names of the employees who were used. In cases where that cannot be helped and I need to include those names, I focus the report on the flaws the company has in its training, policies, and defenses that allowed the employee to falter.

When outlining the goals of an audit with an auditor I outline the level of intensity from 0 to 10 for these key areas:

• To determine whether employees will click on links in emails or open files from people they do not know well, leading to compromise
• To determine whether an employee would go to a website and enter personal or business-related information on that site
• To determine how much information can be obtained via the phone or in-person visits of employees at work or personal places (that is, bars, gyms, daycares)
• To determine the level of security in the office perimeter by testing locks, cameras, motion sensors, and security guards
• To determine the ability of a social engineer to create a malicious USB or DVD that will entice the employee to use it on his or her work computer, compromising the business

Of course, more areas will be tested, but what I try to do is outline closely the goals the company has for this audit. What I find is that companies often do not know what they want. The auditor’s job is to walk them through different avenues into the company and to determine which of those they want tested.

What Should and Should Not Be Included in an Audit

Many different ways exist for testing the outlined goals to see clearly whether a security hole exists in a company. Using all the principles in this tutorial can a security hole exists in a company. Using all the principles in this book can help outline a good plan for attack. However, avoid some things when planning an attack. Things like:

• Attacking a target’s family or friends
• Planting evidence of crimes or infidelity to discredit a target
• Depending on the laws of the land, impersonating law enforcement  can be illegal
• Breaking into a target’s home or apartment
• Using evidence of a real affair or embarrassing circumstance to blackmail a target into compliance.

Things like these should be avoided at all costs because they do not accomplish the goal and leave the target feeling violated. However, the question does come up about what to do if in an audit evidence appears of some of these things. Each auditor must personally decide how to handle these circumstances, but consider a couple of examples.

In one audit, an auditor found out an employee was using the company’s high-speed Internet to download gigabytes worth of porn to external hard drives. Instead of risking the employee’s getting fired he went to the employee and told him he knew, but he didn’t want him to get fired and just gave him a warning to stop. The employee became embarrassed and upset and figured the auditor was going to still report him. He decided he wanted to preemptively combat this attack and he went to the owners and said the auditor was planting evidence of this offense on his computer.

Of course, the auditor had logs and screenshots of when the compromise occurred and the employee was fired anyway. But also the auditor was reprimanded for not coming forward when he found an offense of which the company had a strict policy.

In another account, the auditor found evidence of a man downloading child pornography to his computer and then distributing it to others on the Internet. The auditor knew from the other images on his computer that he had a wife and children and that reporting this would lead to divorce, probably jail time, and the ruination of his career as well as the family’s life.

The law of the land was that child pornography was illegal, as well as morally disgusting and vile. The auditor turned the man in to the company as well as the authorities, which cost that man his career, family, and freedom.

Having a clearly defined “do not” list enhances your audits and keeps you from crossing your own moral and legal guidelines. In one interview I had with Joe Navarro, one of the world’s leaders on nonverbal communication, he made a statement about this point. He said that unless you are a law enforcement agent you have to decide what lines you will and will not cross before you enter into an engagement. With that in mind then what things should an auditor include in audits?

Phishing Attacks: Targeted email attacks that allow a company to see whether its employees are susceptible to attacks through email.

Pretexting In-Person Attacks: Very precise and controlled pretexts are chosen and then performed over the phone or in-person to determine whether employees will fall for them.

Baiting: An in-person attack where access is gained to the target’s building or other property by some method, and USBs or DVDs are dropped that contain malicious files on them embedded with malicious code.

Tailgating (or piggybacking): An in-person attack where the auditor attempts to approach a group of employees to gain access to the building by just following them in.

Physical Security (Red Team): An attempt to gain physical access to an office and take items of value to the company.

This short list can help a professional auditor set some guidelines to define what should and should not be included. Still, one of the largest problems many companies have is trying to pick out a good auditor, one who can accomplish these tasks at hand.

Choosing the Best Auditor

If you broke a limb and the damage was bad, and a doctor told you that you have a chance for only 50% recovery, but that going to see a good surgeon could increase those odds, wouldn’t you search high and low for a good surgeon to fix your problems? And when you found him, what questions would you ask? Wouldn’t you want to see his past work? You would want some proof of his ability to grasp the concepts and perform the tasks that would increase your chances of recovery.

You follow a similar process to find the right auditor. Here are some of the basics that you might want to find out as you speak to an auditor:

Knowledge: Has the team released any research, papers, speeches, or other materials that display they are knowledgeable about social engineering? Are they known in the community for being leaders in this field? You do not want to trust your audit and security to a team that is using outdated methods and is not up on the most recent tactics being used.

Determining the amount of knowledge an auditor and team has is hard to do without a little research. Asking auditors about any papers, articles, or information they have written on the topics is not a bad idea. Make sure the team you hire is at the top of its game.

Experience: Clients often do not want to be identified or named. In my case, many clients do not want to be put on a website or marketing material because they feel this will embarrass them or make them vulnerable. But you can determine the experience of the auditor in other ways. Ask him about the methods he has used and how he implemented solutions in the past.

An auditor often does not want to let all the secrets out of the bag in an initial meeting, but ask him for one or two accounts of attacks he launched, which will help you determine his level of skill.

Contract: Having the audit completely outlined, documented, and limitations set can go a long way toward a successful audit.

Personally, I do not like to work with a ton of limitations because most malicious social engineers do not have any at all. But at least a small subset of rules written out on what is and is not allowed should be agreed upon.

A social engineer wants permission to record phone calls; video-record the building and interactions; and especially if an audit includes physical security, to have written permission to remove items from the premises. An auditor doesn’t want to finish the audit just to be presented with a warrant or a lawsuit.

Also designate an emergency contact person who knows about the audit and can vouch for the auditor and team. If an auditor finds himself in a legal jam he’ll want a number to call. No one wants to be performing a late-night dumpster dive to be met by the police and have to sit the night in jail. Having a contact person provides a “get out of jail free” card and can save a lot of hassle in the long run.

Developing Scripts

One more beneficial thing bears mentioning: develop scripts. Don’t cringe; I don’t mean scripts in the sense that the employee must say X if a situation equals A plus B. I am talking about outlines that help an employee be prepared to use critical thinking when it counts the most. Consider these scenarios:

What is the proper response when someone who claims to work for the CEO calls and demands your password? What do you do when a guy who has no appointment but looks and acts the part of a vendor demands access to a part of the building or property?

Scripts can help an employee determine the proper response during these circumstances and help them feel at ease. For example, a script may look like this:

If someone calls and claims to be from the management office and demands compliance of either handing over information or internal data, follow these steps:

1. Ask for the person’s employee ID number and name. Do not answer any questions until you have this information.
2. After getting the identifying information, ask for the project ID number related to the project he or she is managing that requires this information.
3. If the information in steps 1 and 2 is successfully obtained, comply. If it’s not, ask the person to have his or her manager send an email to your manager requesting authorization and terminate the call.

A simple script like this can help employees know what to say and do in circumstances that can try their security consciousness.

Keeping Software Updated

In our contest, more than 60% of the companies that were called were still using Internet Explorer 6 and Adobe Acrobat 8. Those are staggering statistics.

Dozens if not hundreds of public vulnerabilities exist in those two applications alone. Knowing that a target uses those two applications opens them up for an enormous number of attacks that can be so malicious that all the IDs, firewalls, and antivirus systems cannot possibly stop them. But do you know what can stop them?

The answer is updates. The newest versions of software generally have patched their security holes, at least the majority of them. If a particular piece of software has a horrible track record, don’t use it; switch to something less vulnerable.

In the contest calls, if an employee divulged that the company used Firefox, Chrome, or another secure browser, or FoxIt or the most up-to-date Adobe software, contestants would have been shut down. I am not saying those pieces of software do not experience any problems at all. Exploits for certain versions certainly exist, but this software is significantly less vulnerable. The possession of that information is still valuable but if no exploits are available then the next phase of the attack cannot be launched.

Keeping software updated is the one tip that seems to get the most flack because it takes the most work and can cause the most overhead.

Changing internal policies and methodologies that allow very old software to still be in play can be very difficult and cause all sorts of internal shifts.

However, if a company is committed to security and committed to creating a personal security awareness then committing to these changes will become part of the business culture.

Being Aware of the Value of the Information You Are Being Asked For

Before giving out information to someone, determine whether the person who is calling or interacting with you deserves it. Humans have this built-in desire to want to help and to be helpful to those whom we perceive need it. It is a major way a social engineer manipulates a target into handing over valuable information. Analyzing the person with whom you are interacting and determining whether she deserves the information she is asking for can save you the embarrassment and damage of falling victim.

For example, in the social engineering contest at Defcon one contestant had a pretext that he was a customer of a major antivirus company. He called in with a serious problem—his computer couldn’t get online and he felt it was due to something the antivirus was doing and wanted the technical support representation to do one simple thing—browse to a website.

Malicious SEs often use this attack vector. By driving a victim to a website embedded with malicious code or malicious files they can gain access to a target’s computer and network. In the case of the contest, the website was  not malicious at all, but it was to show that if this were a malicious attack it would have been successful.

The first attempt was laid out like this by the contestant: “I cannot browse to my website and I think your product is blocking me. Can you check by going to this site so I know for sure whether it is your software or not?”

The technical support representative answered well by saying, “Sir, our product would not block you from going to that site; it wouldn’t matter if I can go there or not.” He declined the request.

The contestant did not give up there; after talking a bit more he again tried, “I know you said your product would not block the site, but it worked until I installed your software, so can you please check for me?”

Again he was declined his request: “Sir, I am sorry for that inconvenience but again our product would not block you and my going to the site will not help you fix the problem.”

It seemed as if the request was going to be rejected for good when the contestant tried one last-ditch effort and said, “Sir, it would make me feel better if you would just try going to this site for me. Please, can you help me out?”

This simple request put our technical support rep over the edge and he opened his browser and went right to the site. He had the right idea, he even had the right security awareness answer, but in the end he wanted his “customer” to “feel better” and honored his request. This could have led that company to a major pitfall if it were a malicious attack.

The technical support representative knew that this information was not relevant to that particular call. Like him, you must be determined to analyze whether the information being asked for is deserved and relevant to the person with whom you are interacting. Approaching this scenario from the other angle, what if the contestant were a legitimate customer and the rep had declined to go to that website—what is the worst that could have happened?

The customer might have been a little upset at being declined the request he wanted but it still would not have changed the outcome. The product he had was not the cause of his woes.

A social engineer often uses charm to start a conversation about the weather, work, the product, anything at all, and uses it to reveal the information sought. This is where a good security awareness policy comes into play—educating your employees about what tactics might be used against them can save them from acting out of fear.

In one audit the pretext I used was being the assistant to the CFO. The call center employees had a fear of losing their jobs for rejecting the requests from such a high-level management. Why? They are not given the proper education to know that rejecting that request would not cost them their jobs. At the same time protocols should be in place for the employee to know when a request for information is proper.

I mentioned earlier that creating an atmosphere that makes information seem less valuable is also a tactic used by social engineers to get people to freely divulge this “unimportant” information.

Creating a Personal Security Awareness Culture

My team and I decided it would be a great opportunity to hold a contest that would showcase whether corporate Companies is vulnerable to this attack vector (responding to a “contest”). We organized the contest by having interested people sign up to take part in two stages of social engineering :information gathering and active attacks.

To keep the contest legal and moral we did n ot want any person victimized, and no Social Security numbers, credit cards, and no personal identifying information would be gathered. Our goal was not to get any of these people fired. In addition our goal was not to embarrass any particular company, so we decided also no passwords or other personal security–related information from the companies. Instead we developed a list of about 25–30 “flags” that ranged from whether the company had an internal cafeteria, to who handles its trash disposal, to what browser it uses, and to what software it uses to open PDFs. Finally, we chose target companies from all sectors of business in corporate America: gas companies, tech companies, manufacturers, retail, and everything in between.

Each contestant was assigned one target company in secret, on which he had two weeks to do passive information gathering. That meant contestants were not allowed to contact the company, send it emails, or in any way try to social engineer information out of it. Instead they had to use the web, Maltego, and other tools to gather as much information as possible and enter all they found into a professional-looking report.

From the information gathered we wanted contestants to develop a couple of plausible attack vectors that they thought would work in the real world.

Then contestants had to come to our area, sit in a soundproof booth, and make a 25-minute phone call to their target to implement their attack vector and see what information they could obtain.

I could spend the next 20–30 pages telling you what happened at that contest and what the outcome was, but one thing we found was this: Every contestant obtained enough information out of the targets that the company would have failed a security audit. Regardless of the experience level of the contestant and the pretext, the contestants were successful in accomplishing their goals.

Now on to what applies here—security awareness. Corporations that care about security have programs where they train their employees how to be aware of potential security risks via phone, Internet, or in person. What we found was that security awareness in those companies was at failure stage.

Why? How could it be that these Fortune 500 companies that spend millions or more on security, training, education, and services designed to protect their employees could be failing at security awareness?

In reviewing much of the material and methods available for so-called security awareness, what I have found is that it is boring, silly, and not geared to make the participant interact or think. Short DVD presentations that cover a ton of things in a shotgun approach that blasts the participant with a lot of tiny little facts are not designed to sink in too deep.

What I challenge you to do as a company or even as an individual is to create a program that engages, interacts, and dives deep into security awareness. Instead of just telling your employees why having long and complex passwords is a good idea, show them how quickly one can crack an easy password. When I am asked to help perform security awareness training for a client, sometimes I ask an employee to come up to my computer and type in a password that she feels is secure. I do this before I release any information about passwords. Then as I start my presentation on that section I start a cracker against that password. Usually within a minute or two the password is cracked and I reveal to the room the password that was secretly typed into my computer. The immediate and drastic effect it has on each person has an extreme impact. But after numerous demonstrations like that employees will comment on how they now understand how serious having a good password is.

When I discuss the topic of malicious attachments in email, I do not have to show employees how to craft a malicious PDF but I do show them what it looks like from both the victim’s and the attacker’s computers when a malicious PDF is opened. This helps them understand that a simple crash can lead to devastation.

Of course, this teaching method produces a lot of fear, and although that is not the goal, it is not a terrible side product, because employees will remember it better. But the goal is to make them think not just about what they do not only at work and with their office computers, but also their own bank accounts, home computers, and how they treat security on a personal level.

I want each person who hears a security presentation or reads this tutorial to review how he interacts with the Internet as a whole and make serious changes to reusing passwords, storing passwords or personal information in non-secure locations, and to where they connect to the Internet. I cannot tell you how many times I have seen a person sitting in the center of Starbucks on her free Wi-Fi checking a bank account or making an online purchase. As much as I want to go up and yell at that person and tell her how quickly her whole life can be turned upside down if the wrong person is sitting on that same network with her, I don’t.

I want people who read this to also think of how they give out information over the phone. Con men and scam artists use many avenues to steal from the elderly, those having hard economic times, and everyone else. The phone still remains a very powerful way to do this. Being aware of the vendors’, banks’, or suppliers’ policies on what they will and will not ask for over the phone can help you avoid many of the pitfalls. For example, many banks list in their policies that they will never call and ask from a Social Security number or bank account number. Knowing this can safeguard you for falling for a scam that can empty your life savings.

Calling security awareness a “program” indicates that it is something ongoing. A program means you schedule time to continually educate yourself. After you obtain all this useful information, then you can use it to develop a program that will help you to stay secure.

Learning to Identify Social Engineering Attacks

The first stage in social engineering prevention and mitigation is to learn about the attacks. 

You don’t have to dive so deep into these attacks that you know how to recreate malicious PDFs or create the perfect con. 

But understanding what happens when you click a malicious PDF and what signs to look for to determine whether someone is trying to trick you can help protect you. 

You need to understand the threats and how they apply to you.