04 Mar
    Author: terry    Categories: Security

    Frequently during the course of a security assessment, we get asked about social engineering. People want to know whether it is really worth the time it takes, and what the point is, anyway. The bottom line is that the access an intruder can achieve, either by physically walking into an office or data center, or by convincing an employee to click on a link or divulge information over the phone, can be one of the quickest routes to a data breach. According to the FBI data security survey in 2009, non-malicious insiders (people who simply make mistakes such as the ones listed below) are a much bigger problem than malicious insiders. In fact, 16% of respondents reported that nearly all of their losses were due to these well-meaning insiders.

    Some of the most common problems we see in organizations that go through social engineering assessments are the following:

    1) Physical access to sensitive information in an office. Many people leave sensitive information lying around. They write their password on a sticky note and stick it to their monitor, or they print out sensitive information and leave it lying on their desk. Most companies do not adhere to strict visitor restrictions and our engineers can easily walk through the office space peeking into cubes and offices, looking for tidbits of information that might be useful to someone with ill intentions.

    2) Physical access to servers. Another common problem is the unlocked machine room. Intruders who make it past the front desk can locate the organization’s machine room and wreak all kinds of havoc from the console of the organization’s accounting server.

    3) Passwords divulged or reset over the phone. Generally speaking, people are helpful when you call them. This covers both help desk personnel and regular employees. We often test for the ability to get someone to either reset a password or divulge their own password over the phone, and find it shockingly easy to do both.

    4) Phishing scams. The fourth attack that we frequently test for in social engineering exercises is the phishing scam. As with the prior example, we find it too easy to create a mock web site and then convince a user to click on a link that we’ve emailed them. This can be a very fast way to install a Trojan horse or some other type of malware on a system within an organization’s security perimeter for later use.

    So what do we do about all these vulnerabilities? The first thing is to test for them. We need to understand the strengths and weaknesses of the particular organization. Some organizations actually protect their physical premises very well, but call the help desk and they will reset a password without verifying the caller’s identity. Some organizations are the exact opposite. Once the organization’s profile is understood, then it’s time to educate the staff and users. Users frequently don’t even think about information security in their day-to-day jobs. But educate them, and they will become a strong line of defense against intruders.

