Katherine Abercrombie, Security Consultant at Context Information Security, discusses the threat that social engineering attacks pose and how organisations defend against attackers coming in through the front door.
While investment in cyber defences has been rising steadily, relying on technology alone isn't enough to keep your data secure. Organisations are getting better at raising employee awareness of phishing and phone-based vishing attacks, but physical security, and the risk of a threat that walks in on two feet, is sometimes overlooked. Everything and everyone is part of the attack surface available to a capable attacker, who doesn't need to know how to get through your firewall if they can walk straight into your server room.
This type of threat is called social engineering; simply put it is the clever manipulation of the human tendency to trust. Attackers know that sometimes the easiest way to gain access to a computer system is to simply go after the user. Why waste time trying to crack a secure password when you can just ask for it instead? It is difficult to establish exact numbers around the frequency of this kind of attack, or likelihood of successful compromise. There is no electronic trace for some of these attacks the way there would be with hacking or phishing, and if it’s done well you may not even realise you’ve been socially engineered.
While traditional penetration testing focuses on finding security flaws in hardware and software defences, how do you test your organisation's resilience to social engineering? As a company legally engaged to perform social engineering, Context is bound by laws and contracts that limit the time we can devote to an intrusion attempt and the methods we are allowed to use: no lock picking, for example, and no impersonating real companies or law enforcement. Even so, our success rate is roughly fifty percent across both physical intrusion and vishing (phone-based phishing) engagements. Now imagine what someone without the same constraints could achieve.
Breaking it Down
Whether legally testing a company's physical and procedural security or approaching it as an actual attacker, the rough anatomy of a social engineering attack breaks down into two distinct phases: reconnaissance and the attack itself.
Reconnaissance is aimed at gathering the information needed to choose the best plan of attack and to support the attacker's story if challenged. This might include identifying employees on social media sites such as LinkedIn to target or impersonate; looking for floor plans or visuals on sites such as Google Maps to identify a route in; or finding photographs of employees wearing their ID badges, along with phone numbers and email addresses, on the company website. It may also include simply sitting outside the building in a car or nearby coffee shop to watch people coming and going, observe what physical security is in place, and look for visible ID that can be faked using a simple card printer.
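One concrete reconnaissance step the paragraph above alludes to is turning a handful of harvested addresses into a guess at every employee's address. The script below is an added example, not code from the original article or from Context: it extracts addresses from scraped text, works out which naming convention explains them for people whose names are already known, and applies that convention to names found on a professional networking site that have no published address. The domain, names and addresses are constructed sample data, and the list of candidate conventions is an assumption about common patterns rather than a claim about any real organisation.

```python
"""Infer an email naming convention from addresses harvested during reconnaissance.

Added example, not code from the original article. The domain, names and
addresses below are constructed sample data; the list of naming conventions
is an assumption about what is common, not a claim about any real company.
"""
import re
from collections import Counter

# Constructed sample: text fragments scraped from a contact page, a press
# release and a "mailto:" link on a hypothetical company website.
HARVESTED = [
    "Press enquiries: jsmith@example-corp.test",
    "Contact our finance team at agarcia@example-corp.test",
    "mailto:rpatel@example-corp.test",
    "General: sales@example-corp.test",
]
# Constructed sample: the same people, as found on a professional network.
KNOWN_PEOPLE = [("John", "Smith"), ("Ana", "Garcia"), ("Ravi", "Patel")]
# Constructed sample: employees found online with no published address.
TARGETS = [("Priya", "Nair"), ("Tom", "Baker")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Candidate conventions (assumed common patterns), each mapping a lower-case
# (first, last) pair to the local part of an address.
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast": lambda f, l: f[0] + l,
    "firstl": lambda f, l: f + l[0],
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "lastf": lambda f, l: l + f[0],
}


def extract_addresses(fragments):
    """Return every email address in the fragments, lower-cased, in order."""
    found = []
    for fragment in fragments:
        found.extend(m.lower() for m in EMAIL_RE.findall(fragment))
    return found


def infer_format(addresses, people):
    """Pick the convention that explains the most harvested addresses.

    Returns (format_name, domain); format_name is None if no convention
    matches, e.g. when only role accounts such as sales@ were harvested.
    """
    if not addresses:
        raise ValueError("no addresses to learn from")
    domain = Counter(a.split("@", 1)[1] for a in addresses).most_common(1)[0][0]
    local_parts = {a.split("@", 1)[0] for a in addresses if a.endswith("@" + domain)}
    votes = Counter()
    for first, last in people:
        f, l = first.lower(), last.lower()
        for name, fmt in FORMATS.items():
            if fmt(f, l) in local_parts:
                votes[name] += 1
    if not votes:
        return None, domain
    return votes.most_common(1)[0][0], domain


def candidate_addresses(targets, format_name, domain):
    """Apply an inferred convention to names that have no published address."""
    fmt = FORMATS[format_name]
    return [f"{fmt(first.lower(), last.lower())}@{domain}" for first, last in targets]


if __name__ == "__main__":
    harvested = extract_addresses(HARVESTED)
    fmt_name, domain = infer_format(harvested, KNOWN_PEOPLE)
    print(f"convention: {fmt_name}, domain: {domain}")
    if fmt_name:
        for addr in candidate_addresses(TARGETS, fmt_name, domain):
            print("candidate:", addr)
```

Run against your own organisation's public footprint, the same script shows how predictable your staff's addresses are from three or four published ones; that predictability is one reason identity verification has to rest on details that are not available online rather than on an address or a name alone.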
With this information gathered, an attacker can decide how to approach the attack. If physical security is lacking they might simply try walking in through the front door; if not, they might seek access to the network through phishing or vishing instead. Alternatively, they might combine these methods, for example registering as a visitor by phone or email so that on arrival they are issued a pass and shown straight in, or posing as a repairman who has been called out to fix something urgently.
Successful social engineering relies on manipulating human behaviour to achieve a desired outcome: playing on sympathy or camaraderie to avoid security checks; making someone feel they have done a good deed; making them feel too awkward to challenge a stranger; or using fear or urgency to get the desired result. These are all tools in a social engineer's arsenal. Tailgating incidents are also far too common, exploiting people's reluctance to be confrontational or to interrupt someone who is speaking on a mobile phone, and subsequent friendly behaviour can leave staff with the impression that the attacker was supposed to be there. There is a perception that someone who sneaks into an office will be obvious, acting noticeably suspicious, but this is not necessarily the case; simply acting like you belong is often all the cover that is needed.
How Do We Make It Right?
In social engineering attacks, people are the point of failure. Most employees are reluctant to close a door in someone's face to prevent tailgating, or to challenge their identity, allowing physical and procedural security checks to be circumvented. Partly this is because we are taught to be polite and to hold the door for someone, particularly if they have their hands full; but it is also fear of reprisal for challenging the wrong person. In many cases the worst security offenders are the most senior employees, who cite being 'too busy' to bother with a long password, or rely on the fact that people know them to exempt themselves from wearing visible ID.
The single biggest factor that can help guard against social engineering attacks is user awareness. Here are a few other simple, but key points to improve security:
- Ensure buy-in from all levels of the company, from the top down;
- Make sure you have a strong security policy in place across the entire organisation and that all employees are aware of the policy and their responsibilities; and
- Encourage employees to challenge anyone without visible ID and to actively prevent tailgating, without fear of reprisal.
At Context we tend to find the same general issues each time we perform a social engineering engagement. So, here are some of the key recommendations:
- Implement multi-level verification for anyone requesting access to secure areas or IT systems, always including a request for a detail that should not be available online. Consider, for example, the hoops you have to jump through to prove your identity when using telephone banking;
- Make sure there is a robust policy in place to verify that any visitors to the office are properly identified and have authorisation from an existing member of staff who can verify the reason for the visit;
- Implement a well-defined policy for dealing with anyone who is suspected of being present without authorisation, such as alerting security and ensuring that the suspect is accompanied at all times until their identity and authorisation can be verified;
- Make sure computer monitors are angled, or external facing windows are tinted, to avoid the contents of the screen being read using camera zoom from street-level or neighbouring buildings;
- Consider using a solution to prevent unrecognised devices, such as laptops, from connecting to the corporate network from any desk or meeting room;
- Conduct social engineering engagements and awareness training to assess your risk and to raise user awareness;
- Encourage employees to remove their ID when they leave the building, making it more difficult for the ID to be observed by an attacker and used to create a credible fake; and
- Install and maintain anti-virus software, firewalls and other intrusion protection and detection systems on corporate computers and networks to reduce the impact of a successful phishing attack against employees.
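The recommendation above about unrecognised devices has a detection-side counterpart: reconcile the leases your DHCP server actually hands out against the asset register, so that a laptop plugged in at an empty desk by someone who walked in is noticed the same morning. The script below is an added example, not code from the original article or from Context. Its log lines are constructed in the style of ISC dhcpd syslog output, and the asset register and every MAC address are hypothetical sample data.

```python
"""Flag unrecognised devices that obtain a DHCP lease on the corporate network.

Added example, not code from the original article. The log lines are
constructed in the style of ISC dhcpd syslog output; the asset register and
every MAC address are hypothetical sample data.
"""
import re
from dataclasses import dataclass

# Constructed sample: approved devices from an asset register, MAC -> asset tag.
INVENTORY = {
    "3c:52:82:aa:bb:01": "LAPTOP-FIN01",
    "3c:52:82:aa:bb:02": "LAPTOP-HR07",
    "b8:27:eb:11:22:33": "PRINTER-2F",
}

# Constructed sample: one morning of dhcpd syslog lines. Line 2 is a laptop
# nobody registered; line 4 is the printer's MAC presenting a different
# hostname, which is what a cloned MAC looks like; line 5 is not an ACK.
LOG_LINES = [
    "Mar 10 08:55:01 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.41 to 3c:52:82:aa:bb:01 (LAPTOP-FIN01) via eth0",
    "Mar 10 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.77 to 00:50:56:c0:00:08 (kali) via eth0",
    "Mar 10 09:13:02 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.78 to 3c:52:82:aa:bb:02 (LAPTOP-HR07) via eth0",
    "Mar 10 09:20:19 dhcp1 dhcpd[812]: DHCPACK on 10.20.30.90 to B8:27:EB:11:22:33 (ubuntu) via eth0",
    "Mar 10 09:21:00 dhcp1 dhcpd[812]: DHCPDISCOVER from 00:50:56:c0:00:08 via eth0",
]

# dhcpd writes "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the
# hostname in parentheses is absent when the client sends none.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str       # normalised to lower case so inventory lookups are exact
    hostname: str  # empty string when the client sent no hostname
    iface: str


def parse_acks(lines):
    """Extract the leases actually granted (DHCPACK) from raw syslog lines."""
    leases = []
    for line in lines:
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def find_anomalies(leases, inventory):
    """Return (lease, reason) pairs for leases that do not match the register.

    Two conditions are flagged: a MAC that is not registered at all, and a
    registered MAC whose client hostname differs from the asset tag, which
    is the simplest indicator of an attacker who has cloned an approved MAC.
    """
    findings = []
    for lease in leases:
        expected = inventory.get(lease.mac)
        if expected is None:
            findings.append((lease, "unknown MAC"))
        elif lease.hostname and lease.hostname != expected:
            findings.append((lease, f"known MAC but hostname {lease.hostname!r} != {expected!r}"))
    return findings


if __name__ == "__main__":
    for lease, reason in find_anomalies(parse_acks(LOG_LINES), INVENTORY):
        print(f"ALERT {lease.ip} {lease.mac} ({lease.hostname or '-'}) on {lease.iface}: {reason}")
```

A MAC allowlist is only a tripwire: an intruder who has photographed a printer label or sniffed the wire can clone an approved MAC, which is why the example also flags a registered MAC that presents an unexpected hostname. Port-based authentication (802.1X with device certificates) on the switch port is the preventive control the recommendation asks for; the reconciliation above is the detective check that tells you when it is missing or being bypassed.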
The threat of social engineering as a route into corporate IT systems seems too often to be overlooked in favour of securing those systems against computer-based attacks. The key to securing your organisation's IT systems lies in preparing for all avenues of attack; locking the front and back doors and all the windows is no good if there's a hole in your roof, after all.
People are a vital and often overlooked component of a security system, part of the attack surface available to an attacker, and without proper awareness and training may be the weak link that exposes your data to the world.
Katherine Abercrombie, Security Consultant at Context Information Security
Image Credit: GlebStock / Shutterstock