Internet Security Privacy Policy

Monday, April 30, 2007

Social engineering reloaded Part II

Company X's physical (building) security includes badges for all employees, locked doors, security guards, and restricted access. Employees, however, tend to hold doors open for others and don't tend to check the photos on IDs when doing so. Dumpster areas are gated but unlocked, leaving them open to potential dumpster divers. Phone security is standard, allowing internal transfers and outgoing calls with blocked IDs. Remote access is through a VPN with SecurID; using it requires permission from a superior, and inactive accounts are suspended within 30 days. Wireless access points in the buildings also fall under these restrictions.

As for hardware, remote drives are used, but employees are instructed not to store confidential information on the drives. Laptops are common, but only roughly 30% of users lock them with the provided cables. Shared drives on the internal network are protected by group permissions. On the system level, the company runs weekly virus scans. Security teams have reduced administrative rights on machines so employees can't install rogue programs. Password requirements are fairly standard, requiring a variety of characters, changed every few months.

Software comes standard for each machine. Screen savers are password protected, but not always locked. Most machines are open to Internet access, with the exception of some site blocking. Passwords can be saved in browsers, however. Email suffers from frequent server problems, webmail is not always secure, and IM use internally is rampant.

In the areas where social engineering prevention could be most useful, barely anything is done. When an employee is on the phone with Help Desk support, the employee's number comes up on the phone, but no standard authentication questions are asked by either the Help Desk staff or the employee being helped. Caller ID spoofing would be a very simple way to get a password reset. Security training is available for home network usage and basic encryption, but departments differ in their use of these tools. No standard training is given for new employees, leaving the organization open to staff passing around a wide range of bad habits.

Sadly, Company X's security is not much better than it was ten years ago and it has barely evolved with the times. It's tough enough to keep up with the latest technology, patches, and filters with corporate budget cuts. Security teams tend to get the short end of the stick until the company suffers a major outage from an attack. Since various attacks became more public in recent years, everybody and their brother company claims to be secure - but the reality is that most companies are like Company X, struggling to maintain a basic level of security.

Countermeasures

What could Company X and others like it do to prevent attacks on the social engineering level? On the technical side, they must continue to install spam filters and update software patches, as a bare minimum. Making cryptography standard for email and web access, not allowing passwords to be saved in browsers, and changing to an internal messaging program are key technology steps. The next step would be to develop an incident reporting and tracking program. This way they can discover additional holes in their program and close them. Incident reporting won't necessarily catch the intruders, but it helps to find ways to deter them.

Not to bite the hand that feeds us, but as Mitnick says, "anyone who thinks that security products alone offer true security is settling for the illusion of security." Therefore, training cannot be emphasized enough. New employee training, repeat training, regular updates, and fun security tips can keep the security education process fresh and lively. Some companies now use t-shirts and other paraphernalia to advertise security practices and remind employees to beware of suspicious phone calls and other potential phishing attempts. Help Desk staff need to have proper authentication procedures for all support calls. Security personnel should be adequately trained as well, and screened beyond regular employees in case they themselves pose a risk to the company.
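The Help Desk gap described above (caller ID displayed, no authentication questions asked) and the call for proper authentication procedures on support calls can be turned into a simple, auditable reset gate. This is an added illustration, not code from the article or from Company X; the employee directory, phone numbers and verification answer are constructed placeholders, and the audit list stands in for the incident-tracking record the article recommends.

```python
"""Help-desk password-reset gate: caller ID is logged but never trusted.

A reset is approved only after a call-back to the employee's number of
record and a correct answer to a pre-registered verification question.
Every decision is appended to an audit log for later incident review.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    phone_of_record: str
    answer_hash: str  # digest of the pre-registered verification answer


def _hash_answer(answer: str) -> str:
    # sha256 stands in for a salted, slow password hash in a real system.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


# Constructed sample directory (hypothetical employee and number).
DIRECTORY = {
    "e1001": Employee("e1001", "+1-555-0100", _hash_answer("cost center 42")),
}


def reset_decision(emp_id, caller_id, callback_number, answer, audit):
    """Return (approved, reason). caller_id only ever affects the audit trail."""
    emp = DIRECTORY.get(emp_id)
    if emp is None:
        audit.append(f"DENY {emp_id}: unknown employee (caller_id={caller_id})")
        return False, "unknown employee"
    # Caller ID can be spoofed, so a mismatch is noted for review, not acted on.
    note = "" if caller_id == emp.phone_of_record else " caller_id MISMATCH"
    if callback_number != emp.phone_of_record:
        audit.append(f"DENY {emp_id}: no call-back to number of record{note}")
        return False, "call-back required"
    if not hmac.compare_digest(_hash_answer(answer), emp.answer_hash):
        audit.append(f"DENY {emp_id}: verification answer wrong{note}")
        return False, "verification failed"
    audit.append(f"APPROVE {emp_id}: call-back + answer verified{note}")
    return True, "approved"
```

A matching caller ID with no call-back is still denied, which is the point: the displayed number is evidence for the log, not a credential.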

Security policies used to have more bark than bite, but these days it's now common to put more teeth into them. Corporate policies, standards, guidelines, and so on cover a wide range of areas but the important thing is to develop them with growth and accountability in mind. Topics that should be covered in corporate policies include information sensitivity, password protection, ethics, acceptable use, email, database credentials, extranet usage, VPN security, and server security.

Also, pay attention to what's happening on the national and international level as far as ID theft laws and database protection are concerned. New bills are being developed to make identity theft more difficult through the greater protection of personal information.

The bottom line

Unfortunately, the reality is that intruders rarely get caught, and even when they are caught, the penalties haven't traditionally been stiff. Shouldn't we be more worried about serial murderers running loose than a bunch of computer geeks? Seriously though, identity theft, corporate espionage and cyber-terrorism are here to stay, so the bottom line lies in making a commitment to combating potential attackers.

At Company X the buck ultimately stops with the CIO, who must commit to improving the security program before the company loses a significant amount of money and intellectual property to a major attack. That requires committing both the financial and people resources to the problem, and not dropping education and training from the budget. As individuals, we must commit to increasing our awareness of the risks we face and the potential openings we create for social engineers to fool us. The key, according to Schneier, lies in "securing the interaction between the data and the people."

In any good security program, a realistic balance must be reached. There's always a fine line between an "atmosphere of paranoia" and a productive environment. However, if we err on the side of stronger security, knowing human error is the problem, we'll be more likely to achieve success. Just remember that we, the people, are the weakest link and as Mitnick writes, "Don't be gullible!"

Resources

"A VOIP security plan of attack", Joel Snyder, Network World, September 13, 2004.

"Cisco Denial of Service VoIP Attack", VoIP & Gadgets Blog, January 21, 2005.

"Closing the Floodgates: DDoS Mitigation Techniques", Matthew Tanase, Security Focus, January 7, 2003.

Hacking Exposed: Network Security Secrets & Solutions, McClure, Scambray & Kurtz, Fifth Edition, McGraw-Hill/Osborne, 2005.

"Malicious Malware: attacking the attackers, part 1", Thorsten Holz and Frederic Raynal, Security Focus, January 31, 2006.

"Malicious Malware: attacking the attackers, part 2", Thorsten Holz and Frederic Raynal, Security Focus, February 2, 2006.

"Phishing losses overestimated - survey", John Leyden, The Register, December 3, 2004.

"Phishing for Savvy Users", Scott Granneman, Security Focus, November 1, 2004.

"Phishing, spyware and other pests plagued 2004", Anik Jesdanum, AP, December 30, 2004.

"The SANS Security Policy Project", SANS, 2006.

Secrets & Lies: Digital Security in a Networked World, Bruce Schneier, Wiley Computer Publishing, 2000.

"Social Engineering Fundamentals, Part I: Hacker Tactics", Sarah Granger, Security Focus, Infocus, December 18, 2001.

"Social Engineering Fundamentals, Part II: Combat Strategies", Sarah Granger, Security Focus, Infocus, January 9, 2002.

The Art of Deception, Kevin Mitnick & William L. Simon, Wiley Publishing, Inc., 2002.

The Hacker Ethic, Sarah Granger, Ethics in the Computer Age, ACM Press, 1994.

"Voice over IP Security", Matthew Tanase, Security Focus, March 12, 2004.

Source article: http://www.securityfocus.com/infocus/1860/2
