Security Basics: Social Engineering

(This article was originally published on the Findings From the Field blog.) Miles McQueen of the University of Idaho & Idaho National Laboratories had an interesting presentation in the Security track at the last ARC World Forum in Orlando some time ago. He talked about work INL had done with their own people to increase awareness of social engineering attacks. He cited pan-cultural research results about people lying as background. The research showed how many people across many cultures believed that the following traits indicated someone was lying: 75% – avoidance of eye contact 64% – touching or scratching yourself 62% – telling stories longer than usual The problem is that the research also shows that the behaviors above are not good indicators of deception. In fact, it turns out that almost nobody is able to reliably detect lies. The exceptions are in very limited domains. Eg: many members of police forces are very good at determining when someone is lying about evidence of criminality. But those same people are no better than average outside of their domain of expertise – eg: determining when a sales person or spouse is lying about something else. In the INL experiments in 2008, 40% of employees provided their passwords to a fake employee over the telephone. Many reported the phone-phishing, but the first such report came fully 45 minutes after the experiment started and a number of passwords had already been harvested. 20% inserted thumb drives found in the parking lot into their computers, and 10% opened an attachment on an official-looking email. Other phishing experiments showed between 45% and 80% success in getting people to open attachments and provide user name / password credentials when the phishing email was tailored to each individual target recipient, with information about the recipient and information about the target’s context (school, work, military academy) in the phishing email. The implications for industrial security are alarming – all the firewalls and VPNs in the world won’t help you if your people are giving out their passwords to strangers, or plugging "found" USB sticks into their workstations. To deal with the threat, you need measures like: social engineering awareness and testing – but you can’t count on your people not handing out their passwords, two-factor authentication for your most critical assets, so disclosure of simple user names and passwords does not put those assets at risk, operator workstations with access to email and the internet on a separate network segment from critical assets, and ideally, no permanent, unauthenticated connections between critical assets and other workstations. The last one is important – and hard to do. You must assume your administrator workstations and even L3 servers will harbor trojans from time to time, but you generally cannot completely cut off L2 networks from L3 servers - batch records and other imperatives mean some L2 data must migrate into L3 or even L4/enterprise servers. L2 networks should be firewalled off from L3 networks, and you should at least minimize permanent connections between those networks. Do not connect Windows RPC ports or other popular attack vectors between networks - limit cross-segment connections to the minimum required to move your critical information. That’s all for now. I’m off to scatter USB keys in the parking lot at head office...