E-book, English, 390 pages
Watson / Mason / Ackroyd: Social Engineering Penetration Testing
1st edition, 2014
ISBN: 978-0-12-420182-8
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
Executing Social Engineering Pen Tests, Assessments and Defense
Gavin is the Professional Services Manager at RandomStorm and is responsible for devising and also delivering innovative testing services offered to clients, including the full range of penetration testing and social engineering engagements. Gavin has worked in IT for many years, focusing for the past five years on delivering internal and external penetration tests and social engineering engagements for multiple clients across all verticals.
The Weak Link in the Business Security Chain
Gavin Watson, Senior Security Engineer, RandomStorm Limited
It is still very much the case that companies invest more money in defensive technology than in developing personnel awareness training and hardened policies and procedures. This chapter explains why this approach is taken, why it isn't effective, and paints a clear picture of just how vulnerable companies actually are.
Keywords
Data classification; customer service mentality; weak awareness and training; weak policies; weak procedures; the weakest link
Information in this chapter
• Why personnel are the weakest link
• Secure data with vulnerable users
• The problem with privileges
• Data classifications and need to know
• Security, availability, and functionality
• Customer service mentality
• Poor management example
• Lack of awareness and training
• Weak security policies
• Weak procedures
Introduction
The reader has now been introduced to the concept of social engineering, along with some of the various techniques using real-world and fictitious examples. This chapter now focuses specifically on the threat of social engineering to businesses.
The idea of leveraging vulnerable personnel to obtain sensitive information may seem fairly obvious. If a perpetrator, despite all their efforts, has been unable to attack the system that stores, processes or transmits sensitive data because of strong technical security controls, then they will likely attack the individuals who use the system instead.
The stark reality is that criminal or hostile individuals and groups are increasingly aware that the most effective method of attack is to exploit the human factor, rather than employing often costly and difficult technical attacks.
Putting this into context, a criminal organization may be attracted to infiltrating a level 1 merchant's network (one processing more than 6 million card transactions per year) and illegally extracting the payment card data stored within. The value of this extracted data to the criminal starts at approximately $4 per payment card record when sold in the various illegal cyber chat rooms, which for 6 million records is $24 million. Alternatively, the cards can be used to purchase goods for sale on the black market: 6,000,000 cards at $50 per purchase yields $300 million worth of goods, which sold at a discount for $30 each still yields $180 million.
With this in mind, the attraction of gaining access to this data through the exploitation of human nature, using nothing more than a nice smile, is easy to appreciate.
However, if this concept is so obvious then why do businesses and their personnel continue to overlook this and leave themselves vulnerable? The simple answer is that although the concept of socially engineering individuals is understood, the various reasons for individuals being vulnerable are not necessarily so straightforward. The personnel can’t simply hear about social engineering and decide to avoid falling victim to it. While Chapter 3 will discuss all the ways in which human nature can be exploited, this chapter will concentrate on vulnerabilities caused by flaws in the business itself that affect the employees. Business issues of this kind can make even the most security conscious individual vulnerable to social engineering.
The following sections explore these issues, covering some of the most significant challenges businesses face when it comes to social engineering and security in general. Such challenges include how to secure sensitive information while still allowing personnel to access it, which means examining the problematic relationship between security, availability and functionality. The security issues associated with data classification, need to know, excessive privileges, customer service mentality and lack of effective security awareness and training are then explored in relation to social engineering.
This chapter will conclude by exploring the social engineering vulnerabilities caused by weak policies and procedures or by overly specific or vague procedures and how authority can be misused to render otherwise strong policies completely useless.
Why personnel are the weakest link
The phrase “People are the weakest link in your security” is a term often used by security professionals. However, businesses continue to ignore or overlook this simple concept. To fully explore this idea we’ll use a fictitious business called “Vulnerable Inc.” as an example.
One morning, Vulnerable Inc. personnel arrive, unlock the front doors of their office complex and raise the shutters. Upon entering, they input the correct code to disable the main alarm. They climb the stairs to reach their main office and enter yet another code to get through the electronic access control system. So every morning the personnel navigate four layers of varied security controls (the door locks, the shutters, the alarm and the access control system), which would certainly be quite a challenge for an attacker. It is controls of this kind that receive the most significant investment from businesses.
An attacker decides to break into the main offices of "Vulnerable Inc." to steal laptops containing sensitive and valuable information. After a quick inspection of the various security controls they opt to climb a ladder and gain access by smashing a window. By doing so they immediately bypass three of the four security controls, with only the main alarm remaining. This leaves them a limited amount of time, before anyone is likely to investigate the alarm, to grab a few laptops and various sensitive documents. In situations like this the usual response from the business is to invest more money in physical controls, which may well be very effective. Here the business may decide to install high-security windows, a closed-circuit television system, security furniture or some other mechanism to help prevent the attacker from breaking the windows and/or stealing laptops.
Now suppose the attacker wants to avoid raising any alarms, preferring to avoid the messy "smash and grab" approach. Instead they dress to match the employees, reproduce a fake employee badge and tailgate the personnel into the premises during a busy lunch-hour period, mirroring them by carrying a supermarket shopping bag, just like everyone else. The attacker casually walks past reception, blending in with all the other personnel. When no one is looking the attacker walks around the office placing various laptops into the bag, installs a few key loggers and grabs a few documents off a printer before making their way back out. All of this goes unnoticed until after lunch, when people return to their desks to resume work, and even then it remains a mystery until someone suggests there may have been a theft. This scenario is an extremely simple example of a social engineering attack. The attacker has not directly manipulated anyone or elicited any information from an employee. Instead they have created a plausible situation and indirectly manipulated people's perception. Onlookers believed the attacker to be a member of staff, validated by the badge, the attire, the confident walk, the shopping bag and by being merged in with the other personnel. Attacks of this kind are extremely effective, and the business may be hopelessly ill equipped to deal with them. The typical response to this kind of incident is to hastily deploy an ineffective company-wide security awareness program, if any response is initiated at all. This is understandable, bearing in mind that most companies would prefer to keep an incident like this very quiet.
Why do businesses invest the security budget in the wrong areas? The reason is this: when an attacker breaks a window the solution is simple, implement a physical control (stronger windows). However, when an attacker tricks an employee into revealing information or allowing them access to restricted areas, the solution is not so apparent. Physical security vulnerabilities are tangible; they can be directly interacted with and resolved. Social engineering vulnerabilities are "intangible", such as those associated with human nature or weak procedures. Most businesses are unfamiliar with the methods for mitigating the risk of intangible security issues. The solution usually requires a defense in depth approach, combining multiple direct and indirect strategies.
Before a business can even begin to formulate an effective defense strategy, they first need to fully understand the reasons why their personnel are the weakest link in the security chain.
When trying to explain why employees are susceptible to attacks like this, it is all too easy to blame human nature. However, there are often numerous security weaknesses in the business itself that translate into weaknesses associated with the employees.
It is wise to start with the weakness in your business processes first, before pointing the finger at the employees.
Secure data with vulnerable users
Sensitive data stored within a system can never really be completely secure. However, to explore the concept of vulnerable employees, let us suppose that a database is invented that cannot be penetrated by unauthorized users. Hackers...