Techno Security's Guide to Managing Risks
FOR IT MANAGERS, AUDITORS, AND INVESTIGATORS
By Jack Wiles
Syngress
Copyright © 2007 Elsevier, Inc.
All rights reserved.
Chapter One
Social Engineering: Risks, Threats, Vulnerabilities, and Countermeasures by Jack Wiles
Jack Wiles is a security professional with over 30 years of experience in security-related fields, including computer security, disaster recovery, and physical security. He is a professional speaker and has trained federal agents, corporate attorneys, and internal auditors on many computer crime-related topics. He is a pioneer in presenting on subjects that are now being labeled "Homeland Security" topics. Jack is a co-founder and President of TheTrainingCo., which runs the well-known Techno Security and Techno Forensics trade shows. He is in frequent contact with members of many state and local law enforcement agencies as well as special agents with the U.S. Secret Service, FBI, U.S. Customs, the Department of Justice, and the Department of Defense. He was appointed the first President of the North Carolina InfraGard chapter, which is now one of the largest chapters in the country. He is also a founding member and "official" MC of the U.S. Secret Service South Carolina Electronic Crimes Task Force. Jack is also a Vietnam veteran who served with the 101st Airborne Division in Vietnam in 1967-68.
Some of the things I will discuss in this chapter have been on my mind since the mid-1980s. I believe it's time I put them in writing and present my thoughts on what I believe could be the most effective and dangerous threat to any security plan: social engineering! This age-old threat has taken on a new meaning as what I collectively call "bad guys" have continued to use the art of the con to gain access to intellectual property and, if necessary, the buildings that house it.
This chapter isn't meant to be read as a complete story from beginning to end. Social engineering and ways to prevent it are subjects with many meanings. This will be more of a potpourri of tips, tricks, vulnerabilities, and lessons learned from 30-plus years of dealing with these issues. As an inside penetration team leader, I used every exploit I could to conduct a successful inside penetration test. It was during those years that I gained most of my social engineering experience. These skills helped me eventually hang up my dumpster-diving penetration team clothes and retire from the tiger team world UNDETECTED! Although I came close several times, I was never stopped or reported to security as a possible burglar or corporate espionage agent, even though that's what I effectively was while I had our teams inside their buildings.
If you think this chapter has a strong risk management flavor, it was intentional. Just about every area of concern with security today is a risk management issue. This chapter, and most of the others in this book, are chock full of what I like to call Techno Tidbits of useful risk management countermeasures. Hopefully, many of them will be topics you might not have considered in the past as you put together your security plan. External, internal, and information system auditors should pick up a few ideas for things that should be added to their audit process.
How Easy Is It?
Way back in 1988, I was part of an internal security team for a large corporation. On several occasions, I had the opportunity to hear some of the conversations that went on when a cracker (bad guy hacker) group targeted a victim by calling them on the phone. They were using social engineering skills to gain access to proprietary information, including passwords. I'll never forget what I heard one experienced cracker say to a cracker-in-training: "Social engineering is the easiest way to break into a system." He then followed up that comment by saying "The stupidity of the average system administrator amazes me."
That was almost 20 years ago and it was the first time I had heard the words social engineering. Why do I think of it as a tool that could be used by any "bad guy" from a cracker to a terrorist? Social engineering is what I believe could be the most effective and dangerous outsider-insider threat to any security plan.
Over the past 15 years, I have learned firsthand just how easy it is to be an effective con man as I led several inside penetration teams into the buildings of clients who hired us to test their vulnerabilities. Not one time did we fail or get caught as we roamed their buildings pretending to be employees. Everyone we encountered while doing our thing thought we belonged there.
Human Nature: Human Weakness
This is certainly not the first time anyone has written about the effects of social engineering. It doesn't take much searching on the Internet to find material on the subject, and in almost every article you will note a common thread. In each case, the social engineer turns our normal human nature of wanting to be kind, helpful, and sympathetic into a weakness they can exploit.
If we looked at this through the eyes of a risk manager performing a risk assessment, our untrained and unaware human nature could be considered a major vulnerability, threatening just about everything important to our company. We'll talk about possible countermeasures to these threats throughout the rest of the chapter.
The reason I digressed into a full discussion about a risk assessment of the threat of social engineering is because I don't think many people have performed a detailed risk analysis. Since social engineering is a truly formidable threat, you need to know how vulnerable you are (at work and home) and what you can do to reduce those risks.
Any risk assessment needs to consider at least four things: risks, threats, vulnerabilities, and countermeasures.
Risk Management: Performing a Mini Risk Assessment
I recently had the opportunity to purchase my first boat. It's not huge, but it is just big enough for me to use as a floating mini-office a couple of days a week when the weather is nice. Just for fun, let's do a mini risk assessment of some of the risks, threats, vulnerabilities, and countermeasures associated with my new floating office. This isn't intended to be extensive (I'm sure you will think of things I didn't mention here). I just wanted to give us practice using terms most associated with risk assessments and risk management.
What Do I Have at Risk?
Being out on the water all day, my life is the first thing that comes to mind as a risk. The boat itself is also at risk, though I have passed some of the financial risk along to an insurance company, which is what we do with a lot of risks where it makes sense. Any equipment on the boat is at risk of not only sinking but of possibly being dropped overboard, or being soaked by a large wave. A sudden thunderstorm could cause problems. Depending on lake conditions, too many other boats could cause a problem. The battery in the boat could die, causing me to lose all power and even strand me on the lake. As you can see, when you consider what you have at risk, you will immediately start to consider some of the threats that could possibly increase your risks. What I have at risk on the boat is everything I could lose if something bad happened. Let's call all the bad things that could happen "possible threats."
What Are Some Possible Threats?
We've already mentioned a few possible threats, which are different than those surrounding my home office. Weather could certainly be a threat, as could simply hitting something as I was moving from one place to another on the lake. The threat of a sudden thunderstorm, or of being hit by another boat, always exists. There isn't much risk of being hit by a car (hopefully), or suffering from a commercial power outage while I'm aboard. The possible threat of theft should be small as long as I keep an eye on my equipment while I'm launching the boat. Overall, the threats, which could possibly hinder my ability to conduct business from my boat, would be lower than most places. (Am I looking for reasons to work from my boat or what?)
What Are Some of the Possible Vulnerabilities?
I would be much more vulnerable to severe weather changes out on the lake than in my home office. I would also be vulnerable to lake conditions in general at any given time. (This is a large lake about 20 miles long.) For a few days following a heavy rain, hundreds of semi-submerged items float downstream. I would certainly be vulnerable to someone losing control of his or her boat and crashing into mine. If I didn't know the depth of the water I was in, I could possibly run aground or hit something in water that was shallower than I thought it was. It would most likely just be an inconvenience, but as in any vehicle, I could run out of fuel. I mentioned not being affected by commercial power failures, but I could easily run my only battery down to where I couldn't start the engine to return to the marina. In addition, though I am always very careful, I could possibly fall overboard—a difficult problem when you're on the water alone.
What about My Countermeasures?
I really enjoy talking about countermeasures. The word even sounds cool. You have all of these things that you have identified as yours and they could be at risk out there in the boat. You have considered the possible threats and how vulnerable you might be as you encounter them. Now, what can you do to lower your risk and decrease your vulnerability?
I've learned a lot during the few months I have had this new floating mini-office. Some of my newfound countermeasures are:
* I only try to be on the lake when most other boaters aren't out there.
* I check the weather forecast every time before I head to the lake.
* I will install a second marine battery to ensure I always have power.
* I have made sure special waterproof cases are used for my computer and cell phone.
* I carry a small inverter onboard to provide me with 110 volts AC from the boat battery.
* I make sure the marina and my family are always notified of where I will be, and when I expect to return.
* I always carry a small marina radio onboard.
* All data on my computer and cell phone have backup copies on shore.
* I wear a self-inflating life vest at all times.
I'm sure many more issues could be addressed in this mini-assessment, but the point is we all need to at least be familiar with, and understand, our risks at home and work. Included in this book is a detailed chapter titled "Personal, Workforce, and Family Preparedness," which contains a wealth of information for lowering your risk in some of the most important areas of your life.
For my definition here, let's consider the outside threats as those coming at you from the Internet or dial-up modem (you do know where all of your dial-up modems are, don't you?), or a simple phone call from a total stranger. The reason I mention dial-up modems is because there are still many of them out there. Many maintenance ports on older PBXs, building environmental controls, air handling systems, and access control systems still use them and probably will continue to rely on them well into the future.
I'm not considering insider (current employee) activity in this chapter. Even though malicious insiders can use social engineering in a number of ways, the countermeasures for that kind of activity can be much different. For this discussion, let's consider outsider–insider threats as people who never were employees and didn't belong in the building.
This would be the category my inside penetration team would fit into. When we roamed through buildings unchallenged, we definitely didn't belong there (other than being hired to try to get there). Someone checking out your building for possible espionage or future terrorist activities would also fit in this category. In theory, some employee inside the building should eventually figure out that there is a "Trojan horse" in the camp: someone who has gotten past whatever security there is at the perimeter where entry was gained. There is a good chance they used some form of social engineering to get there.
Excerpted from Techno Security's Guide to Managing Risks by Jack Wiles. Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.