The fifth annual social engineering capture-the-flag competition at DEFCON once again graphically illustrated the social engineering risk. Take 5 minutes to download and read this year's report: the results, particularly the implications for information security, are truly shocking.
In short, the contestants were invited to socially engineer a number of items of information out of ten victim companies - all high-profile US brands (Apple, Boeing, Chevron, Exxon, General Dynamics, General Electric, General Motors, Home Depot, Johnson & Johnson and Walt Disney). Contestants had some time ahead of the event to research their targets using published information and to prepare their pretexts. During the competition period, live on stage at DEFCON, they attempted, and generally succeeded in, tricking and persuading employees of the victim companies into parting with the "flags": pieces of information that should not have been disclosed.
Listed on page 8 of the report, most of the flags would no doubt have seemed quite innocuous and trivial to the employees targeted, hence one social engineering technique is to provide the pretext or context in which disclosing them seems entirely natural. In reality, the flags go towards building up an information dossier or toolkit, paving the way for ever more serious attacks such as physical site intrusion and network/system hacking. Think of them as the snowflakes and little snowballs that form the giant, unstoppable snowball which rolls down the hill smashing things in its wake.
In the real world, of course, malicious social engineers would have been unconstrained by the rules of the competition or ethics, so could undoubtedly have captured much more sensitive and valuable proprietary information using the same techniques, plus those that they were not permitted to use at DEFCON (e.g. personal threats or coercion).
All of this raises the obvious questions: "How can we guard against social engineering?" and equally "How can we use social engineering?"
Given that the report was no doubt written by social engineers whose skills are more offensive than defensive, it offers just three suggestions on preventive techniques: policies, awareness and tests. On awareness, the report says:
"2. Consistent, Real World Education

One of the areas that appear to be lacking across the board is quality, meaningful, security awareness education. In our experience, there is a definite relationship between companies that provide frequent awareness training and the amount of information that company surrenders. An organization that places a priority on education and critical thinking is sure to possess a workforce that is far more prepared to deal with malicious intrusions, regardless of the attack vector.

Security awareness training needs to be consistent, frequent and personal. It doesn't require that a company needs to plan large events each month, but annual or biannual security reminders should be sent out to keep the topic fresh in the employees' minds. Often, the difficulty lies in businesses making training and education a priority to the extent that appropriate resources are allocated to ensure quality and relevance. Security education really cannot be from a canned, pre-made solution. Education needs to be specific to each company and in many cases, even specific to each department within the company. Companies who truly understand the challenges and rewards associated with high quality training and education will find themselves most prepared for the inevitable."
Naturally, I completely agree that security awareness is a vital part of the solution, and "frequent awareness training" is definitely needed, but "annual or biannual reminders" aren't nearly frequent enough to be effective, in my considered opinion. Our preferred approach is continuous, using monthly security awareness topics as a means to remind employees throughout the entire year about social engineering, hacking, password hygiene, backups, business continuity and a million other information security things. For a small fraction of what it would cost you to research and prepare the materials from scratch, our NoticeBored service delivers fresh, creative, camera-ready awareness content every month.
It just so happens that we are currently revising the NoticeBored security awareness module on social engineering. Aside from policies, awareness and tests, the module offers several other social engineering controls. I particularly like the idea of helping general employees first of all recognize the signs that they may be dealing with a social engineer, and then pass the inquiries through to employees who have been specially trained to deal with the threat. The neat part about this control is that virtually every organization already has employees who are competent to take on the specialist role - in fact they practice their skills on a daily basis. The NoticeBored awareness module provides suitable awareness/training materials for both the general employees and the specialists, along with materials to bring management up to speed on the social engineering risks and controls.
Check out NoticeBored to kick-start your awareness program on social engineering, but don't hang about: social engineers are already making snowballs from your information. Sign up this month to guarantee delivery of the newly-revised social engineering awareness module before the end of year holiday period, 'peak season' for social engineering attacks.
By the way, I have already addressed the question "How can we use social engineering?" on this blog. Social engineering is definitely a 'dual-use' weapon. Are you tooled-up yet?