Picture the scene. It is early evening and the waves have been pounding against the shoreline the whole day. Four people are sitting in the pub as the sun begins to glow orange and sink lower in the sky. Their limbs are weary, their hair full of salt and sand. The conversation turns from dings in surfboards and how they carved up the face to social engineering and the use of neuro-linguistic programming. This may seem like a strange topic for surfers, but in fact all of these people work in the security industry. Every day they are testing the security of hardware, software and buildings, or developing security products. Whilst everyone works with the latest technologies, it is still the human factor in security that fascinates them the most.
So what is this topic of “Social Engineering” that everyone finds so interesting to discuss? Put simply, it is using people to break a security model. You might think this is just about phoning someone up and asking them for their password. Not at all: it is about creating an illusion and a web of trust that allows an attacker to obtain information, or to bridge the gaps created by security controls, without the person even knowing they are doing it. It sounds like mind control, and in one sense that is exactly what it is. Although this isn’t about hypnosis or mind probes, it is about people seeing and hearing what you want them to, just as the facade on a film set creates the illusion of reality on a cinema screen.
Everyone in the security industry has stories to tell, but as you probably guessed none of them have names or places attached. You get to hear the stories, but the people involved remain anonymous. After all, it could never happen to you, or your company, could it? I will leave that for you to decide after you have read one of the stories told round the table that night.
It was 3 o’clock on a sunny Thursday afternoon when Mr X received an email that appeared to come from the IT department, saying that a new HR system was being implemented. The application was having problems and needed to be populated with each user’s details for the new payroll process. The email explained that if you didn’t fill in your details you wouldn’t get paid. Mr X is concerned: his mortgage payment comes out of his account 5 days after his wages go in, so he can’t afford not to get paid on time this month. He clicks the link in the email.
It all looks genuine, as the site is branded with the corporate logo and has a prompt for Mr X’s username and password. Because the application is in the style of the company’s website, the obvious thing to enter is the details he uses to log on to his PC. Success: the site lets him in and shows his payroll data, or rather the lack of it. It is empty, so, fearing that he won’t get paid, he re-enters his details and hits submit. It all works and returns him to the company’s homepage. No problems, nothing to worry about, and he will now get paid. Time to get back to work.
In the reception of the company’s smart new office building a visitor receives an email on their PDA. They introduce themselves at reception and show their business card, from the firm of architects that designed the office building. They are here to complete an inspection of the building, as the defect period is at an end. They apologise for not making an appointment, but they were in the area and thought they could get this job wrapped up before the end of the day. They only want to look round the atrium and the ground floor meeting rooms, so the receptionist says it is OK and asks the visitor to let reception know when they have finished.
In reality, the name of the firm of architects was discovered because it advertised the company as a case study on its website. The email received on the PDA contained the username and password entered on the phishing site, and the briefcase being carried contains a laptop computer. The visitor heads straight for the meeting room and plugs the laptop into the network connection on the Voice over IP phone. A few quick probes are made looking for key Microsoft Windows systems. They are successful and locate the important servers on the network, as should be possible on any network of this type. Using the stolen username and password, the fake architect is able to access some file shares and an email account. All the data on the servers that can be accessed with the user’s account is then copied onto the laptop, which is folded up and put back into the briefcase.
There is just enough time to head back to reception to talk about the cracks in the meeting room and the tarnishing on one of the doors. They are out of the warranty period, but as the receptionist did him a favour he will make sure they get fixed free of charge. After a smile and a friendly wish of a good evening, he heads out of the door. The sensitive corporate data is safely stored on his laptop. It could be sold to a competitor or used for blackmail or other criminal purposes. But in this case the only place it will go is into the report for the client about the social engineering exercise. This may sound far-fetched, but it is a reality for many companies that are targeted in this way. More worryingly, most of those attacked in this way never know anything about it.
So what can we learn from this story? There are two important things to take from it. The first is that technology alone is not the answer to security; it provides a set of tools that enable people to keep both information and other people safe. The second is that breaches occur when exceptions are made to our daily processes and ways of working. If we are aware of the methods that people might use to deceive or trick us, we will be better equipped to protect ourselves. We must also understand why people might want to attack us, so that we can recognise that there is a threat out there and that we need to be vigilant.
So the next time you see a phishing attack or receive a phone call from a stranger, ask yourself one question: what does this email or this person want from me? Don’t be tempted into wondering what they can do for you or what you can get out of it. That way you might foil the social engineer who is after your credit card details, banking information, sensitive corporate data or even your identity.