It’s 8:30 am. The night before was the Wild Wednesday conference party where drinks were free until the wee hours of the morning. For all intents and purposes, the conference attendees should all be sleeping late. But here I stand in a room packed with people (yawning people) to hear Cisco expert Todd Lammle speak on the subject of social engineering.

For those of you unfamiliar with this term, it’s been defined as “the art of manipulating people into performing actions or divulging confidential information.” Technology often takes the blame when an individual or organization falls victim to a social-engineering scheme that results in valuable information being stolen or systems being otherwise compromised. Just ask Microsoft: the company is often slammed for security shortcomings in its products, even though it has added effective new tools in Vista: User Account Control, Windows Defender, and the Security Center.

Yet perhaps Microsoft alone isn’t responsible for all the world’s security woes. Kevin Mitnick, who popularized the term “social engineering” in his book “The Art of Deception,” argues that the weakest link in any network is neither your virus protection nor your firewall; it’s your people. People trust easily and will dole out information they consider irrelevant to others. Used properly, that information becomes the key to unlocking your entire network. Mr. Lammle gave a variety of examples showing how a person (or shall we say criminal) can trick your users into divulging information.
Beyond the online techniques we know so well, such as phishing scams and Trojan horses, there’s masquerading. We ordinarily trust people who say who they are. So, when the receptionist gets a call from someone saying, “Hi, I’m with your network engineering department,” she may believe that person and divulge information she shouldn’t. If that person also does a little cursory research and asks a few employees some questions, the line would be more like “Hi, I am Jack with your network engineering department. My supervisor Roy Bannion said Mr. Johnson, the CEO, wants us to help users with their login procedures.” At this point the caller has given all the right names and the receptionist has no reason not to trust him. Once the perpetrator has access, your network is theirs.

The most surprising part of the discussion (more so than even the number of people in attendance given the early hour) was when Mr. Lammle asked the audience, “So, what methods do you have in place to educate your users about these threats?” There was silence. Mr. Lammle followed up with, “OK, that’s typical. Now after listening to this session, what methods do you hope to implement going forward?” There was more silence.

Why waste so much time and money trying to protect a network if we aren’t educating our users? If they continue to click the link that says, “Click here for the latest nude picture of Anna Kournikova” (which is a real virus from 2001 called the “Anna Kournikova Virus,” a VB worm), what does this say about our plan to protect the network? If a simple liar can call in and get information and use it against you, shame on them. If you’ve done nothing to try and stop them, shame on you!

One of the key elements to protecting your people from social engineering is to make it both a part of new employee training and continuing employee education. Quick training sessions, short screencasts on the subject; whatever it takes to make the point.
YouTube has some interesting training videos that try to make the process fun and informative. Here is one example produced by Citi. You should have a procedure in place that prevents certain information from being given out to strangers. Network administrators should provide consistent reminders to users to keep them on their toes. Stronger passwords should be enforced as well. You might even want to test your people from time to time by using an agency that specializes in social engineering attacks (ethical hackers that perform penetration testing). The risk here, however, is that people can turn around and use that knowledge maliciously. So, you might want to perform your own in-house tests.

Back to Microsoft, then. The company is clearly aware of the social engineering problem. It is not only continually strengthening the security of its wares to fight back, it’s offering guidance to help address the weakest link: users’ lack of awareness. To that end, the company released a 30-page whitepaper a while back that most admins would do well to download (for free) and read.

Education is your only defense. So … what plans do you have to protect yourself and your company from social engineering?