Tech Insight: Building The Right Defense Against Social Engineering
Defcon capture-the-flag contest shows humans are still the enterprise's weakest link
Was your company targeted during last week's Social Engineering Capture the Flag event at the Defcon conference? If it was, would you know?
The contest caused quite a stir in several industries -- in fact, the FBI contacted the contest's organizers to discuss concerns that sensitive, personal information would be targeted.
So what's the big deal? Social engineering is certainly nothing new. However, the contest -- and the associated press coverage -- managed to raise a new level of concern. Some companies went as far as to send out information to their employees and customers warning them about the upcoming contest.
We've all used social engineering to get what we want -- even when we were children. Now we're faced by attackers who are using it against our companies to get what they want. The question so many future victims ask is what would an attacker want from them? The answer is simple: information.
Maybe your company is the direct target of an attacker, or maybe it's simply a stepping stone to a bigger fish. Either way, social engineering is the most effective tool that an attacker can use against your company. You can patch every desktop and segregate every sensitive network segment, but you can't accurately predict your employees' behavior when facing a cleverly designed attack.
The best defense against social engineering is awareness and training -- with policies to back both. You and your employees should know the most common technical forms of social engineering attacks. Phishing, instant messaging, and social networks are the three attack vectors your users face.
Those three attack vectors have two things in common: They insulate attackers from face-to-face communications, and they're extremely effective. Novice social engineers often opt for these online methods because they require less skill to perform successfully than talking to a target on the phone or walking through the front door.
Using any of these three vectors, an attacker can entice users into providing their credentials. The most common targets are the places where the credentials are collected via email or through a form on a Website. The attack site is set up to mimic a legitimate site the user would expect to see and trust.
In many cases, users are tricked into thinking there is an urgency to provide their user names and passwords. They fall for a scam that threatens to terminate their access to bank or email accounts; they're convinced to take swift steps to help a co-worker.
Sophisticated social engineering techniques, like those demonstrated in the Social Engineering CTF, require preparation to know details about the target organization and those who work there. But that's not always enough, even when combined with confidence. An understanding of human behaviors is needed, and knowing the correct gestures and language to use in specific situations is often necessary to be successful.
The most common personal attack vectors, as described by the Social Engineering Framework at Social-Engineer.org, include customer service, tech support, and delivery persons. Each of these vectors requires talking to the victims on the phone or interacting in person. This is where attacks often fail because the attacker doesn't know enough about the target -- or fails to gain the victim's confidence.
Chris Hadnagy, organizer of the Social Engineering CTF contest, said, "Every company where we were able to contact a human, [the contestants] were successful at social engineering them." Two employees at a target company did thwart one contestant's efforts because the questions sounded "fishy."
Defending against social engineering comes down to awareness and training. There is no patch for human awareness. Enterprises should mandate training so that users are educated and aware of the dangers posed by social engineering.
The most effective training includes role-playing to demonstrate how social engineering attacks are carried out. The Social Engineering Framework has many good examples to draw from, and history has shown us plenty of skilled social engineers we can point to, including Frank Abagnale and Kevin Mitnick.
Modern-day experts, such as Chris Nickerson and Jayson Street, also serve as excellent examples. Nickerson starred in the TV show "Tiger Team," which followed his team through a series of technical and social engineering attacks to gain access to an exotic car dealership and custom jeweler.
Street's "Deceiving the Heavens to Cross the Sea: Using the 36 Stratagems for Social Engineering" provides numerous real-world examples of social engineering attacks -- all of which can be used to help educate your employees.
You can augment your training program by sending out newsletters with current examples of social engineering or recent phishing attempts in the news. Some IT organizations test their employees by conducting internal social engineering attacks against a different department each month. Employees who catch the attack receive a positive report to their supervisor, while those who are tricked receive additional training and awareness recommendations.
As technical defenses get better, social engineering attacks are becoming more targeted and sophisticated. It's critical to educate users about the attacks that may be used against them. Instill in them a sense of responsibility to question strangers in the halls and be suspicious of phone calls asking for a password.
As the Defcon contest proved, people are the No. 1 vulnerability in your network. Be sure you're taking proper steps to "secure" them.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like