Wednesday, 8 October 2008

Social Engineering

I think possibly the equal first security threat facing all business today is that of Social engineering. I say equal first, because a lot of insider threats would probably fall under this banner. The employee, lets say his name is John calls up the helpdesk, he tells them his name is Sam, and that he has forgotten his password. You of course see where I am going with this, the helpdesk happily resets Sam's password, John knows Sam is out to a long lunch and has access to files he doesn't. He logs in as Sam, gets the files he needs and then logs out, maybe even leaving a post-it on Sams screen saying the helpdesk had to reset his password to blah, so the helpdesk doesn't get another call and get suspicious.
John know has all the files on his cheap USB disk, or in hard copy and does with them whatever it is nefarious people do with data to make a buck.
I have seen mitigation techniques for the one I mentioned above, all users have a password reset word, something they wouldn't have as a password and stored in plain-text for the helpdesk to see. This will mitigate it, unless John says he forgot it and to send someone down, the helpdesk guy may not know John or Sam, and as long as John is in Sam's office still acting like he owns the place he will probably get away with it.
Social Engineering is scary for another reason in that even non-technical users can do it. I remember I had a client once who had a relitively new employee call up asking for some permissions to files he needed for work. I knew his role was to do with those files and I knew his voice over the phone (as funnily enough he had moved from one client to another). Still I decided to call his manager to get the ok. She didn't give it, and was a bit distrubed that he had asked for the access. Horray one for the good guys.
Have a look here at how easily some guys doing a sprite commercial pulled off some non-harmful social engineering.
Here is a very thourough article on the subject.
And here is my first shirt design on cafepress, totally on topic.
Really though combine some social engineering with technical knowledge the smarts to think of the good-guys mitigation techniques and the connections to make money off your exploits and you have a major foe to be reaconed with.
I think in future we will need to audit our people as much as we do our security systems. Having someone who won't suffer the repricussions of the law come in randomly and do spot checks would keep people on their toes, but it also comes down to having the personal touch, knowing people by name, by their voice, by their face. Maybe the solution is smaller decentralised IT departments, say one for each department and at least one at each site, this lessens the body of knowledge but increases the likelyhood of the staff member knowing the other. I don't know, someone will come up with a solution eventually.