By Shane MacDougall, senior security engineer, Mosaic451
The other day I was asked what the biggest information security threat facing any company in 2019 is. Is it ransomware? Some AI-powered malware? Overpowering DDoS attacks? I didn’t hesitate: the answer is the same as it has been since I was first asked the question over two decades ago. The biggest threat to our infrastructure remains our users.
Social engineering, in which an attacker obtains information and access not through a technical exploit but by talking a person into handing them over, remains a devastatingly effective way to gain unauthorized information or a foothold on a network. It is an attack vector that rarely fails. Unlike logical attacks, the social engineering call itself writes no log entry to trip an IDS or alert security admins; the only trace is whatever the victim does afterwards, such as the outbound request when they open a link that was read to them over the phone. As organizations pour more dollars into security appliances and next-gen blinky boxes designed to harden their perimeter, attackers are increasingly opting to target the weakest link: the end user.
Recently I was in Quebec for the Hackfest hacker conference, as host and organizer of the second installment of its social engineering “capture the flag” competition. In the first of the three parts, competitors spent a week searching for specific pieces of information (flags) about their target company, from a list of items provided by Hackfest. The flags fall into four groups: information useful for an onsite attack (who handles document disposal and what the pickup schedule is); information useful for a logical attack (operating system, service pack level, browser and email client); networking information that describes the infrastructure (Wi-Fi details, VPN access, security devices); and information about the employee and the work environment that would help an attacker pose as an insider.
In the second part, each contestant sat in a soundproof booth and had 25 minutes to call their target company in front of an audience, gathering as many flags as possible using their dossier. In the third and final part, each competitor drew a new target at random and had 30 minutes to direct audience members in searching the web for flags and phone numbers to build a workable dossier. Each competitor then went back into the booth for another 25 minutes’ worth of calls in search of flags.
The results of this year’s contest were eye-opening, but sadly reminiscent of last year’s event. Of the eight companies targeted, every one gave out information that would give an attacker an advantage in a remote attack, an on-site attack, or both. The breakdown by flag, across the eight companies:
- 75 percent visited a URL provided by their attacker
- 100 percent gave information about which operating system and service pack version they were running
- 88 percent gave detailed information on what internet browser they were using
- 75 percent divulged information about Wi-Fi within their network
- 63 percent divulged information about secure document shredding, including their provider and the schedule for disposal
- 63 percent divulged detailed information about their email client
- 75 percent gave detailed information about the internal computer network
- 75 percent shared personal information about themselves and their work history
Read that list again. Fully six of the eight targeted companies had employees who went to a URL their attacker pointed them to. Had that link been malicious, the attacker could very well have gained access to the target’s network, bypassing all the firewalls and security appliances focused on blocking inbound attacks. (That click is also the one place the attack does become visible: the request shows up in the outbound web proxy log, which is where a defender should be looking.) Every company also gave the callers detailed information on their operating system and patch level, and most gave the same for their web browsers. Armed with that information, an attacker can craft an exploit tailored to the target. The numbers for the other flags were just as worrisome. Remember, these are people giving out this information to a complete stranger over the phone. If this doesn’t make your blood run cold, maybe you should check yourself for a pulse.
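One concrete reason a single visited URL is worth as much as the operating system and browser flags put together: every browser announces its OS and version in the User-Agent header of each request, so an attacker who got a staffer to open a link already holds that information without asking, and the defender’s egress proxy log holds the same record of what left the building. The Python script below is an added example, not code from the original article or from Hackfest. It parses a few constructed combined-format access log lines (the IPs, timestamps, paths and User-Agent strings are made up for illustration) and builds a per-visitor profile of OS, browser and requested paths. A User-Agent reveals the OS family and browser build, not the service pack or patch level, which is exactly the gap the caller fills by asking.

```python
import re

# Constructed sample of combined-format access log lines, as an attacker-controlled
# web server (or, with the same fields, a corporate egress proxy) would record them.
# Every IP, timestamp, path and User-Agent below is made up for this example.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [12/Nov/2019:10:14:03 +0000] "GET /docs/invoice.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
203.0.113.7 - - [12/Nov/2019:10:14:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36"
198.51.100.22 - - [12/Nov/2019:10:31:55 +0000] "GET /docs/invoice.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0"
192.0.2.9 - - [12/Nov/2019:11:02:17 +0000] "GET /docs/invoice.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.1 Safari/605.1.15"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Windows NT kernel version -> marketing name (server equivalents omitted:
# 6.1 is also Server 2008 R2, 6.3 also Server 2012 R2, and so on).
WINDOWS_NT_NAMES = {"6.1": "Windows 7", "6.2": "Windows 8",
                    "6.3": "Windows 8.1", "10.0": "Windows 10"}


def parse_log_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split(" ")
    entry["method"] = parts[0] if parts else ""
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def os_from_user_agent(ua):
    """OS family and version as the browser reports it; never the patch level."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        return WINDOWS_NT_NAMES.get(m.group(1), "Windows NT " + m.group(1))
    m = re.search(r"Mac OS X (\d+[_.]\d+(?:[_.]\d+)?)", ua)
    if m:
        return "macOS " + m.group(1).replace("_", ".")
    if "Android" in ua:
        return "Android"
    if "Linux" in ua:
        return "Linux"
    return "unknown"


def browser_from_user_agent(ua):
    """Browser name and major version. Order matters: Edge and Opera also carry
    a Chrome/ token, and Chrome also carries a Safari/ token."""
    for label, pattern in (("Edge", r"Edg/(\d+)"), ("Opera", r"OPR/(\d+)"),
                           ("Firefox", r"Firefox/(\d+)"), ("Chrome", r"Chrome/(\d+)")):
        m = re.search(pattern, ua)
        if m:
            return f"{label} {m.group(1)}"
    m = re.search(r"Version/([\d.]+).*Safari/", ua)
    if m:
        return "Safari " + m.group(1)
    return "unknown"


def profile_visitors(log_text):
    """Build one profile per source IP: OS, browser, first visit and paths requested."""
    profiles = {}
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if entry is None:
            continue  # malformed or non-combined line; skip rather than guess
        profile = profiles.setdefault(entry["ip"], {
            "first_seen": entry["ts"],
            "os": os_from_user_agent(entry["ua"]),
            "browser": browser_from_user_agent(entry["ua"]),
            "requests": 0,
            "paths": [],
        })
        profile["requests"] += 1
        profile["paths"].append(entry["path"])
    return profiles


if __name__ == "__main__":
    for ip, profile in profile_visitors(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {profile['os']}, {profile['browser']}, "
              f"first seen {profile['first_seen']}, paths {profile['paths']}")
```

Run against a real egress proxy log, the same parser answers the defender’s question in reverse: which internal hosts fetched a URL nobody in the organization had visited before, and what browser build they did it with.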
The reality is that any skilled attacker will be able to talk someone into letting them onto the network and spilling the company secrets. The success rate obviously depends on the skill of the attacker and the susceptibility of the target, but given enough time the attacker will prevail. This was illustrated several times in the competition. One contestant with a fairly weak pretext and a rather diffident manner was shut down quickly on the first approach, but on the second call picked up flags with ease. The more confident contestants were strip-mining data from their first contacts with ruthless efficiency within a couple of minutes of picking up the phone.
At this point it might seem hopeless, and the way things stand now I’d be tempted to agree. In this age of social media, companies go to great lengths to solicit positive reviews and are deathly afraid of any negative media presence. The “customer is always right” mantra has taken center stage, with disastrous effects on information security. The reality is that we need to train our employees that it is okay to say “no”: that if a call seems suspicious it is okay to terminate it, and that if something feels wrong there is a reason, because something likely is wrong. Management needs to let employees know that it will back them if a call they cut short as suspected social engineering turns into a complaint or an incident.
Unfortunately we also need to train our employees to suppress their natural human inclination to be helpful by default. Instead we need to instill in them a trust-but-verify attitude: be helpful, but within limits, and verify before giving anything away, for example by taking the caller’s name and calling them back on a number from the company directory rather than one the caller supplies. Employees should always be on the lookout for someone trying to play them. While that might sound grim, the reality is that one day they may well encounter that person, and when they do, how will your company fare? Unless you have trained your employees in the proper way to handle suspicious calls, you might not like the answer.