EXECUTIVE SUMMARY

Social engineering attacks involve the use of deceptive or manipulative tactics on an individual to gain a result—often to gain unauthorized access to information assets. The practice sometimes is referred to as soft hacking and often is used to gather intelligence for a subsequent hacking attack.

Technically savvy CPAs have the skills to analyze a company’s information security climate, search for patterns in security-related data, make recommendations to management and formulate security policies and procedures.

Testing by a third-party contractor can pinpoint whether an organization is vulnerable to social engineering attacks. Such testing can shed light on whether employees adhere to the information security guidelines set out in policies and procedures.

Stephen Lineberry, CISA, NSA IAM/IEM, is information systems audit manager for KraftCPAs PLLC. His e-mail address is slineberry@kraftcpas.com.
Businesses spend a significant portion of their annual information technology budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics those dollars buy can be pierced by attackers targeting untrained, uninformed or unmonitored users.

Few companies properly address the human element of information security. “There are times when the human element is the leaky faucet” that spills sensitive information, says Debra Murphy, a consultant who is vice president of marketing for Rapid7, a Boston-based security software company that performs vulnerability assessment, network penetration and social engineering testing. One cause for the information trickle linked to employees is the pressure many are under to constantly improve customer service. “People are being measured on helping customers and providing a great customer experience,” Murphy says. Social engineering scam artists, who use deceptive and manipulative tactics on individuals to gain unauthorized access to information, pounce on that customer-focused mandate.

Some of the best tools for fighting social engineering attacks are security awareness training and social engineering testing. The effectiveness of these controls will vary based on the quality of their implementation, including follow-up and retraining. Social engineering testing, by its very nature, can be difficult to conduct without third-party assistance. One option is to engage an information security organization to conduct testing. The testing can uncover areas in which an organization is most vulnerable so that risk can be assessed and mitigation strategies can be formulated and implemented.

While prices vary, hiring an outside firm to conduct social engineering testing typically costs between $10,000 and $15,000. Rolling social engineering testing into a larger security penetration engagement can reduce the cost of the social engineering component, says Jim Patterson, director of consulting for Rapid7.

A meaningful social engineering audit must involve people who are knowledgeable about social engineering techniques and are creative enough to mimic the methods of real attackers. Rapid7 typically tests in a double-blind engagement, coordinating primarily with internal audit groups in large companies or the head of IT in smaller businesses. The testers set out knowing little about the client company, Patterson says. The IT staff and other employees of the target firm are not alerted to the possible attack.
ATTACK SIMULATION

The following example is based on an actual social engineering test. For privacy, some information has been altered or omitted; however, the techniques and results are accurately portrayed.

A common way to prevent unauthorized access to secure information is to require proof of identification. The goal of this test was to manipulate a bank employee into processing a transaction without obtaining any form of identification from the customer, who in this case was a social engineering tester.

Through simple observation of the target, the tester gathered information critical to his attack. A photo ID was generally required when a person requested a transaction. Friday afternoon was a particularly busy time for bank employees, with a typical wait time in line of 22 to 25 minutes. Closing time was 5 p.m., and the entrance door typically would be locked a few minutes prior to closing. Employees could easily overhear customers’ conversations because of the size of the space.

The attack was scheduled to begin on a Friday at 4:30 p.m., when distraction was highly likely due to heavy activity and the approaching weekend. The social engineering tester arrived at 4:30 p.m. and took his place at the end of the line. The tester engaged others waiting in line in friendly conversation. The tester joked about the trials of his day, which included getting a speeding ticket that caused him to be behind schedule. An employee locked the entrance door a few minutes before closing. The tester joked with the employee as he walked by.

The tester then continued to make conversation as he waited in line. His turn came a couple of minutes before closing. The tester complimented the employee for the patience the employee had shown with a rude patron. Prior to being asked, the tester removed his wallet and searched for his driver’s license, which, of course, he could not find. The tester continued, somewhat frantically, to remove contents from the wallet in search of his license.

At this point, the employee played right into the tester’s hands. The employee referred to the traffic ticket the tester had discussed while in line, and the tester appeared suddenly enlightened. He told the employee that he had likely stuffed his license in his glove box along with the traffic ticket. He apologized and asked the employee to please wait while he went to his car to retrieve his license.

The employee, knowing that the entrance door was locked and that it was closing time on a Friday, told the tester not to worry about it. The employee processed the transaction, gave the tester the information he sought and told him to enjoy his weekend.

The social engineering tester successfully induced:

Familiarity. The employee had likely heard enough of the tester’s conversation with others and no longer viewed the tester as a complete stranger.

Sympathy. To the employee, the tester appeared to have had a trying day, but seemed to be taking it all in stride. He had even admitted that he deserved the speeding ticket and he couldn’t fault the police officer for doing his job.

Comfort and Trust. The reason the tester did not have his license seemed perfectly plausible to the employee.

“At the end of the day, it’s about getting someone to violate a policy,” says Patterson of Rapid7.
Social engineering attacks are often used to gather intelligence that might be useful in a subsequent hacking attack. During a recent engagement, Rapid7 was hired to conduct penetration testing for a business that offers online sales of gift cards. The tester’s goal, Patterson says, was to get someone from within the company to open an e-mail message containing a Trojan horse that would install malicious software giving the attacker control over the victim’s computer and, thereby, access to customer credit card information.

The tester entered bogus credit card information with his order, which triggered a phone call from an employee whose job it was to manually enter all payment information from the seller’s online orders. The tester offered to send the correct information to the business in an e-mail with an attached document. The phone conversation was designed to lower the guard of the employee, who might not have opened the e-mail had it come from a complete stranger. In the end, the employee opened the e-mail and attachment, Patterson says, and welcomed in the Trojan, allowing the tester to break through the firewall and gain access to 25,000 credit card accounts.

Fred Cantz, senior manager, forensic accounting and litigation support, for Smart Business Advisory and Consulting’s Philadelphia office, cautions that such social engineering audits can open up a host of employee relations issues and sensitivities. He suggests that the results of testing should be used to aid in training rather than to discipline employees.
THE TRAINING GAP

Many information security managers and administrators may feel uncomfortable as trainers. While knowledgeable about technology, often “they’re not as good at dealing with policies and procedures and the training aspects of technology,” says Danny Jeter, senior manager and consultant with Jackson Thornton Technologies, a business spun out of the Montgomery, Ala.-based accounting firm Jackson Thornton.

That disconnect, combined with discomfort relating to personal privacy issues, is among the chief reasons that a large percentage of organizations do a poor job managing the human element of information security.

Many critical controls that support information security are non-technical. Observing non-technical controls may reveal much about the strength of an organization’s information security. A technically competent CPA—especially a CPA who is a Certified Information Technology Professional (CITP), Certified Fraud Examiner (CFE) or a Certified Information Systems Auditor (CISA)—can add value to a company by observing and analyzing issues that affect information security and then communicating concerns and recommendations to management.

CPAs understand internal controls and can assist companies in adapting control concepts to protect the confidentiality, availability and integrity of valuable assets. Cantz says CPAs can perform trend analysis and search for patterns in security data. They can be assets in drafting policies and procedures for safeguarding financial and customer data and also play a role in training employees to abide by the rules.

“CPAs and IT have to work as a team,” says Cantz, a CPA, CFE and former supervisory agent with the U.S. Postal Inspection Service. “I don’t think CPAs can do it better or cheaper or faster. But working hand-in-hand with IT, they can design a program that will assist in combating the social engineering challenges of today’s workplace.”

Patti Perdue, a principal with Jackson Thornton and the partner-in-charge for Jackson Thornton Technologies, suggests that all partners and managers in her firm ask their clients questions including: How do clients protect confidential information stored on the network or business computers? How often do they check for employee compliance with the requirements? Are employee passwords changed at least annually? Does an independent third party evaluate controls periodically?

To foster a culture that is information security aware, company management, assisted by qualified CPAs, should begin by asking the following questions:

Are employees educated and aware of common information security threats?

Do they write down or freely share passwords with others?

Do visitors freely move about facilities without facing barriers to entry, such as a requirement to wear a company-issued badge?

Is it common to see sensitive information, such as completed employment applications or client documents containing Social Security numbers, accessible in unmonitored or otherwise unsecured areas?

What is the prevailing employee attitude regarding information security controls? Are enforced information controls viewed primarily as a nuisance or a necessity?

No system is immune to human ingenuity. Effective information security must be culturally ingrained and backed by strategies and processes that are continually tested, taught, measured and refined.