Welcome to Volume 3, Issue 8 of The Internet Security Conference Newsletter, Insight. Insight provides commentaries and educational columns, authored by some of the best minds in the security community.
TISC is about sharing clue. So is the newsletter. We promise to provide something useful each issue. If we don't, flame me.
Enjoy, and be safe,
In this issue, Chris Tobkin talks about social engineering. Everyone loves to recount stories about social engineering events, but few organizations want to admit how vulnerable they are to social engineering. Mark Seiden, a physical security specialist at Securify, explains how the maintenance engineers (janitors) of buildings are one of the best sources of entry to a supposedly secured facility - "I left my car keys and airline tickets in my briefcase in my office, and the CEO expects me in Los Angeles this evening, can you help me out?" I made a point several years ago by arriving early for a meeting and bypassing the lobby and elevator guards by entering the building through a basement door, then taking the elevator from the basement straight to the 7th floor. All I had to do was ask how to deliver a large package without dragging it through the lobby.
Read on. Chris makes a good case for applying policy to more than your firewalls and VPN appliances.
Ever wonder how big companies and big government spend millions on internal and external security (firewalls, security personnel, intrusion detection systems, etc.) and are still compromised? Is it because they do not have adequately trained personnel? Highly unlikely; large companies have some very sharp security people. Is it because they don't have enough security software? Possibly, but software alone cannot protect a company from a security breach. Bruce Schneier, CEO of Counterpane and a respected cryptanalyst and security expert, stated, "Security is a process, not a product." To expand upon one aspect of that, this paper describes a few processes that companies are not yet handling well.
Securing your networks through software can only partially protect your data. It is a well-known fact that keeping your servers and networks physically secure also plays a large part in keeping your data secure. Many times, I have heard technical people say, "Well, if they can get to the machine physically, then they've won." I say it myself quite often. How do companies protect against these problems? Some hire security guards to sit at a reception desk to stop unauthorized people from entering. Many companies keep their machines behind locked doors. Once you have done these things, your data is secure, right? No person can get to the data because they don't have a card to the door to get into the server room, and the guards are at the front door to make sure unauthorized people don't come in. In addition, you have had an independent firm come in and audit your computer security internally and externally. Is that it? Have you covered all your bases?
One crucial piece is missing -- an audit of how successfully your policies and procedures are actually being implemented. Enter social engineering.
The hacker's jargon dictionary defines social engineering as follows:
Social Engineering: n. Term used among crackers and samurai for cracking techniques that rely on weaknesses in [Human Beings] rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.
Social engineering preys on the trust and idiosyncrasies that humans, and society as a whole, have developed and implicitly adhere to, whether as part of a social construct or out of familiarity. Social engineering is one of the easiest ways to get information from a company since it requires little to no technical expertise. In fact, everyone knows how to do it; we just do not realize when we do it. Have you ever told an employee that there is a deadline to get a worker to do their job faster, better, or the way you want them to do it? How about telling the worker at Burger King you are allergic to mayo (when you're not) just to make sure they don't just wipe it off? Maybe you have acted ignorant or helpless so as not to further complicate the situation? Have you ever told your professor you were going to be out of town for a funeral to delay taking an exam, or acted as if you knew someone or something just because you wanted to continue the conversation or not be embarrassed? That's social engineering!
ACT THE PART
To be a good social engineer, one must set aside his or her social understandings and ethics (note: social engineering seems less common yet more effective for women) and start looking at things people don't normally recognize or want to look at, for example the implicit trust people have in each other. It is the golden rule - do unto others as you would have them do unto you. Nobody likes being hassled and, as a result, nobody wants to be a pain or stop someone else from doing his or her job. Psychology and sociology backgrounds are a plus in learning the intricacies of social engineering.
A prospective social engineer also has to be the type that thinks outside of the box. Just because there is a lock on a door does not mean the door is locked. Perhaps it is. Look up at the ceiling - if it's a suspended ceiling, the wall may be overcome. At my first job as a systems administrator, I had left the keys to the server room at home and needed to get in. Climbing over the wall got me in, but once we realized this, we decided to remedy the situation, since others could exploit this path as well.
DRESS THE PART
The appropriate attire and confidence can also have a large impact. Walk into a company with a shirt bearing the logo of the local phone company and say you're there to "do routine preventative maintenance on the phone system". Chances are that someone will show you directly to their wiring closet and leave you there to "do your work". "I've discovered that if you have a hard hat, a clipboard and you're wearing a suit, you can go anywhere," said Robert Lupo, known as Virus to other hackers. "I got into the pit at the Indianapolis 500 this year." This method works quite well if you act confident. If you act as if you have done this 200 times already and are perceived as belonging somewhere, it lends credibility to whomever you are trying to impersonate.
Much of this has worked for getting into credit unions and banks, large data warehouses, network operations centers, etc. Auditing for this special type of attack requires one to think like a criminal. Reckless disregard for the facilities of the company and a goal of getting "the crown jewels" are a requirement. A conspiracy theorist mentality is also a benefit. For instance, I presented the theory of shooting a bullet through their glass front door and through another pane of glass shortly down the hall and in plain view from the parking lot. The glass down the hall showed off their server room. Doing this would have disabled -- or at least disrupted -- all corporate data traffic. (The company rethought "showing off their server room" to people waiting in the lobby after we presented this theory.)
KNOW YOUR ENEMY
Another aspect of social engineering is information reconnaissance. This is the practice of taking public information and using it to draw conclusions or educated assumptions about secret or confidential data. The gathering of this information can be done over the network by searching newsgroups and websites or by querying whois. A simple example of this can be seen by looking at postings to mailing lists to find out internal network addresses, email server and client software, or areas in which a company is lacking expertise.
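The mailing-list leak described above, as an added example that is not code from the original article: given the raw headers of a list post, pull out the internal (RFC 1918) addresses from the Received: chain, the version strings relaying mail servers stamp on those lines, and what the poster's mail client announces about itself. The sample message, its hosts, addresses and version numbers are all constructed for illustration.

```python
"""Added example (not from the original article): passive reconnaissance on a
mailing-list post. Extracts the three things the text says list archives leak:
internal network addresses, mail server software and mail client software.
SAMPLE_HEADERS is constructed; every host, address and version in it is made up."""
import ipaddress
import re

# Constructed sample headers, shaped like a list post relayed through a corporate
# mail server and then a list server (not a real message).
SAMPLE_HEADERS = """\
Received: from lists.example.net (lists.example.net [203.0.113.9])
    by mx.example.org with ESMTP id abc123; Mon, 4 Jun 2001 09:12:01 -0500
Received: from mail.corp.example (mail.corp.example [192.168.10.5])
    by lists.example.net (Postfix) with ESMTP id 7F2A1
Received: from ws-jsmith.corp.example ([10.20.3.44])
    by mail.corp.example (8.11.2/8.11.2) with SMTP id f54E9ab
From: J. Smith <jsmith@corp.example>
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
Subject: Re: sendmail relay problem on our proxy
"""

# RFC 1918 space: a connecting host with one of these addresses is an internal box.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FROM_RE = re.compile(r"^Received: from (\S+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# sendmail ("(8.11.2/8.11.2)") and Postfix ("(Postfix)") identify themselves in
# parentheses right after the "by <host>" they add to a Received: line.
BY_SOFTWARE_RE = re.compile(r"\bby \S+ \(([^)]*)\)")
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE")


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unfold(headers):
    """Join RFC 822 continuation lines (leading whitespace) onto the previous header."""
    lines = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def recon(headers):
    """Return internal hosts, relaying MTA software and client software seen in the headers."""
    internal_hosts = []      # (hostname, address) pairs inside private address space
    mta_software = set()     # name/version strings stamped by relaying mail servers
    client_software = set()  # what the poster's mail client says about itself
    for line in unfold(headers):
        if line.startswith("Received:"):
            host = FROM_RE.match(line)
            ips = IP_RE.findall(line)
            # The first address on a Received: line belongs to the connecting (sending) host.
            if host and ips and is_rfc1918(ips[0]):
                internal_hosts.append((host.group(1), ips[0]))
            sw = BY_SOFTWARE_RE.search(line)
            if sw:
                mta_software.add(sw.group(1))
        else:
            name, _, value = line.partition(":")
            if name in CLIENT_HEADERS:
                client_software.add(value.strip())
    return {
        "internal_hosts": internal_hosts,
        "mta_software": sorted(mta_software),
        "client_software": sorted(client_software),
    }


if __name__ == "__main__":
    for key, value in recon(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run against a real archive, the same three fields tell an attacker which hostnames and private ranges exist, which sendmail or Postfix release to look up, and (from the X-Mailer line) which client to target; the Subject line in the sample is the kind of post that also advertises where the company is short on expertise.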
Another example is the information stored in DNS. Yes, individual records can be queried and retrieved one at a time. However, if an attacker is able to perform a zone transfer, he or she now has a detailed map of the addresses used on the network (possibly only the external network). Depending on the DNS naming scheme the company uses, it is easy to determine a particular IP address's function ("router", "fw", "gw", and "proxy" are good examples). Along the same lines, a naming scheme can give away information about other computers that may exist but are not directly known to the external network. (If a company has systems named "bart", "lisa", "marge", and "maggie" after characters from The Simpsons cartoon, it stands to reason that there is a system named "homer".) As always, such a scheme may make computer names easier to remember, but it also makes it easier for someone to infer a system's likely presence from the naming convention.
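What a zone transfer hands an attacker, as an added example that is not code from the original article: the input is text in the one-record-per-line form that `dig axfr` prints, and the zone below is constructed for illustration (every name and address in it is made up, and the theme list is an assumed starting point). It shows the three leaks the paragraph describes: a host list with addresses, including internal ones; role words in names that reveal function; and a themed naming scheme that lets one guess a host the zone does not list.

```python
"""Added example (not from the original article): mining a zone transfer.
Parses dig-style A records, flags role words in hostnames, lists hosts whose
addresses are in private space, and infers unlisted hosts from a naming theme.
SAMPLE_ZONE is constructed; every name and address in it is made up."""
import ipaddress
import re

SAMPLE_ZONE = """\
corp.example.          86400 IN SOA ns1.corp.example. hostmaster.corp.example. 2001060401 3600 900 604800 86400
corp.example.          86400 IN NS  ns1.corp.example.
corp.example.          86400 IN MX  10 mail.corp.example.
ns1.corp.example.      86400 IN A   203.0.113.2
mail.corp.example.     86400 IN A   203.0.113.5
gw.corp.example.       86400 IN A   203.0.113.1
fw-ext.corp.example.   86400 IN A   203.0.113.3
proxy.corp.example.    86400 IN A   203.0.113.4
www.corp.example.      86400 IN A   203.0.113.10
bart.corp.example.     86400 IN A   192.168.1.11
lisa.corp.example.     86400 IN A   192.168.1.12
marge.corp.example.    86400 IN A   192.168.1.13
maggie.corp.example.   86400 IN A   192.168.1.14
"""

A_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Words that give away what a box does: the text's own examples plus a few common ones.
ROLE_WORDS = {
    "router": "router", "rtr": "router", "gw": "gateway", "fw": "firewall",
    "proxy": "proxy", "ns": "name server", "dns": "name server",
    "mail": "mail server", "mx": "mail server", "smtp": "mail server", "www": "web server",
}
# Naming themes to test the host list against (assumed list; extend as needed).
THEMES = {"The Simpsons": {"homer", "marge", "bart", "lisa", "maggie"}}


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_a_records(zone_text, apex):
    """Return (short_name, address) for each A record, with the zone apex stripped."""
    records = []
    for line in zone_text.splitlines():
        m = A_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        if name.endswith("." + apex):
            name = name[: -len("." + apex)]
        records.append((name, m.group(2)))
    return records


def classify_roles(records):
    """Map each short name containing a role word to that role."""
    roles = {}
    for name, _ in records:
        # Split on anything that is not a letter, so "fw-ext" -> fw, ext and "ns1" -> ns.
        parts = [p for p in re.split(r"[^a-z]+", name.lower()) if p]
        for part in parts:
            if part in ROLE_WORDS:
                roles[name] = ROLE_WORDS[part]
                break
    return roles


def internal_hosts(records):
    """Names whose addresses are in private space, leaked through the external zone."""
    return [name for name, ip in records if is_rfc1918(ip)]


def guess_unlisted_hosts(records, themes=THEMES, min_hits=3):
    """If enough names fit a theme, return that theme's members the zone does not list."""
    seen = {name.lower() for name, _ in records}
    guesses = {}
    for theme, members in themes.items():
        if len(members & seen) >= min_hits:
            guesses[theme] = sorted(members - seen)
    return guesses


if __name__ == "__main__":
    recs = parse_a_records(SAMPLE_ZONE, "corp.example.")
    print("roles:", classify_roles(recs))
    print("internal:", internal_hosts(recs))
    print("probably also exist:", guess_unlisted_hosts(recs))
```

The defensive check is the same run from the outside: if your own name servers answer an AXFR from an arbitrary address, everything this script prints is already public, and the fix is to restrict transfers to your secondaries and keep internal names in a zone that is not served externally.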
BE YOUR ENEMY
Identity theft is another form of social engineering that relies heavily on information reconnaissance. Abraham Abdallah had to do a tremendous amount of information gathering and correlation to steal the identities of more than 200 of the Forbes 400 Richest People in America. His work included retrieving detailed credit reports on his victims, which he used to clone their identities and gain access to their credit card, brokerage, and bank accounts.
WHAT IS THE ANSWER?
The only solution I see for these problems is a combination of a well-written and enforced security policy and employee training. No matter how many firewalls you have, if a person can stroll inside your buildings unescorted, there is a good chance he or she will be able to access your data and vital parts of your network one way or another. It is even easier for that person to get onto the network if no screen saver passwords are used and users keep their passwords on Post-It notes stuck to their monitors.
The security policy must explicitly state and reinforce that employees need not fear for their jobs when they report security problems or deny access where and when they should (the policy should reward such behavior). For example, a secretary should not fear for her job when she refuses to let a visitor enter the facility and the security policy explicitly states she is doing the correct thing. Normally, this is not a problem. However, when a Vice President tells the secretary to let the visitor in unescorted because he is too busy to come downstairs, the secretary begins questioning whether the policy is enforced and whether she should stop enforcing it or follow the policy and run the risk of retribution. The security policy should give the secretary in this example the peace of mind that she is doing the correct thing by telling the VP she cannot allow the visitor in unescorted and that he must come down and escort the visitor. The policy must also include resolutions and punishment for those who choose not to follow it - in this case, the VP.
Other things the policy should touch on include shredding of documents to prevent information gathering via "dumpster diving", password usage, and the handling and dissemination of corporate information.
Training is also necessary because employees both inside and outside of IT often do not understand the importance or sensitivity of data. This can be something as simple as an afternoon seminar for all current employees and a half-day seminar once a month for all new employees. Many companies are already doing this, and hospitals are starting to do it much more often with HIPAA regulations on the horizon. However you decide to implement it, employees need to understand what the effects are and what is expected of them.
Long story short, social engineering and information reconnaissance can quickly short-circuit much of the security a company puts in place. All of the results from social engineering and information reconnaissance exercises should be factored into a company's risk assessment so that the company can decide to either accept the risk or attempt to mitigate it. I realize that addressing all of these issues is out of the reach of most organizations right now. However, some of the issues are relatively inexpensive to address. Others take more time and money. Unfortunately, with the theft of data, identities, and corporate espionage becoming a more widespread problem and concern, these areas are now a requirement for keeping corporate information, as well as the corporate facility, secure.
Chris Tobkin is a Security Engineer/Analyst for InterSec Communications, Inc. in St. Paul, Minnesota. Day-to-day Chris's workload consists of conducting network and physical security audits (including social engineering), installing security products, forensics, and teaching classes on security. He spends his free time working on his security website, http://interactiveinfosec.com, reading mailing lists, mixing music, and playing with his two cats.
TISC 2001 - Register Online!
Early registration for TISC 2001 is now open, visit our registration page today.
TISC 2001 will be held June 4-8, 2001 at the Century Plaza Hotel and Tower, Los Angeles, CA. Take a peek at our program.