Employees may be opening doors to criminals
user name
2006-06-01 05:47:51
http://news.ft.com/cms/s/458807fe-efec-11da-b80e-0000779e2340,dwp_uuid=863bb51c-1f76-11da-853a-00000e2511c8.html

By Kate Mackenzie
May 30 2006

Holding a security door open for someone laden with cups of coffee or a big stack of documents may seem the polite thing to do. But you may have fallen for a classic trick deployed by hackers.

The person might have been smartly dressed and looked legitimate, but that is a key part of the deception of "social engineering", which uses simple, everyday situations to deceive individuals into giving out physical or technical access to facilities that can be a mine of valuable information.

Whether getting into a building, eliciting a password over the telephone or persuading a phishing victim to e-mail their banking details, "social engineering" is responsible for more than half of security breaches, and some estimates claim the proportion is as high as 90 per cent.

Deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees' awareness of their own risky behaviour.

Last year, for example, three call centre staff at Mphasis, an Indian outsourcer, tricked several Citibank customers into revealing their Pin numbers and then stole hundreds of thousands of dollars, in an incident that rocked the outsourcing industry.

Bob Blakley, chief scientist for security and privacy at IBM's Tivoli division, says it is partly because there is no "standard set of social behaviours" for tasks such as resetting a password over the phone, so many people are easily persuaded to go along with risky procedures.

The problem is worsening, as hacking attempts and malware are increasingly used by organised criminals, rather than fame-hungry or curious geeks.

Despite a consensus that it is always people who are the weakest point in any security system, workplace prevention tactics are often neglected or relegated to a set of acceptable use policies that are largely ignored by staff.

By contrast, meticulous and detailed documents on the dishonest use of "social engineering" techniques are easily available on the internet.

One such document details a vast number of techniques, ranging from "dumpster diving" to shoulder surfing - looking over someone's shoulder as they key in a password or Pin - to "conformity": for example, telling the target that everyone else has given out their password over the phone.

Appealing to people's better nature by phoning up and pretending to be an out-of-town colleague who urgently needs to access the network is another.

In spite of all the experimentation and refinement of techniques to persuade and confuse potential "social engineering" targets, the security industry's response is almost exclusively focused on technology rather than psychology.

What can be done about it? The first thing is to take a wider view of security, says Jan Babiak, Head of Information Security at Ernst & Young.

"For example in certain countries, you have a very good chance of kidnapping senior executives. The physical security [team] take enormous precautions, but the IT people might have left something like a calendar somewhere where it's easy to hack into."

Cisco, meanwhile, urges executives to create a "top-down" culture of security awareness instead of palming off all security to a separate team.

Dave Shackleford, the director of security solutions and assessment services at Vigilar, a US security consultancy, says that executives are often the softest target for "social engineering" experiments. They tend to think they are "above the law" and have access to high level information. They are also used to associating with other top-level people, says Shackleford, so their trust levels are higher.

Mr Shackleford frequently puts clients' security defences to the test by, for example, photographing staff IDs with a telephoto lens to copy them. No attempted physical test undertaken by Vigilar has failed, he says.

Mr Shackleford says companies need policies in place: "If they don't have explicit policies laid out for their employees, then they may not know any better."

Vigilar's clients act on the information gleaned from the tests in different ways, but punishing employees who fell for a "social engineering" trick is not usually one of them.

"It's human nature to be helpful," says Mr Shackleford. Instead, they tend to respond by improving training and awareness procedures.

Some of Mr Shackleford's techniques are frighteningly simple: "Just phoning someone's extension can reveal if they are out of town, for example, and for how long."

Robert Chapman, chief executive of The Training Camp, which runs security awareness courses for non-IT staff, says: "All the talk and all the money really is on technology. People in a sense brag about how much they spent on their Cisco firewalls." But they overlook the obvious weaknesses.

His company recently ran the well-publicised "CD test" in bond in which 100 CDs were handed out to workers in the City, promising a free Valentine's Day gift if they installed it. Once installed the CD reported back to Chapman; he says the majority of recipients did so.

Bruce Schneier, the cryptographer who also works as a security consultant, is not so sure.

He believes technical security must take into account behaviours, but does not believe "social engineering" can be adequately guarded against by training: "Have you ever met a user?" he replies when asked about efforts to improve staff awareness.

Technology, Mr Schneier says, must be more tailored to each user's needs and risk levels. Does a typical office worker, for example, need to have access to a USB port or even a CD drive?

"This is not just a 'get some guys on and solve it' problem," says Schneier. "It's like murder, burglary - all of these things, they've been around for ever."
