Security, Compliance & Awareness
Social Engineering - Testing the "Human Firewall"
In the last few months, we have seen a significant increase in organisations asking Safecoms to carry out “social vulnerability” (or “social engineering”) tests, compared with virtually no enquiries during the previous 12 months. It seems the market is finally taking on board what experienced security professionals have been saying for some time: a professional hacker is now more likely to break into your network by exploiting human weakness than through technical means. And if an organisation can't determine where and what those human weaknesses are, it has a potential security risk that could be much greater than the odd missing patch…
The Issue
The system administrator in the company’s Austin, Texas sales office received a phone call. “This is Joseph Jones,” the caller announced. “I’m in business development at corporate. I’ll be in town for the week, at the Driskill Hotel. I’d like you to have me set up with a temporary account so I can access my email without making a long distance call.”
“Let me get that name again, and give me your employee number,” the sys admin said. The false Jones gave the number….
“OK, Joe. Tell me, what’s your building number?” The attacker had done his homework and had the answer ready…
It was as simple as that. The sys admin had verified the name Joseph Jones, the department, and the employee number, and “Joe” had given the right answer to the “test question” about the building number. “Your username’s going to be the same as your corporate one, jbjones,” the sys admin said, “and I’m giving you an initial password of ‘change me’”.
This is an extract from Kevin Mitnick’s book “The Art of Deception”, probably the best known book about social engineering. The following is an [edited] extract from a Safecoms report to a client about one of the results of a social engineering test that we recently conducted:
| Category | Attack - Password Reset |
| When | 10.30 am, 14 December |
| Target | IT Helpdesk |
| Objective | Obtain reset of “Sally Brown’s” password. |
| Background | Earlier call to reception (posing as a caller from the organisers of the “Australian PA of the Year Award”) yielded the names of all Executive PAs, their contact details, the names of their bosses, and some personal details (e.g. Sally Brown had only recently joined). Additional personal information was obtained from a further fake call direct to Sally (location in building, sits next to another PA “Anne Jones”, etc.). Judged that sufficient personal information had been gathered to convincingly pose as Sally in a call to the IT Helpdesk. |
| Method | Posed as Sally Brown over the phone, having access problems, confused and desperate to finish an important document to meet a deadline. |
| Result | After a lengthy conversation, IT Helpdesk agreed to reset the password to “1234abcd”. |
| Analysis | IT Helpdesk followed procedure up to a point, but when it transpired that no “secret question” had yet been set up for this employee, they broke with procedure and reset the password (rather than requiring further verification of identity through a call from her manager). |
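The procedural failure in the Analysis row, a verification step that was skipped instead of failing closed, can be encoded as a reset policy. The following is an added example (not Safecoms' or the client's code): an unavailable verification factor counts as a failed factor, the only alternative path is a helpdesk-initiated callback to the employee's manager, and the temporary password is random rather than a fixed value like “1234abcd”. Employee names and the manager extension are constructed sample data.

```python
"""Fail-closed helpdesk password-reset policy (added example, not from the report)."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional


@dataclass
class Employee:
    username: str
    manager_directory_ext: str          # looked up by the agent, never supplied by the caller
    secret_question_enrolled: bool      # False = question never set up (Sally's case)


@dataclass
class ResetRequest:
    claimed_user: str
    secret_answer_ok: Optional[bool]    # None = could not be checked at all
    manager_callback_confirmed: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    temp_password: Optional[str] = None


def issue_temp_password(length: int = 16) -> str:
    """Random, single-use value the user must change at first login."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def decide_reset(emp: Employee, req: ResetRequest) -> Decision:
    # Strong path: an enrolled secret question answered correctly.
    if emp.secret_question_enrolled and req.secret_answer_ok is True:
        return Decision(True, "secret question verified", issue_temp_password())
    # Alternative path: the agent calls the manager's directory extension and
    # the manager confirms the request. The caller cannot substitute a number.
    if req.manager_callback_confirmed:
        return Decision(True, "manager callback verified", issue_temp_password())
    # Everything else fails closed, including "no question enrolled yet".
    if not emp.secret_question_enrolled:
        return Decision(False, "no secret question enrolled: manager callback required")
    return Decision(False, "secret question not verified: manager callback required")


# Constructed sample data mirroring the report: recently joined, nothing enrolled.
SALLY = Employee("sbrown", "ext-4321", secret_question_enrolled=False)
```

With `SALLY`, `decide_reset(SALLY, ResetRequest("sbrown", None))` is denied, and the reset only proceeds once `manager_callback_confirmed` is set after the agent's own callback.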
The vast majority of criminally motivated hackers simply want to find the easiest way of gaining access to corporate and governmental systems and databases, do their business, and move on without getting caught. As technical defences against Internet-based attacks become increasingly sophisticated and IT teams get better at their patch management processes, hackers are increasingly recognising that exploitation of human weakness is a much easier method of gaining unauthorised access to systems and information.
Organisations that have traditionally had regular penetration tests to check their vulnerability to Internet based attacks are now, therefore, looking at extending the scope of that testing to also cover “social vulnerabilities”.
The outcomes from these tests provide the organisation with highly valuable information about where their weaknesses are, enabling user education to be targeted very effectively and specific procedures to be tightened up.
So what kinds of activities should be “in scope” in a social vulnerability test? What kinds of weaknesses are typically unearthed? And what types of remediation actions can be taken to address the findings?
Defining the Scope
As with any form of penetration testing, social vulnerability tests will vary in scope depending upon the kinds of risks that most concern the organisation. Some organisations are particularly concerned about outsiders gaining physical access to secure areas (e.g. comms rooms and data centres) or to staff in certain “sensitive” roles such as debt collection (particularly if there has been a history of attempted physical assaults by disgruntled customers who feel they have been wronged by the organisation). Others are primarily concerned about hackers being able to socially engineer log on credentials from users of the corporate network. Organisations that deal with customers online or over the phone are often more concerned about the possibility of an attacker obtaining information about a customer from a contact centre in order to steal that customer’s identity for fraudulent purposes.
However, a typical social vulnerability test will probably include most or all of the following activities:
- Social engineering of selected departments to obtain confidential information about staff, customers, or the organisation
- Social engineering of employees to obtain log-on credentials
- Social engineering of the IT department, posing as an employee, to have a password reset or to obtain other sensitive information
- Attempting to gain physical access to selected areas of the company building
- Sending spoofed phishing emails to selected staff requesting them to provide password details or to click on a suspicious link
- Determining whether confidential information can be obtained from garbage bins located outside the premises
The Test
A hacker engaged in a social engineering attack usually starts out by gathering as much information as possible to build a picture of the organisation, the people who work in it, customers, the IT infrastructure, and possible points of weakness (both physical and logical). The results of the information gathering activities will then provide the attacker with a number of “leads” for the construction of attacks. A social vulnerability test should follow the same methodology.
Safecoms generally finds that it is relatively straightforward to obtain a lot of valuable information very quickly from a few “fake” phone calls and other information gathering activities. Areas typically targeted in the early stages include:
Reception: experience demonstrates that receptionists vary significantly in their security awareness. Some are canny, experienced operators who “smell a rat” very quickly. Others, by contrast, are “chatty” and dispense all manner of information useful to an attacker if approached in the right way. For example, in a recent social vulnerability test conducted by Safecoms, one phone call to reception (posing as a representative from the organisers of a “PA of the Year Award”) yielded the names of all the Executive PAs in the organisation, their contact details, the names of their bosses, and valuable personal information about some of them such as how long they had worked at the organisation, whether they were permanent or temporary, and so on. This information was then built on to achieve a fraudulent password reset from the IT Helpdesk (see above).
HR Staff: many organisations now advertise their job vacancies on their websites, often with a specific contact person in HR who can be called for further information. Posing as a prospective job applicant over the phone, a lot of useful background information can be unearthed from the HR team (who are, of course, trying to be helpful).
IT Department: a lot of IT staff enjoy the opportunity to talk at the detailed technical level about what they have built and implemented in their workplace: this natural enthusiasm can be exploited by an attacker posing over the phone as (e.g.) a student researching into “best practice” in enterprise IT architecture.
Rubbish bins: no social vulnerability test would be complete without a bit of “information diving” (or “dumpster diving”, as it is known outside the UK). Safecoms' experience is that organisations can be very careless about the way they dispose of sensitive, paper-based information. A recent test conducted by Safecoms included a raid on one garbage sack that had been left out on the street by the client awaiting collection. The contents included:
- print outs of information about customers containing sufficient detail to launch identity theft scams
- details of all change management assignments currently being undertaken by the IT department (including the names of the IT staff responsible for each item and the names of the internal “clients”, thereby enabling follow up calls to those clients posing as an assistant to the responsible IT department member)
- a help desk roster and details of all outstanding “tickets”
- a draft internal discussion paper about a new product (yet to be announced externally)
- personal information (including full bank account details) about some employees
- an organisation chart giving details of names, roles and reporting relationships of numerous employees
Examples of the attacks that can then be constructed from information gathered in this way include:
- by combining information about a particular employee obtained from various sources (including the employee themselves) with information obtained from a member of the IT department about remote access procedures within the company and internal contact details for the IT Helpdesk, it may be possible to call the help desk posing as that employee and obtain a password reset, thereby gaining immediate remote access having stolen that user’s identity
- by using information obtained from a garbage sack about current IT activities (change management items, outstanding helpdesk “tickets” etc.) and information obtained about the members of a particular department (including their contact details) it may be possible to call a user posing as a new or temporary member of the IT Department and persuade the user that they need to give the IT Department their authentication details
- by using information obtained from various sources (e.g. HR and Reception) and then preying on the natural courtesy and helpfulness of random employees travelling in lifts who then get out to access secure levels of a building, it may be possible to identify the precise location of a senior individual in a sensitive role (e.g. Head of Debt Collections) and tailgate an employee entering that secure area to personally deliver a “package” to that individual.
It should be stressed that the examples given above are just three of a wide variety of types of attack that can be perpetrated depending on the nature of the information obtained in the initial phase. The essence of social engineering is that it is opportunistic, and rapidly develops a life of its own as combinations of pieces of information inspire new attacks.
The Security Dividend
Of course, the overriding objective of a social vulnerability test is to provide the organisation’s management with an authentic view of security weaknesses that need to be addressed. This information can then be used to set the agenda for targeted training initiatives and tightening up of policies and procedures.
Training programs based around actual events that have occurred within the organisation in the course of a social vulnerability test will be far more effective than those based on abstract examples of incidents that have reportedly occurred in other organisations. Such training automatically pre-empts the “that would never happen here…” school of complacent thinking.
A well executed social vulnerability test (particularly where the results are presented back to senior management and staff) will also play an important role in reinforcing the fact that information security is not just “an IT thing”, but that everyone has a role to play and that “security” needs to be seen as a core part of the corporate culture in the same way that (e.g.) customer service and innovative thinking are.
InfoAware
InfoAware is our training solution for User Awareness, IT Staff Awareness and Information Governance. Covering all the relevant topics required by international standards such as ISO 17799, it comprises a multimedia Video/DVD and a Learning Management System. InfoAware is easy to deploy over the Intranet and can be used for induction and refresher training courses. InfoAware takes users through a multiple-choice question and answer session on each topic and allows organisations to deploy additional training material and policy documents to all staff.
More details can be found at www.infoaware.com
Contact
Safecoms has operations in the UK and Australia, with representatives in the USA, Asia and the West of Scotland. If you would like someone from Safecoms to contact you please email us at info@safecoms.co.uk