CIO Insight: What is social engineering?
Mogull: Social engineering is the manipulation of people rather than electronic systems in a security attack. The reality of it is that we all use it on a day-to-day basis - to get a discount at a store, to maybe get into a concert that we're not supposed to get into, and so forth. Successful social engineering can completely circumvent all of our security.
Here's an example: How hard do you think it is to get a UPS uniform? You can buy one on eBay for $50 bucks with 48-hour delivery. How much access do we give the UPS guys? Say this UPS guy comes in early in the morning before anyone else is in the office and he's got a delivery for so-and-so. He walks into the data center with a PDA, plugs it into the computer, and voila. He can suck down anything. Obviously, there are a lot of tools at the disposal of somebody who wants to perpetuate these kinds of problems.
Another example: The cleaning and maintenance staff have access to your entire organization overnight while they're cleaning and maintaining. How do you know that they don't have a Ph.D. in computer science and malicious intent? You don't.
Here's a great story, and it's true: A CEO of a company goes on vacation. The day after he leaves, a consultant, wearing a suit, carrying all the right references, walks in the door of the office and says, "Mr. Johnson hired me and asked me to take a look at your engineering plans. Apparently, there was a technical problem." Someone says, "Oh, he just went on vacation, he's not here." The consultant responds: "Well, you know, I came from out of town, I'm only here for basically the one day. This is pretty important, and, frankly, you guys already paid me a lot of money. Is there anyone I could talk to about this?" So this person sits down, spends an entire day going over the engineering plan, and walks out with copies because there are some issues that he needs to work on later. Meanwhile, the CEO gets back from vacation and says: "What consultant?"
A further example. A company went out and did scanning over public networks, and they did it legally. They wanted to find out how much information they could find out about the CIA by just using Internet tools only - no phone calls, nothing else. Know what they found? Phone numbers and the names of people at those desks, internal lines, through DNS registers and through network scanning. They mapped the topology of the network, and then they were able to figure out who was in charge of many of those network sectors. Now you get that information and you make a phone call, and you know now the person's name, you know their internal extension, and you can use that to manipulate: "Hey, Bob, this is Jim over from network engineering. We're having a problem. Can you send me this e-mail, how about this, how about that?" And that's an example of this scanning of the physical and the electronic worlds to gain information.
CIO Insight: So we're basically talking about cyber-crime - not necessarily digital break-ins, but also physical break-ins?
Mogull: Right. Social engineering is a scam, it's a con, and whether it's digital or physical, it depends on what the attack is. When I talk about it, I talk about it in the terms of electronic attacks and how it's used to perpetuate those particular kinds of attacks. Oftentimes, it's manipulation to get the user name and the password. Direct manipulations of corporations for credit card information, other account information. Insider attacks - somebody within an organization that's got some kind of malicious intent - are very large. I also classify former employees in the same vein because they'll often take advantage of another employee to do some kind of internal attack.
CIO Insight: How much more of an issue are these kinds of attacks today than they were five or 10 years ago?
Mogull: If there's a worse anything, it's just that organizations have a higher reliance on their electronic systems, and oftentimes, if you think about 20 years ago, more people have access to those systems than ever had access to them before. But social engineering is a very well-known issue in the security community. It's also one that's a bit more difficult to address than a lot of the traditional security issues because, you know, you can't stop people from being people, and as much as you'd like, your users are going to make mistakes and they'll be manipulated and everything else. I think it's been a consistent problem.
CIO Insight: What do CIOs and CISOs have in their arsenal to battle this problem?
Mogull: I am not a fan of generic security training. It's useless, absolutely a waste of time. A wall poster about security won't do anything if you don't properly structure your program. So the first step is to get your governance in place. Then you can build your awareness and change your culture. You also train people on security issues. System administrators need a lot of different training than a developer, line employees or senior leadership needs. You need to teach them what to do, how to report problems, how to respond to problems. You have to have a hotline, and usually the help desk is the best place to put this. So if there's something they suspect, be it physical or electronic security, it doesn't matter, they've got one place to report it. I've often heard stories about people reporting laptop thefts to the IT department and not physical security. Is computer theft a technical or physical problem? It's both. Depending on their level of access, employers need to do background checks and not just a criminal background check. If they have access to the data center, I don't care if they've got a garbage can in their hands or if they've got a laptop in their hands, do the same background check. Especially when they're the guys who are there at 3 o'clock in the morning.
Terminated employees are a big problem. I hate to say this because you won't think it's nice, but you know what? Don't give anybody hints that you're going to fire them until you do, unless you really, really, really trust this person. If there's a sense that they're disgruntled at all, then you have to have employee-termination procedures. You have to change all their accounts, change all their physical access and make sure that they can't go back and do stuff. Now again, it depends on their job role, it depends on what kind of information you have. Monitor usage patterns for unusual access or behavior. By the way, management hates it when I say this, but if you have a positive working environment, you have fewer disgruntled employees.
CIO Insight: Are more companies beginning to adopt these policies?
Mogull: I see some enterprises that are really good and very protective. Financial services is moving a lot more in this direction, some of the more highly security conscious organizations. But most people still can't get their basic security issues solved, and there are a lot of people out there who still just need to stick with the basics. That's because security is a cost center. It can be seen as an inconvenience. Think about security in real life in the rest of the world. It's not something that gets us profit. It's not necessarily where people put their first investments, which I think is unfortunate. If you built a house with no security, with no locks on the windows or doors, you're going to have a heck of a lot of work to do to retrofit it. It's less work and time and cost to integrate it in from the start.
And that's what we do in real life. We do integrate it. We know when we buy a house, we go ahead. Or, if you have a store, okay, you think about what other forms of security you'll need. Here's the safe, here are the door locks, here are the cameras, here are the security practices and policies, and we're going to get insurance if all this stuff fails. Trouble is, many companies haven't been all that great about implementing that same kind of design into their digital systems. Companies need to stop relegating security to a line item of the IT budget and really take a look at how they can best leverage all of their technology investments and use security as a positive tool. That involves the security guys working more closely with the business guys, and making sure that their wants and needs and everything else are aligned. They have to have strong communication. The role of a security department is to enable a business to take the greatest amount of risk it wants to take in the safest way possible.
The IT department is responsible for the overall running of IT systems, so they're the ones who make sure the firewalls are up and configured and are functioning in line with the security team. And then when there's some kind of a potential security incident, the security team is brought in, and they actually look at resolving what the issue is. The security team puts representatives on major projects so that the security needs of the project are dealt with very early on. But oftentimes it's the technology guys that are going to do the nuts and bolts implementation.
CIO Insight: How does social engineering affect the culture of a company?
Mogull: People have to have a modicum of caution. Let's face it, we as people are not naturally distrustful (even though I am, but I'm paranoid and delusional). We're not naturally distrustful, and as such we're open to manipulation, and there are specific psychological techniques that are actually used to manipulate people.
CIO Insight: And how much is too much? When do you cross the line from being secure to being paranoid?
Mogull: You don't need to make people paranoid, not at all. The line is when security interferes with your ability to do business. If you can't get your job done because the security's getting in the way and if it's inhibiting your growth, that's when you've gone too far.