Security: Social Engineering

by Heather Mark

   The issue of social engineering is often overlooked in discussions of security and privacy within the payments space. The discourse on security and privacy practices tends to focus primarily on technology and processes, sometimes skipping entirely over the question of people. Certainly the point has been made that individuals should be aware of the information security policy, and in order to achieve compliance with the PCI standard, companies must train their employees on the program annually. Yet the shadow of social engineering looms, and it still draws little attention: in the 2006 CSI/FBI Computer Crime and Security Survey, social engineering does not even make the list of the top ten “Most Critical Issues in the Next 2 Years.”
   Social engineering can be defined as the use of interpersonal skills to elicit information that will allow an individual to gain access to a company’s resources. It is essentially a low-tech form of hacking into a system. Instead of using a brute-force attack to determine a password, an individual might simply call the help desk, posing as an authorized user who has forgotten the password. This allows the hacker to almost completely circumvent the technological controls the organization has put in place. The investment for the hacker, in terms of both capital and time, is very low and the return is generally high. The risk of discovery is also relatively low, making this particular type of hacking very attractive.
   A Google search on the term “social engineering” will provide ample illustration of the fact that, although this may be the most low-tech method of attack, it is often the most successful. Phishing is an example of social engineering in which the hacker tricks people into providing sensitive log-on credentials for financial accounts. While many people are now familiar with this ploy, it still accounts for over $500 million (USD) in losses each year according to NACHA.
   The reason that social engineering is so successful is that, whatever people say to the contrary, they are trusting by nature. Perhaps complacent would be a better word. Most people will accept at face value what they see before them, as opposed to suspecting ulterior motives. The less threatening an individual seems, the more information they may be able to garner with social engineering techniques. Usually, it would not occur to someone to question an individual who says they left their proximity card to the office at home. The typical reaction might be to commiserate with the person and then open the door for them. Similarly, when someone calls a tech help desk and says they forgot their password, the first reaction may be to reset it or give out a new one without adequately authenticating the individual.
   In addition to the impulse to help, there are a number of other traits that make social engineering hard to detect and difficult to prevent. There is, for instance, the tendency towards self-preservation. A social engineer may communicate the idea that the employee will be in trouble if they don’t comply. Most people try to avoid conflict as much as possible, and so will do as the social engineer asks in order to preserve their job. Similarly, people who feel panicked or pushed may simply give out information in order to prevent whatever imminent business disaster the social engineer has conjured.
   The fact that social engineering tends to be so successful offers a unique challenge to data security professionals. This is where the “people” and “process” parts of the phrase “technology, people and process” come into play. All the technology in the world cannot keep out an individual who has been given access to the network. Most information security programs include an “employee awareness form,” stating that the employee has read and understood the policy. Additionally, to become PCI compliant, companies must train employees on information security at least annually. Requirement 12.6 states that companies must “Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.” While it does not call out social engineering specifically, it should be considered a best practice to include training on the subject in the curriculum.
   Social engineers are extremely adept at reading weakness in people, and especially at finding the point within an organization that can be easily exploited. More often than not, this organizational weakness can be found in call centers and help desks. In these areas the rate of employee turnover is generally high and the employees are less aware of security issues. These traits make them extremely valuable targets for social engineers. In these departments, job performance ratings are often predicated upon friendliness and the ability to solve problems for the caller. Those criteria can run counter to the ability to recognize and rebuff social engineering attempts. This is not to suggest that friendliness and helpfulness should not be part of job evaluations, but that because they are, training on social engineering is even more crucial.
   Detecting a social engineering attack can be very difficult. Fortunately, for well-trained employees there are a number of telltale signs that can be used to identify a social engineering attempt in progress. First and foremost is the act of asking for sensitive information. One should be suspicious of callers requesting user ID and password combinations, for instance. Similarly, one should be suspicious of anyone who offers too much or too little information. For example, a caller who asks for information but refuses to give any information that can be used to verify identity (such as an address or phone number) should be regarded as questionable.
   Well-trained employees may also be able to plant land mines to trap an unwary social engineer. Often social engineers know enough to pass a cursory inspection, but when asked more detailed questions they may begin to falter. For example, a caller to a tech desk who asks for a username and password may be able to provide the name of the department and the person for whom they supposedly work. If asked more probing questions about the organization, though, they may be unable to answer. In that case the social engineer may begin rushing or bullying the employee, trying a different tactic to elicit the prohibited information. Individuals who seem to be in a hurry, rushing through a conversation, may also be doing so in order to compel you to provide more information than you normally would. The essence of detecting social engineering ploys is the detection of abnormal behavior.
   The follow-on to the detection of abnormal behavior is the ability to act on it. Employees should feel empowered to deny information to anyone who is not using the approved channels or cannot verify their identity. Frequently, employees tend to feel that security is the province of the IT security team and not something with which they should be concerned. Additionally, they may not feel comfortable, for example, denying information or access to someone purporting to be a company executive. These attitudes lend themselves to exploitation.
   In addition to reading and reacting to these attempts, companies must be sure that all employees are made aware of them. Chances are a social engineer will try again and again until he or she finds someone who is susceptible. By documenting and communicating these attempts throughout the relevant departments in the organization, companies may be able to prevent an attack from succeeding. Such communication will also drive home the notion that everyone, not just the IT security group, is responsible for the data contained in the organization’s networks.
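   The three rules above (refuse anything that should never be given out by phone, verify identity against a record rather than against the caller’s own story, and log each attempt so the whole team hears about it) can be written down as a help-desk reset workflow. The following is an added illustration, not code from the article or from any organization it describes; the user directory, the employee IDs and phone numbers, the escalation threshold and the out-of-band delivery by e-mail are all constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional
import secrets
import time

# Constructed user directory standing in for the HR/identity system (hypothetical data).
DIRECTORY = {
    "jdoe": {"employee_id": "E-4471", "dept": "Accounts Payable",
             "phone": "+1-555-0101", "email": "jdoe@example.com"},
    "asmith": {"employee_id": "E-2209", "dept": "Treasury",
               "phone": "+1-555-0102", "email": "asmith@example.com"},
}

# Things a phone caller is never given, whoever they claim to be.
NEVER_DISCLOSE = {"password", "other_user_password", "user_id_list"}


@dataclass
class Request:
    """What the agent records from the call (every field is the caller's claim)."""
    username: str                              # account the caller wants acted on
    asks_for: str                              # "reset" or an item in NEVER_DISCLOSE
    claimed_employee_id: Optional[str] = None  # identity fact offered by the caller
    callback_number: Optional[str] = None      # number the caller wants called back
    pressure: bool = False                     # agent noted urgency, threats, name-dropping


@dataclass
class Outcome:
    action: str    # "deny" or "reset_out_of_band"
    reason: str    # what the agent tells the caller and writes in the ticket
    flagged: bool  # True when the call matched a social-engineering sign


class HelpDesk:
    """Verify-then-act policy with a shared log of flagged attempts."""

    def __init__(self, escalate_after: int = 3, window_s: float = 3600.0):
        self.escalate_after = escalate_after   # hypothetical threshold
        self.window_s = window_s
        self.flag_log = deque()                # (timestamp, username, reason)
        self.sent_tokens = {}                  # username -> (channel, one-time token)

    def _flag(self, username: str, reason: str, now: float) -> None:
        self.flag_log.append((now, username, reason))
        while self.flag_log and now - self.flag_log[0][0] > self.window_s:
            self.flag_log.popleft()

    def campaign_suspected(self) -> bool:
        """Repeated flagged calls in the window: brief every agent, not just the one hit."""
        return len(self.flag_log) >= self.escalate_after

    def handle(self, req: Request, now: Optional[float] = None) -> Outcome:
        now = time.time() if now is None else now
        record = DIRECTORY.get(req.username)

        # Sign 1: asking for sensitive information. Denied regardless of the story.
        if req.asks_for in NEVER_DISCLOSE:
            self._flag(req.username, "asked for " + req.asks_for, now)
            return Outcome("deny", "credentials are never disclosed by phone", True)
        if req.asks_for != "reset" or record is None:
            return Outcome("deny", "unknown account or unsupported request", False)

        # Sign 2: cannot (or will not) verify identity. The caller must match a
        # fact from the record, and the agent calls back only a number on record.
        if req.claimed_employee_id != record["employee_id"]:
            self._flag(req.username, "identity not verified", now)
            return Outcome("deny", "identity not verified; route through manager", True)
        if req.callback_number and req.callback_number != record["phone"]:
            self._flag(req.username, "callback number not on record", now)
            return Outcome("deny", "callback goes only to the number on record", True)

        # Sign 3: rushing or bullying is logged as a signal; it never overrides the checks.
        if req.pressure:
            self._flag(req.username, "pressure during reset", now)

        # Act: the agent never sees or reads out a secret. A one-time token goes
        # out of band to the address on record, so an impostor who talked their
        # way this far still gets nothing unless they also control that mailbox.
        token = secrets.token_urlsafe(16)
        self.sent_tokens[req.username] = (record["email"], token)
        return Outcome("reset_out_of_band",
                       "one-time reset link sent to " + record["email"], req.pressure)
```

   The design point is that the agent never has a secret to give away: the only successful path ends with a token sent to a channel the attacker does not control, and every refusal lands in a log that `campaign_suspected` turns into a department-wide warning once the same pattern repeats, which is the “document and communicate” step described above.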
   At the end of the day, one of the most effective tools against social engineering is instinct. Most people are blessed with the ability to tell when something just does not feel right. More often than not, that feeling is right. Although we’re often taught that in business we must depend upon hard facts and reliable data, intuition can be a useful tool in fighting attempts to circumvent security protocol. Learning to listen to that “feeling” and act on it appropriately can be crucial in managing an organization’s vulnerability to social engineering.
   While the impulse to offer assistance to our fellow man is admirable, it must be balanced against the likelihood that the individual in question possesses some malicious intent. It sounds cynical, but unfortunately as the value of data continues to increase, the chances of individuals participating in unsavory activities to obtain that data will increase apace.