Wednesday, April 22, 2009

Social Engineering, an Innate Human Quality

The stated tenets of data security, confidentiality, integrity and availability, pervade the titles of networking books. There has evidently been a sudden awakening to the importance of data security, and to how little of it there is. Operating systems, applications, networking and internetworking devices are being examined for vulnerabilities. Threats and risks are no longer ignored. New specializations are being created. A few years ago anti-virus installation and updates were an add-on.

Today it is a full-time responsibility in the world of networking. Firewalls and gateways are being built for the daunting cat-and-mouse game of malware detection and eradication. Viruses are given names that spell trouble: multipartite, polymorphic, phage, stealth, retro. Intrusion detection systems, intrusion prevention systems and honeypots are fine-tuned to provide a comfort zone for the networking professional. These devices can no longer be of the one-size-fits-all variety. IDSs are classified as network-based, host-based, signature-based, anomaly-based, and the list goes on. More resources are now consumed for protection than for the data exchange being protected.

I am comfortable with the fact that this emphasis is placed on data security, but still concerned with the non-acceptance of the need for user training. I believe that no security device (read: machine) can ever defeat the creativity and manipulative ingenuity of the human brain. Developers are still working on artificial intelligence. We are born with it. The human's ability to reason, question, debate, infer, deduce, pretend, deceive and mislead can never be curtailed by a box running an IOS and some man-designed algorithms. Encryption technologies are competing with human intelligence. We've gone from being comfortable with 56-bit encryption to 128, 192 and 256 bits. Ciphers are stream, block, substitution, transposition, symmetric, asymmetric, yet with time they quickly become susceptible. The much-touted WPA for WLANs felt that blow last week.

The common factor that seems to defeat the attempts to create a secure network environment is human behavior. Means, opportunity and motive are all that is needed. Of the three, opportunity prevails. Most people have the means, some people have motives. Because of the growth in internet access, more and more people have the opportunity. I remember a few thousand weeks ago very few employees needed internet access to perform their duties. As a matter of fact, I could count the number of people who spoke about computers. Today it's just understood. The world's population becomes more computer-savvy each day. The computer's processing power increases because of our ability to learn and improve. Way too much acclaim is given to the PC with little or no recognition of the human mind behind its growth. Viruses, worms and Trojan horses are all man-made. We are therefore in a battle with our own intelligence. It is therefore essential to recognize that in order to create a safer networking environment we must begin by addressing or influencing human behavior. The one attack that will never be stopped is social engineering. Our goal as security personnel is to mitigate threats. Can we truly mitigate the threat of social engineering without addressing behavior? I say a resounding no.

Social engineering is an innate human quality or skill. We are exposed to it in our everyday lives. Any parent would agree that kids, especially teenagers, are master social engineers. They frame questions knowing the result they want. They extract information with questions that seem to be casual chatter. My daughter has manipulated me into an action that was beneficial to her, I am ashamed to say, numerous times. The network attacker has that ability. He or she is not going to study UNIX or learn C++ to compromise your network. He or she looks for the most vulnerable target, the "low-hanging fruit". The most vulnerable entity on a network is the user, trained and untrained. We can, however, create a more secure environment if we erase some human habits through training.

I remember visiting a doctor's office and hearing the receptionist openly repeating confidential information on the phone. I've seen IP addresses stuck to the monitor in a New York bank. A friend of mine, a New York cab driver, told me that he could be a social engineer with the conversations he overhears in his cab. Recently I did a training class at one large client location; there were a number of PCs in the training room. I was given access to one PC. On that PC I had access to an open email account and read what I know were confidential emails of, get this, a manager.

Employees and employers need to be trained in the art of social engineering. The attacks are carried out by telephone, online, through dumpster diving and by shoulder surfing. One attack that is almost always successful is the reverse social engineering attack, in which the attacker creates or announces a problem and positions himself as the person who can fix it, so that the victim initiates the contact and volunteers the information. The employer needs to ensure that the end user is aware of the new trends. Helpdesks are a favorite target for the social engineer. Most helpdesks are staffed with entry-level IT professionals. Not a great amount of emphasis is placed on training because helpdesk positions are normally stepping stones. A helpdesk does just that: help! If they are not educated, they will help. The attacker may be aware of the quick turnover at, say, ABC Corp. because he worked there before. I spoke earlier about the receptionist at the doctor's office; such staff need to be trained not only on Word or Excel, but also on social engineering attacks.

Although we have moved positively in the direction of software and hardware testing and design, we are still behind in the most vulnerable area of the network: our staff. Employers need now more than ever to reinforce their security posture by demanding and supporting user awareness training. Policies can no longer be a static, four-hundred-page document that is only seen during the hiring process. Policies must be current, always available and enforced. Employees must be educated as to the need for security, the effect of a compromise on their jobs, compliance issues and the repercussions of non-compliance.

An untrained staff will defeat any security policy. Security training should be given as much or even more attention than procuring expensive equipment. Mobility has increased the availability of network resources. Today's network creeps into the Starbucks, the airport, hotels and homes. Users are given access to more and more private information. Devices like laptops, PDAs and phones store sensitive information that travels with the user. The attacker no longer has to gain physical access to the enterprise network. It is therefore imperative that the playing field be evened by making the user aware of the sensitivity of their work environment.

My hat is off to the organizations that have already seen the relevance of employee training. Banks, hospitals, small business owners and the military have upped the ante for staff. My hope is that the practice does not end with the worker or student attaining a certification. Numerous students of security have said that the knowledge they gained would not significantly affect the status quo at work. Information transfer should be encouraged, and users should be rewarded for compliance. Again I stress that for any security policy to be successful, we must affect human behavior.
