
How to help protect your organization from social engineering attacks

Michelle Fincher, Social-Engineer, Inc.

2-June-2015

Training and policies that take into account human nature.

In addition to co-authoring Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails, Michelle Fincher, chief influencing agent at Social-Engineer, Inc., is a pen tester and course trainer, so she has been involved in all three typical attack vectors used by social engineers: phishing, spear phishing and vishing. She is speaking at SC Congress Toronto.

“It’s a problem because of who we are as human beings… not necessarily due to technology,” she said. “Technology is great and important, as is policy. Without the human factor and knowing mistakes people make, it doesn’t work the way you expect.”

One example is the RSA breach a few years ago, in which a human overrode both technical and policy controls.

“If you’re not aware of what bad guys are doing, and human behavior, you’re not covering everything,” said Fincher. “We need to understand how humans make decisions and mistakes. I help our company help our clients cover those factors. Even going so far as what they post on social media, and what that provides an attacker.”

As emotional creatures, humans don’t make good rational decisions; if we did, we would decide based on facts, and we almost never do that.

Human decision making is a large factor in security. A lot of companies don’t realize they are placing their employees in a position to affect the security of the company, and employees are seldom prepared for that.

Perhaps you’ve had to sit through one horrible annual security training session of cheesy videos and CBTs, after which you’re expected to make the right decisions – after one hour of training a year.

“Ours is brief and consistent and short, to respect people’s time,” Fincher said. “I’d say 99% of people don’t have jobs that include security. If you make security difficult, you’re creating problems. I also think it’s problematic that if someone fails training, it’s punishment to send them for more training.”

For example, if you click on an attachment during a test, you are brought to a consistent, brief and painless message that makes you think about security without making it feel like a hassle.

For greatest effect, pen testing goes hand in hand with education. Action based on something you’ve been taught becomes personally relevant. Fincher offers an example…
“Suppose you take someone off the street and ask, ‘do you want to learn how to punch?’ If you do the education without a framework it’s not nearly as effective. If you get someone who’s been punched they understand. Testing is important, because you’ll be asked to demonstrate your knowledge. Without follow-up education they don’t know what they did wrong.”

Vishing is voice phishing: solicitation over the phone. The Rogers Communications breach was a vishing attack. The attacker found the name of a mid-level manager, then called Rogers IT support, saying they needed to set something up and needed the answers to that manager’s security questions. Then someone else called back claiming to be that manager, already knowing the answers to the security questions.

“Vishing can be used to gain information for an attack,” said Fincher. “You can get a sense of systems and internal language used in an organization. At DefCon we run a contest in which contestants call and are awarded for every flagged bit of info they manage to get from that call.”

Humans also tend to believe information or a message that comes from multiple sources. Franco-phoning, for example: a woman received a phishing email that said “please take care of this invoice immediately.” She then received a phone call from a man, pretending to be an executive, telling her to open that invoice immediately.

“It would work the other way as well – if a phone call is placed to a company and says they’ll follow up with an email, even though both are illegitimate,” Fincher noted.

That goes back to policies: what information is OK to give out over the phone? How do you verify callers?

“You’ve placed your staff in a difficult position. Most people want to be helpful. Policy needs to be: without verification, I can’t give you that information. Call a checkout person at your local drugstore… are they prepared to say ‘sorry, I can’t do that’?”

While you don’t want your staff rude and mean, you do want them comfortable asking for verification. Fincher once got into a badged facility posing as a singing telegram.

Did she have to sing?

“Yes. And I’m a really horrible singer, clearly I’m NOT a singing telegram, and yet they bought the story. My boss and I do these engagements regularly. And we play to stereotypes, so the man is typically the boss. We’d gotten in using several different pretexts, so we thought we’d try this one as a laugh. Sure enough, it worked. As a whole those at the company we were testing were nice and helpful people. Unfortunately that’s what makes them vulnerable.”