December 2003

Issue 4


 Featured Story

The Weakest Link: Social Engineering

We’ve met the enemy and it’s us

by Mark Richardson, CTO, Medical Records Company

To demonstrate how easily security breaches happen, I asked our department heads to attend a meeting on social engineering. Much to their dismay, I explained how within 30 seconds I could break into our system and gain mid-level access to our (then) state-of-the-art system by making one phone call, without using my access code.

They didn’t believe me; they didn’t want to believe the veil of security could dissolve so quickly. So I showed them how it’s done. Randomly, I selected one of the department managers, making sure I did not know her personally. I chose Kelly Blake, who happened to be late to the meeting.

I called Kelly and said, “Hi, this is Peter Livingston from the computer department, have you noticed your computer slowing down recently?”

“Who are you?”

“Oh, I’m Mark’s assistant. He asked me to check with everyone regarding the recent slowdown of our filing system. Did you notice anything slowing down?”

“Well, it did seem rather slow the other day.”

“OK, hang on, I’m going to log onto your terminal, now your user name is kblake?” I gave the person’s name with first initial before the last name.

“No, it’s kblakey.”

“Ah, thanks. Sorry I’m still new here, OK. Hang on, oh, what’s your password?”

“sam89,” she replied.

“Thanks, now Kelly, would you please come to the security session meeting you were scheduled for. You just allowed a total stranger access to the system.”

She was embarrassed, but she managed to keep her job.

Before you read anything else in this article, if you are a CTO, try doing this now ...

Finished?

I’m willing to bet at least 70% of you gained one of two things: 1) user name, or 2) password. This is the oldest social engineering trick in the book, and it is still used successfully.

You may have every firewall known to mankind, every password scheme, biometrics, and Shavlik’s products on your server, but you can still be defeated and thrown out on the street by the weakest link, and that is on a good day. People can actually die on a bad day.

As a CTO of a medical records software development company, what I’m about to share with you should, I hope, keep you employed and prevent deadly access.

Grab a beverage and pay close attention as we examine our enemy, the weakest link. Years ago in the comic strip Pogo, the hero chases a swamp monster’s footprints in the mud. After several days of walking in circles, the footprints are identified. The hero says the now-classic line, “I have found the enemy and it is us.”

Let us examine the various types of weak links and how to overcome them.

Type 1 - The clueless savant

Like the absentminded professor, these folks are brilliant but lacking in common sense. They know nothing about computers. They might be executives or brilliant PhDs. They’re the ones that write passwords on a sticky note, attaching it to the monitor. When they lose the sticky note, they’ll call you on their 900 MHz cordless phone or cellular and ask, “What’s my password? Is it ‘cow’?” To keep things easy to remember, they list their password in the address book under the obvious, “Password,” or as an item featured on their to-do list. These folks believe they would never lose their PDA, yet misplacing the keys to their Mercedes happens all the time.

They are known for classic moves like writing their PIN on their bank card.

I would love to say that “We can make the system clueless-proof,” but once you claim that, along comes a better clueless user. These people make your system vulnerable, but thankfully, you can put safeguards in place to get them up to speed.

Type 2 - The regular user

These people know about security and would never give out their password. They know the rules and stick to them. However, being human, exposures happen. For example, they leave their work session open to go to the printer to grab the budget printout. Along the way, they get distracted and end up talking half-an-hour about last night’s ball game.

When their password-protected screensaver, the one that kicks in every three minutes, gets annoying they think nothing of disabling it. These people are a little harder to convince that there’s a security risk. They are skeptical and have a hard time believing that anyone else would be in the office, pass by their desk, or even look at their screen to gather secure information while they work. They could never imagine someone using this information as an open door into the network. Proper paranoia hasn’t set in, yet.
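One defender-side fix for the disabled screensaver described above, as an added example that is not from the original article: on Windows, the screen-saver values under the per-user Policies hive override the user-editable Control Panel settings, so the user can no longer switch the lock off. The registry path and value names below are the standard policy locations; the 180-second timeout mirrors the three minutes the article mentions, and running it in the user's session (or deploying the same values via Group Policy) is an assumption.

```powershell
# Added example (not from the article): enforce a password-protected screen lock
# through the per-user policy hive, which wins over the user-editable
# HKCU:\Control Panel\Desktop values that a "regular user" would otherwise change.
# Assumes Windows with PowerShell, run in the user's session or deployed via GPO.

$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Policy values and the settings we require (all are REG_SZ strings).
$Required = @{
    'ScreenSaveActive'    = '1'                                      # enable the screen saver
    'ScreenSaverIsSecure' = '1'                                      # require a password on resume
    'ScreenSaveTimeOut'   = '180'                                    # idle seconds before lock (3 minutes)
    'SCRNSAVE.EXE'        = "$env:SystemRoot\System32\scrnsave.scr"  # force a known screen saver
}

function Set-ScreenLockPolicy {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Required.Keys) {
        Set-ItemProperty -Path $PolicyPath -Name $name -Value $Required[$name] -Type String
    }
}

function Test-ScreenLockPolicy {
    # Returns a list of findings; an empty list means the policy is fully enforced.
    $findings = @()
    if (-not (Test-Path $PolicyPath)) {
        return @("Policy key missing: $PolicyPath")
    }
    $actual = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $Required.Keys) {
        $prop = $actual.PSObject.Properties[$name]
        if ($null -eq $prop) {
            $findings += "$name not set"
        } elseif ("$($prop.Value)" -ne $Required[$name]) {
            $findings += "$name is '$($prop.Value)', expected '$($Required[$name])'"
        }
    }
    return $findings
}

Set-ScreenLockPolicy
$problems = Test-ScreenLockPolicy
if ($problems.Count -eq 0) { 'Screen lock policy enforced.' } else { $problems }
```

Test-ScreenLockPolicy can be scheduled on its own as an audit: any finding it returns means someone or something has undone the lock setting since it was applied.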

Type 3 - The advanced user/hacker

Some of them you know, but some of them on the other hand, keep their hacking[1] a secret. These trusted individuals have high level security access to your system, yet they do astoundingly stupid things like warehouse 4,000 porn images in a secret directory on a remote server (yes, it has happened to us). The types of damage they do depend on their degree of frustration with the organization.

Type 4 - The criminal

These people purposely try to access your resources. Sometimes they work alone, but in a large organization they can work in groups and are often closely tied to one of three areas: Warehouse/Shipping, I.T. and data entry, or finance. Their motivations might be low level like corporate espionage or high level like payroll access. They can go unnoticed, draining your company for years, because their efforts are well-coordinated.

The Social Engineer Comes in All Ages

Social Engineer profiles vary. I’d like to say it excludes the very young whose voices have yet to change, but it doesn’t. Don’t believe it? Then you’ve never met a disgruntled or curious teenager, especially one whose Dad or Mom works in a high tech company. And, surprisingly, one whose helpful parent has loaned the kid a notebook to use for homework.

“My child would never do that!” you say. You’re right, your child might not, but his friend from school would love to play around a bit. Remember that when they hand you a pink slip.

The types of Social Engineers come from a broad spectrum. Back in the ‘90s, when I owned Internet retail stores, one middle-aged man came into an office and scooped up a memo with a password written on it. Using that, he remotely gained access into our mail server. We tracked him down. But we also had to tell about 200 disgruntled clients that their email and user accounts had been compromised.

His reason for doing it? He wanted to see if he could. I call this the “locked door syndrome.” Lock a door and tell everyone that it is off-limits. Curiosity gets the best of some people and they will try to open the door and take a peek.

Serve and Protect

It’s up to us to help our organizations. Serve and protect your organization against stupidity, gullibility, curiosity, or outright criminal intent. Create training and awareness programs that involve the entire organization and repeat them on a regular basis. User education, awareness, and accountability are the key to strengthening the weakest link.


[1] The terms hacking and cracking are used interchangeably in this article


Sponsored by Shavlik Technologies
Copyright © 2003 InternetVIZ, LLC. All rights reserved.