September/October 2009
Focus: Information Systems & Security
Defending Against the Savvy and the Sneaky: Protecting Your Network From the Con Artist
By Raj Dandage
The cost of data security is on the rise, and data breaches are in the headlines daily. You’ve implemented the latest security technologies, run every vulnerability scan imaginable and spent thousands of dollars securing your network. But the weakest link in your security chain could very well be the person in the office down the hall or in the cubicle next to you. The human tendency to be helpful is what allows a con artist access to your organization’s information through a process known as Social Engineering. Read on to learn what you should be doing to thwart the attacks of the technically savvy or the just plain sneaky.
Anatomy of a Con
The first step for any imposter is to establish credibility in the mind of the victim. He or she will research your organization to develop background and learn the jargon necessary for the con. The research portion of the job may take several requests for information, each innocent enough on its own; used in concert, however, these bits of information eventually establish the credibility the imposter needs.
During a recent engagement at a client, we were asked to test the security awareness of employees by utilizing social engineering tactics. We were able to gain access to the client’s offices by walking in through the back door with a current employee, known as “piggybacking.” Our associate had a plausible story of an early morning meeting with a vice-president occurring before the receptionist was on duty to unlock the front door. Being very social, he asked the employee for directions to the VP’s office and then walked down the hall alone, sat down at a cubicle, plugged into an open network jack and acted as if he were working. He then proceeded to begin a conversation with a neighboring employee to help him access the network and received all of the access credentials he needed to infiltrate the system. Luckily, this particular example was orchestrated by a consultant specifically hired by management, but it’s a completely plausible scenario for someone with malicious intent.
This is just one of the many tactics that can be used by social engineers to breach your network. Other less dramatic, but more common examples of social engineering techniques are:
Phishing – This is a common technique involving a falsified e-mail or phone call that tricks people into providing certain information. A popular phishing tactic is to create a fake website and then send mass e-mails telling recipients to go to the website and update their information. If this e-mail came from what looked like your network administrator, how many of your employees would respond?
Dumpster diving – Far from glamorous, many social engineers begin their attacks by rummaging through the trash of your organization. Sensitive information is not always disposed of properly, so attackers can find a treasure trove of information useful in developing a false identity.
Plan of Defense
The first step in thwarting any attack is to determine which social engineering techniques could be used against your organization. A risk assessment will give you an understanding of where the threats reside and a view of the controls you have over access to information.
Once your assessment is complete, you will have insight into the areas where you can beef up your information disclosure policy and educate your employees about its use. This policy must clearly define who is allowed to access information and what type of sensitive information can be disclosed. It should include procedures for handling both customer information and information about your organization. It is also important that the policies and procedures be written down so that they can be used in training and referenced easily. During the education process, stress to all employees that asking callers and visitors to verify who they are and why they need the information is not rude but required to ensure that privileged information is kept safe. The written step-by-step documentation will help employees who may feel uncomfortable challenging something that looks unusual.
Also, don’t forget about policies regarding the physical security of the organization. Train all employees to ask for identification from anyone they do not recognize, and require that visitors be escorted by an employee at all times. Areas where equipment containing sensitive information is stored should be locked down, and only those who need access to perform their job duties should be allowed in.
Don’t let your hard work go to waste.
Lastly, all of this education and training will go to waste if you don’t monitor how you’re doing. Check annually that the policies and procedures you have put into place are being followed. Perhaps include a social engineering review as part of your internal audits. Remember, a policy is only as good as the people who adopt and enforce it.
Raj Dandage is lead architect with the WolfPACsm Solutions Group of Wolf & Company, P.C. He can be reached at 978-590-6817 or www.wolfpacsolutions.com.
Unauthorized reproduction of all or part of this material without the express written consent of the author is strictly prohibited. All rights reserved.
