Social engineering attacks: Is security focused on the wrong problem?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://searchsecurity.techtarget.com/feature/Social-engineering-attacks-Is-security-focused-on-the-wrong-problem

Malicious social-engineering attacks are on the rise and branching out far
beyond simply targeting the financial sector. While some organizations
develop employee-awareness training or solicit pen testing, or use some
combination of the two, these preventive tactics can only go so far.

Adopting a "know thy data" approach -- in terms of what it is, how valuable
it is and where it is -- and then focusing on securing it may be the key to
surviving the relentless onslaught of attacks.

Remember the ancient Greeks' "gift" horse to the city of Troy? While a
social-engineering attack is by no means new, today this highly effective
tool snares its victims through phishing, elicitation and impersonation.

"We freely give out information on the Web in the form of social media,
over the phone or just to strangers -- often without realizing we've just
handed an attacker tiny bits of info that can wreak havoc," said Chris
Hadnagy, chief human hacker, president and CEO of Social-Engineer Inc., a
firm specializing in social-engineering services and training.

Anyone -- even pros -- can become a victim of a social-engineering attack.
"It's nearly impossible to detect you've been socially engineered," said
Daniel Cohen, head of knowledge delivery and business development for RSA's
FraudAction group, who says malicious social engineering is one of the
biggest problems for security. "As long as there's a conscious interface
between man and machine, social engineering will always exist."

Money is the main reason malicious social engineering is so pervasive. In
October 2013, RSA identified more than 62,000 phishing attacks, which
raised the bar in terms of number of attacks carried out within a single
month. The median takedown time for attacks is 12 hours -- worth roughly
$300 each hour. During October 2013 alone, phishing attacks netted $233
million.

And it's easy money. On the underground market, you can buy a spam service
to blast out 500,000 emails for a mere $75. "Of those 500,000 recipients,
some people will inevitably send Bitcoins or whatever you're asking for,"
said Cohen. "It's why we're seeing mind-blowing losses on the order of
hundreds of millions globally to phishing."

New targets emerging

While phishing has traditionally plagued the financial sector because it's
easy to commercialize and sell financial credentials, attackers are now
branching out to target mobile and gaming platforms, as well as airlines'
frequent flier mile programs.

Perhaps most disturbing of all, healthcare is emerging as a target because
the value of medical data is slowly increasing on the underground market.
"The vast majority of attacks, however, still target financial
institutions," Cohen said.

One factor behind the expansion of phishing attacks is that, thanks to
underground sites on the dark Web, fraudsters from all over the globe have
a way to connect and collaborate anonymously. They frequently solicit
partners with social-engineering skills, as shown in the figure below, to
help fill in the missing pieces of identities, which they can then turn
around and either use or sell.

Art and science of manipulation

Educating employees about the dangers of a social-engineering attack is
important, and companies should provide active awareness training. "Simply
having staff sign a social-media policy or code of conduct doesn't mitigate
the risks or create adequate awareness," said Nejolla Korris, CEO of
InterVeritas International, which specializes in social-engineering
awareness and lie-detection training.

What should employee training impart? For starters, awareness of what
phishing, elicitation and impersonation look like and how they're used.

It's important for employees to understand how a social-engineering attack
is tied to psychology and human nature. "The ability to discover what
individuals' sensitive spots are and target them by tapping into the good
nature of human beings makes the work of social engineers much more
effective," Korris said.

Another aspect of employee training is learning how to mitigate problems
when they occur, according to Social-Engineer's Hadnagy. Many companies
still lack a person or department to route any suspicious email or phone
calls to.

"It's critical to have a place to report these events, before it turns into
a mess," said Hadnagy. "It's also important to remove the fear of being
fired. When employees feel good about reporting incidents, companies can
mitigate the effects of social engineering much faster."

Social-engineering pen tests can also reveal surprising vulnerabilities as
well as provide awareness on a more personal level.

"The biggest portion of any social-engineering pen test we do is
information gathering; more than 50% of our time goes into it. And we
gather everything," said Hadnagy. "Social media makes it easy. We go to
LinkedIn, Myspace, Facebook, Twitter or the hundreds of other social-media
sites to see what they've put out on the Web publicly."

LinkedIn is "a dream tool for social engineers, because many people post
their entire professional histories and rarely use any privacy settings,"
said Korris. "It has very few filters, and unless you've made a conscious
effort to hide it, your information is there for anyone to see."

What, specifically, are social engineers looking for? "How people use their
corporate email addresses, how they spread the message about their likes,
dislikes, favorite restaurants, kids, all those things," explained Hadnagy.
"A malicious attacker will search for weaknesses, which generally involve
something you like or enjoy because you're more prone to click a link or
allow a person access to you if it's something you're in tune with."

One bank manager had a Facebook profile with 796 photos of herself with a
drink in her hand, and another 398 photos of herself in a bikini. That's a
"weakness" that can be easily exploited, according to Korris. "This bank
manager also posted her birthdate, photos of her Escalade, and her driver's
license," she said. "For someone required to maintain the privacy of her
clients, she showed no discretion on Facebook." And it gets worse: The
bank's corporate logo appears next to her Facebook profile, along with
photos of the bank staff, all tagged of course.

Information that may seem benign can literally open the door to social
engineers. "We were able to infiltrate a company because we called up and
someone told us who their waste disposal vendor was," said Hadnagy. "A few
days later, after we had a couple of hats and shirts made with that
vendor's name, they let us right in," he added. "All from a one simple
piece of information given out over the phone -- no verification that we
were who we said we were."

Hadnagy and his colleagues use their audit findings to help educate
companies. "Having a third party come in and 'go to town' on your people
and network to see where the vulnerabilities exist is a huge benefit," he
said. "At the end of our pen tests, we'll show you the spear-phishing
emails and the phone calls we used, as well as the impersonations. We teach
what worked and why, what failed and, especially, what to do when they
fail."

Not everyone agrees about the extent to which training can help fight
social engineering, because at some levels you're dealing with highly
motivated pros. "At the corporate level, user awareness and training about
social engineering won't have the same impact," said RSA's Cohen. "Pro
attackers use incredible strategic detail, and attack statistics reveal
that many companies only discover they've been attacked after a third party
warns them they're seeing odd things."

Look beyond the front door

While it's helpful to understand that social engineering is one of the key
techniques attackers use, what's the commonality of all attacks? Data theft.

A "know thy data" approach to dealing with social engineering presumes that
a talented social engineer can get past whatever controls you put in place
-- so why not model these threats against your data? It's not easy to do,
but it's becoming necessary.

"The thing you're not watching is what gets you into trouble. In this case,
data," said John Kindervag, Forrester Research vice president and principal
analyst serving security and risk professionals. "We don't know what or
where our data is, so we wander around the edges of our networks putting in
random protection."

Knowing how many digital intrusions you've had and whether you've lost data
is critical, yet many companies "simply can't answer that question because
they've been staring at the front door -- social engineering -- for so long
that they haven't looked to see if anyone's ripped the big screen TV off
the wall," he said.

The question we should be asking is: Is my data being breached right now?

Security teams should understand their data well enough to know how it
should flow, and then look to see if it's moving outside of that pattern.
"The answer to social engineering is to change the focus from trying to
prevent social engineering to ensuring you have a way to validate that your
data isn't being exfiltrated to a malicious actor right now," Kindervag
said. Ultimately, teams should watch every data egress point and constantly
monitor all of them for the exfiltration of proprietary and toxic data. "If
you don't know where your data can egress, then you're in trouble," he
warned.

Don't concentrate your security efforts solely on the Internet; also focus
on wireless networks, which tend to be poorly secured. Traditional
wide-area networks are also at risk. "WANs are considered to be secure
private networks," said Kindervag, "so attackers will hit the places you
consider to be secure."

Companies also need to look closely at internal users, he added. "A certain
percentage of them are likely malicious actors who've been bribed to
provide toxic data to a competitor or are moles sent in to do
cyberespionage."

Changes ahead

To cope with social engineering, network security will eventually need to
become less reliant on human behavior -- delinking users from any conscious
authentication.

"Analytics are helping us look at behavior in the background to try to
understand the context of movements within the network," said Cohen. "But
big data and analytics can help us delink the human conscious behavior. By
looking at the behavior, where the data is traveling and who's talking to
whom, we can use that behavior to know if we've been targeted or attacked."

It's also time to move beyond passwords, which can be socially engineered
with the simplest phishing attack. Even using two-factor authentication
with an ID token is not enough. "If someone's infected your machine with
malware, they can request your token code with a screen that looks
completely legit," noted Cohen. "This is an important piece of the puzzle;
we can't base two-factor authentication on conscious human behavior."

Apple has already ventured into biometric authentication via fingerprinting
for the iPhone, but by combining it with other authentication parameters,
in the future it may become possible to form an authenticated identity that
can't be socially engineered.

Another big frontier to watch is the Internet of Things as it rolls out in
cities. Keep in mind that as soon as your light bulb, or for that matter
anything inside your house, has an IP address, it automatically becomes
part of an attack surface. "The Internet of Things is really more the
'Internet of IP addresses,'" Kindervag noted.

The bottom line is that you can fight against a social-engineering attack,
but social engineering isn't going away. As Michele Fincher, chief
influencing agent at Social-Engineer, sums it up: "Many of the decisions we
make come from basic human nature and behavior, and we're reacting as
humans react. Good social engineers really understand how to work with
that, and it's something technology can't keep you safe from."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!