The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers


Authors: Kevin D. Mitnick, William L. Simon


Chapter 10 Social Engineers -- How They Work and How to Stop Them

Guidelines for Training

Following are some guidelines for training:

Raise awareness that social engineers will almost certainly attack their company at some point, perhaps repeatedly.

There may be a lack of general awareness that social engineers constitute a substantial threat; many are not even aware that the threat exists. People generally don't expect to be manipulated and deceived, so they get caught off guard by a social engineering attack. Many Internet users have received an email purportedly from Nigeria that requests help in moving a substantial amount of money to the States; they offer a percentage of the gross for this kind assistance. Later, you're requested to advance some fees to initiate the transfer process, only to be left holding the bag. One lady in New York recently fell for the scam and "borrowed" hundreds of thousands of dollars from her employer to advance the fees. Rather than spending time on her new yet-to-be-purchased yacht, she is facing the prospect of sharing a bunk bed in a federal detention facility. People really do fall for these social engineering attacks; otherwise, the Nigerian scammers would stop sending the emails.

Use role-playing to demonstrate personal vulnerability to social engineering techniques, and to train employees in methods to resist them.

Most people operate under the illusion of invulnerability, imagining they're too smart to be manipulated, conned, deceived, or influenced. They believe that these things only happen to "stupid" people. Two methods are available to help employees understand their vulnerability and make them true believers. One method involves demonstrating the effectiveness of social engineering by "burning" some employees prior to their participation in a security awareness seminar, and then having them relate their experiences in class. Another approach is to demonstrate vulnerability by analyzing actual social engineering case studies to illustrate how people are susceptible to these attacks. In either case, the training should examine the mechanism of the attack, analyzing why it worked, and then discussing how such attacks can be recognized and resisted.

Aim to establish a sense in the trainees that they will feel foolish if manipulated by a social engineering attack after the training.

Training should emphasize each employee's responsibility to help protect sensitive corporate assets. In addition, it's vital that the designers of the training recognize that the motivation to follow security protocols in certain situations only grows out of an understanding of why the protocols are necessary. During security-awareness training, the instructors should give examples of how the security protocol protects the business, and the harm that could befall the company if people ignore them or are negligent.

It's also useful to emphasize that a successful social engineering attack may jeopardize the personal information of the employee and his or her friends and associates in the company. A company's human resources database may contain personal information that would be extremely valuable to identity thieves. But the best motivating factor may be that no one likes to be manipulated, deceived, or conned. As such, people are highly motivated not to feel foolish or stupid by falling for some scam.

Programs for Countering Social Engineering

Following are some basic points to consider when designing programs:

Develop procedures for employee actions when a social engineering attack is recognized or suspected.

The reader is referred to the extensive handbook of security policies provided in The Art of Deception. These policies should be considered as a reference; take what you need and leave the rest. Once the company's procedures have been developed and put into use, the information should be posted on the company's intranet, where it is quickly available. Another excellent resource is Charles Cresson Wood's treatise on developing information security policies, Information Security Policies Made Easy (San Jose, CA: Baseline Software, 2001).

Develop simple guidelines for employees, defining what information the company considers sensitive.

Since we process information in heuristic mode much of the time, simple security rules can be designed to raise a red flag when requests are made involving sensitive information (such as confidential business information like an individual's password). Once an employee recognizes that sensitive information or some computer action has been requested, he or she can refer to the security policy handbook on the company intranet Web page to determine the correct protocol or procedures to follow.

In addition, it's important to understand and to convey to employees that even information not considered as sensitive may be useful to a social engineer, who can collect nuggets of seemingly useless information that can be joined to provide information for creating the illusion of credibility and trustworthiness. The name of the project manager on a sensitive company project, the physical location of a team of developers, the name of the server that a particular employee uses, and the project name assigned to a secret project are all significant, and each company needs to weigh the needs of the business against the possible threat to security.

These are just a few of the many examples of seemingly unimportant information that can be of use to an attacker. Scenarios such as those in The Art of Deception can be useful in conveying this notion to trainees.

Modify organization politeness norms -- It's okay to say "no"!

Most of us feel awkward or uncomfortable saying "no" to others. (A product now on the market is designed for people who are too polite to hang up on telemarketers. When a telemarketer calls, the user presses the * key and hangs up; a voice then says to the caller, "Pardon me, this is the Phone Butler and I have been directed to inform you that this household must regretfully decline your inquiry." I love the "regretfully." But I think it an interesting commentary that so many people need to buy an electronic device to say "no" for them. Would you pay $50 for a device that saves you the "embarrassment" of saying "no"?)

The company's social engineering training program should have as one of its goals the redefining of the politeness norm at the company. This new behavior would include politely declining sensitive requests until the identity and authorization of the requestor can be verified. For example, the training might include suggesting responses on the order of, "As employees of Company X, we both know how important it is to follow security protocols. So, we both understand that I'm going to have to verify your identity before complying with your request."

Develop procedures to verify identity and authorization.

Each business must develop a process to verify identity and authorization of people requesting information or actions from employees. The verification process in any situation will necessarily depend on the sensitivity of the information or action being requested. As with many other issues in the workplace, the security needs must be balanced against the business needs of the organization.

This training needs to address not just the obvious techniques but subtle ones as well, such as the use of a business card by Whurley to establish his credentials. (Recall the title character played by James Garner in the 1970s detective series The Rockford Files, who kept a small printing press in his car so he could print up an appropriate business card for any occasion.) We provided a suggestion for the verification procedure in The Art of Deception.[2]

Get top management buy-in.

This is, of course, almost a cliché: Every significant management effort starts with the awareness that the program will need management support to succeed. Perhaps there are few corporate efforts in which this support is more important than security, which daily grows more vital, yet which does little to further corporate revenues and so often takes a back seat. Yet, that fact only makes it all the more important that a commitment to security start from the top.

On a related note, top management should also send two clear messages on this subject. Employees will never be asked by management to circumvent any security protocol. And no employee will get into trouble for following security protocols, even if directed by a manager to violate them.

On a Lighter Note: Meet the Manipulators in Your Own Family -- Your Children

Many children (or is it most?) have an amazing degree of manipulative skill -- much like the skill used by social engineers -- which in most cases they lose as they grow up and become more socialized. Every parent has been the target of a child's attack. When a youngster wants something badly enough, he or she can be relentless to a degree that at the same time is highly annoying, but also funny.

As Bill Simon and I were finishing this book, I was witness to a child's full-bore social engineering attack. My girlfriend Darci and her nine-year-old daughter Briannah had joined me in Dallas while I was there on business. At the hotel on the last day before catching an evening flight, Briannah tested her mother's patience by demanding they go to a restaurant she had chosen for dinner, and threw a typically childish temper tantrum. Darci applied the mild punishment of temporarily taking away her Gameboy and telling her she could not use her computer games for a day.

Briannah put up with this for a while, then, little by little, began trying different ways of convincing her mother to let her have her games back, and was still at it when I returned and joined them. The child's constant nagging was annoying; then we realized she was trying to social engineer us and started taking notes:

"I'm bored. Can I please have my games back." (Spoken as a demand, not as a question.)

"I'll drive you crazy unless I can play my games." (Accompanied by a whine.)

"I won't have anything to do on the plane without my games." (Spoken in a tone of "Any idiot would understand this.")

"It would be okay if I played just one game, wouldn't it!?" (A promise disguised as a question.)

"I'll be good if you give me my game back." (The depths of earnest sincerity.)

"Last night I was really good so why can't I play a game now?" (A desperate attempt based on muddled reasoning.)

"I won't do it ever again. (Pause.) Can I play a game now?" ("Won't ever do it again" -- how gullible does she think we are?)

"Can I have it back now, please?" (If promises don't work, maybe a little begging will help . . . )

"I have to go back to school tomorrow, so I won't be able to play my game unless I can get started now." (Okay, how many different forms of social engineering are there? Maybe she should have been a contributor to this book.)

"I'm sorry and I was wrong. Can I just play for a little while?" (Confession may be good for the soul but may not work very well as manipulation.)

"Kevin made me do it." (I thought only hackers said that!)

"I'm really sad without my game." (If nothing else works, try looking for a little sympathy.)

"I've gone more than half the day without my game." (In other words, "How much suffering is enough suffering?")

"It doesn't cost any money to play." (A desperate attempt to guess at what her mother's reason could be for extending the punishment so long. Bad guess.)

"It's my birthday weekend and I can't play my games." (Another pitiful grab for sympathy.)

And continuing as we prepared to head for the airport:

"I'll be bored at the airport." (In the forlorn hope that boredom would be considered a fearsome thing to be avoided at all costs. Maybe if Briannah got bored enough, she might try drawing pictures or reading a book.)

"It's a three-hour flight and I'll have nothing to do!" (Still some hope she might break down and open the book that had been brought along.)

"It's too dark to read and it's too dark to draw. If I play a game, I can see the screen." (The forlorn attempt at logic.)

"Can I at least use the Internet?" (There must be some compromise in your heart.)

"You're the best mom in the world!" (She is also skilled at using compliments and flattery in a feeble attempt to get what she wants.)

"It's not fair!!!" (The final, last-ditch effort.)

If you want to increase your understanding of how social engineers manipulate their targets and how they move people from a thinking state into an emotional state . . . just listen to your kids.
