Authors: Kevin D. Mitnick,William L. Simon
Chapter 10 Social Engineers -- How They Work and How to Stop Them

Guidelines for Training

Following are some guidelines for training:

Raise awareness that social engineers will almost certainly attack their company at some point, perhaps repeatedly.

There may be a lack of general awareness that social engineers constitute a substantial threat; many are not even aware that the threat exists. People generally don't expect to be manipulated and deceived, so they get caught off guard by a social engineering attack. Many Internet users have received an email purportedly from Nigeria that requests help in moving a substantial amount of money to the States; they offer a percentage of the gross for this kind assistance. Later, you're requested to advance some fees to initiate the transfer process, only to be left holding the bag. One lady in New York recently fell for the scam and "borrowed" hundreds of thousands of dollars from her employer to advance the fees. Rather than spending time on her new yet-to-be-purchased yacht, she is facing the prospect of sharing a bunk bed in a federal detention facility. People really do fall for these social engineering attacks; otherwise, the Nigerian scammers would stop sending the emails.
Use role-playing to demonstrate personal vulnerability to social engineering techniques, and to train employees in methods to resist them.

Most people operate under the illusion of invulnerability, imagining they're too smart to be manipulated, conned, deceived, or influenced. They believe that these things only happen to "stupid" people. Two methods are available to help employees understand their vulnerability and make them true believers. One method involves demonstrating the effectiveness of social engineering by "burning" some employees prior to their participation in a security awareness seminar, and then having them relate their experiences in class. Another approach is to demonstrate vulnerability by analyzing actual social engineering case studies to illustrate how people are susceptible to these attacks. In either case, the training should examine the mechanism of the attack, analyzing why it worked, and then discussing how such attacks can be recognized and resisted.
Aim to establish a sense in the trainees that they will feel foolish if manipulated by a social engineering attack after the training.

Training should emphasize each employee's responsibility to help protect sensitive corporate assets. In addition, it's vital that the designers of the training recognize that the motivation to follow security protocols in certain situations only grows out of an understanding of why the protocols are necessary. During security-awareness training, the instructors should give examples of how the security protocol protects the business, and the harm that could befall the company if people ignore them or are negligent.

It's also useful to emphasize that a successful social engineering attack may jeopardize the personal information of the employee and his or her friends and associates in the company. A company's human resources database may contain personal information that would be extremely valuable to identity thieves. But the best motivating factor may be that no one likes to be manipulated, deceived, or conned. As such, people are highly motivated not to feel foolish or stupid by falling for some scam.
Programs for Countering Social Engineering

Following are some basic points to consider when designing programs:

Develop procedures for employee actions when a social engineering attack is recognized or suspected.

The reader is referred to the extensive handbook of security policies provided in The Art of Deception. These policies should be considered as a reference; take what you need and leave the rest. Once the company's procedures have been developed and put into use, the information should be posted on the company's intranet, where it is quickly available. Another excellent resource is Charles Cresson Wood's treatise on developing information security policies, Information Security Policies Made Easy (San Jose, CA: Baseline Software, 2001).
Develop simple guidelines for employees, defining what information the company considers sensitive.

Since we process information in heuristic mode much of the time, simple security rules can be designed to raise a red flag when requests are made involving sensitive information (such as confidential business information like an individual's password). Once an employee recognizes that sensitive information or some computer action has been requested, he or she can refer to the security policy handbook on the company intranet Web page to determine the correct protocol or procedures to follow.

In addition, it's important to understand and to convey to employees that even information not considered as sensitive may be useful to a social engineer, who can collect nuggets of seemingly useless information that can be joined to provide information for creating the illusion of credibility and trustworthiness. The name of the project manager on a sensitive company project, the physical location of a team of developers, the name of the server that a particular employee uses, and the project name assigned to a secret project are all significant, and each company needs to weigh the needs of the business against the possible threat to security.

These are just a few of the many examples of seemingly unimportant information that can be of use to an attacker. Scenarios such as those in The Art of Deception can be useful in conveying this notion to trainees.
Modify organization politeness norms -- It's okay to say "no"!

Most of us feel awkward or uncomfortable saying "no" to others. (A product now on the market is designed for people who are too polite to hang up on telemarketers. When a telemarketer calls, the user presses the * key and hangs up; a voice then says to the caller, "Pardon me, this is the Phone Butler and I have been directed to inform you that this household must regretfully decline your inquiry." I love the "regretfully." But I think it an interesting commentary that so many people need to buy an electronic device to say "no" for them. Would you pay $50 for a device that saves you the "embarrassment" of saying "no"?)

The company's social engineering training program should have as one of its goals the redefining of the politeness norm at the company. This new behavior would include politely declining sensitive requests until the identity and authorization of the requestor can be verified. For example, the training might include suggesting responses on the order of, "As employees of Company X, we both know how important it is to follow security protocols. So, we both understand that I'm going to have to verify your identity before complying with your request."
Develop procedures to verify identity and authorization.

Each business must develop a process to verify identity and authorization of people requesting information or actions from employees. The verification process in any situation will necessarily depend on the sensitivity of the information or action being requested. As with many other issues in the workplace, the security needs must be balanced against the business needs of the organization.

This training needs to address not just the obvious techniques but subtle ones as well, such as the use of a business card by Whurley to establish his credentials. (Recall the title character played by James Garner in the 1970s detective series The Rockford Files, who kept a small printing press in his car so he could print up an appropriate business card for any occasion.) We provided a suggestion for the verification procedure in The Art of Deception.2
Get top management buy-in.

This is, of course, almost a cliché: Every significant management effort starts with the awareness that the program will need management support to succeed. Perhaps there are few corporate efforts in which this support is more important than security, which daily grows more vital, yet which does little to further corporate revenues and so often takes a back seat. Yet, that fact only makes it all the more important that a commitment to security start from the top.

On a related note, top management should also send two clear messages on this subject. Employees will never be asked by management to circumvent any security protocol. And no employee will get into trouble for following security protocols, even if directed by a manager to violate them.
On a Lighter Note: Meet the Manipulators in Your Own Family -- Your Children

Many children (or is it most?) have an amazing degree of manipulative skill -- much like the skill used by social engineers -- which in most cases they lose as they grow up and become more socialized. Every parent has been the target of a child's attack. When a youngster wants something badly enough, he or she can be relentless to a degree that at the same time is highly annoying, but also funny.

As Bill Simon and I were finishing this book, I was witness to a child's full-bore social engineering attack. My girlfriend Darci and her nine-year-old daughter Briannah had joined me in Dallas while I was there on business. At the hotel on the last day before catching an evening flight, Briannah tested her mother's patience by demanding they go to a restaurant she had chosen for dinner, and threw a typically childish temper tantrum. Darci applied the mild punishment of temporarily taking away her Gameboy and telling her she could not use her computer games for a day.

Briannah put up with this for a while, then, little by little, began trying different ways of convincing her mother to let her have her games back, and was still at it when I returned and joined them. The child's constant nagging was annoying; then we realized she was trying to social engineer us and started taking notes:
"I'm bored. Can I please have my games back." (Spoken as a demand, not as a question.)

"I'll drive you crazy unless I can play my games." (Accompanied by a whine.)

"I won't have anything to do on the plane without my games." (Spoken in a tone of "Any idiot would understand this.")

"It would be okay if I played just one game, wouldn't it!?" (A promise disguised as a question.)

"I'll be good if you give me my game back." (The depths of earnest sincerity.)

"Last night I was really good so why can't I play a game now?" (A desperate attempt based on muddled reasoning.)

"I won't do it ever again. (Pause.) Can I play a game now?" ("Won't ever do it again" -- how gullible does she think we are?)

"Can I have it back now, please?" (If promises don't work, maybe a little begging will help . . . )

"I have to go back to school tomorrow, so I won't be able to play my game unless I can get started now." (Okay, how many different forms of social engineering are there? Maybe she should have been a contributor to this book.)

"I'm sorry and I was wrong. Can I just play for a little while?" (Confession may be good for the soul but may not work very well as manipulation.)

"Kevin made me do it." (I thought only hackers said that!)

"I'm really sad without my game." (If nothing else works, try looking for a little sympathy.)

"I've gone more than half the day without my game." (In other words, "How much suffering is enough suffering?")

"It doesn't cost any money to play." (A desperate attempt to guess at what her mother's reason could be for extending the punishment so long. Bad guess.)

"It's my birthday weekend and I can't play my games." (Another pitiful grab for sympathy.)

And continuing as we prepared to head for the airport:

"I'll be bored at the airport." (In the forlorn hope that boredom would be considered a fearsome thing to be avoided at all costs. Maybe if Briannah got bored enough, she might try drawing pictures or reading a book.)

"It's a three-hour flight and I'll have nothing to do!" (Still some hope she might break down and open the book that had been brought along.)

"It's too dark to read and it's too dark to draw. If I play a game, I can see the screen." (The forlorn attempt at logic.)

"Can I at least use the Internet?" (There must be some compromise in your heart.)

"You're the best mom in the world!" (She is also skilled at using compliments and flattery in a feeble attempt to get what she wants.)

"It's not fair!!!" (The final, last-ditch effort.)
If you want to increase your understanding of how social engineers manipulate their targets and how they move people from a thinking state into an emotional state . . . just listen to your kids.