Let’s chat a bit about social engineering. A couple of months ago, the gurus at Social-Engineer Inc. put together a Social Engineering Capture the Flag (SECTF) contest. You might be surprised at the results.
Contestants were given the name of a target company and a list of “flags” to capture. Each flag was a piece of information about the target, such as the following:
- employee names, work schedules, and other personal information
- versions of operating systems and browsers
- names of line of business applications and vendors
- upcoming business projects and development information
Questions about credit cards, Social Security numbers, and other sensitive data were not allowed.
Each flag was assigned a point value, and the contestant with the most points at the end of the game was the winner.
In the real world nobody hands out points for these little bits of data, but they do have value to a social engineer. Combining several pieces lets an attacker build a plausible scenario, a pretext, to present to the target, and a convincing pretext gets the victim to take the action the attacker wants. One of the targets in the SECTF contest was convinced to visit a website of the attacker’s choice. If the attacker already knows which OS and browser the company uses, it’s easy enough to design an attack for exactly that environment. Social engineering like this is how advanced persistent threats (APTs) end up on otherwise well-protected networks.
While the contest focused on demonstrating vulnerabilities, there were some good things revealed as well. One company refused to even provide a phone number on the basis that the company policy prohibited giving out that type of information.
Of course we know that just having a policy isn’t good enough; people have to follow the policy without exception. A determined social engineer will keep poking around until he finds the crack in the armor. That crack could come from social media, a careless conversation, an unsecured computer, some misplaced paper, and so on.
Hardcore criminals may spend months researching a target before ever contacting the company, but even a few hours of prep time can result in a successful attack. For an outstanding example of this, check out Social Engineering: Anatomy of a Hack. I don’t want to spoil it for you, but O.M.G. You’re going to rethink your state of security after reading that.
So how do we protect our networks from social engineering attacks? Let’s look at some of the basics:
Never believe a stranger who says something weird. Someone calls you and tells you that your credit card has been compromised, and they need you to give them the card number and your mother’s maiden name? Admit it, that’s weird. (If there’s ever any question about a credit card, just hang up and call the card company using the number printed on the card.) Similar attacks include ‘Windows Tech Support’ calling to inform you that there’s a problem with your PC, or the ‘helpdesk’ calling to ask for your password.
Never believe a friend who sends you something weird. You’ve seen this: a friend or co-worker gets infected, and their machine automatically sends you a copy of the virus. Think before you click. I once opened what looked like an awesome attachment from a co-worker whom I already knew would never send anything awesome. Really, this guy was not just A stick in the mud; he was THE stick in the mud. All other sticks aspire to be him. Still, when he sent me darthvader.ico.vbs, I immediately double-clicked. Please learn from my mistake, so that some good can come from the shame I have brought upon my family.
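The trick behind a name like darthvader.ico.vbs is the double extension: Windows Explorer hides the extension of registered file types by default, so the file displays as darthvader.ico but runs as a VBScript when double-clicked. That pattern is easy to screen for at the mail gateway or in a triage script. Below is an added example (not code from the original post or from Barracuda) that flags attachment names whose final, executable extension hides behind a harmless-looking one; the extension lists, the `assess_attachment` helper and the sample filenames are constructed for illustration.

```python
"""Flag attachment filenames that use the double-extension trick.

Added example, not from the original post.  The extension sets below are an
illustrative assumption, not an exhaustive or vendor-supplied list.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Extensions Windows will run or interpret when the file is double-clicked.
EXECUTABLE_EXTS = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".msi", ".lnk",
}
# Extensions a user expects to be harmless data; these serve as the bait.
BENIGN_EXTS = {".ico", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc",
               ".docx", ".xls", ".xlsx", ".txt", ".zip"}
# Model of "registered file types" whose extension Explorer hides by default.
KNOWN_EXTS = EXECUTABLE_EXTS | BENIGN_EXTS


@dataclass
class Verdict:
    filename: str
    displayed_as: str          # what Explorer shows with known extensions hidden
    real_ext: str              # the extension that actually picks the handler
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def _split_exts(name: str) -> list:
    # "darthvader.ico.vbs" -> [".ico", ".vbs"]; "README" or ".bashrc" -> []
    return [s.lower() for s in PurePosixPath(name).suffixes]


def assess_attachment(filename: str) -> Verdict:
    """Return a Verdict describing whether the name disguises an executable."""
    # Keep only the basename; some mailers hand over path-like names.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    exts = _split_exts(name)
    real_ext = exts[-1] if exts else ""
    # Explorer hides the final extension only when the type is registered.
    displayed = name[: -len(real_ext)] if real_ext in KNOWN_EXTS else name
    v = Verdict(filename=name, displayed_as=displayed, real_ext=real_ext)

    if real_ext in EXECUTABLE_EXTS:
        v.reasons.append(f"final extension {real_ext} is executable")
        if len(exts) >= 2 and exts[-2] in BENIGN_EXTS:
            v.reasons.append(
                f"disguised as {exts[-2]}: displays as '{displayed}' "
                "when extensions are hidden")
    # A right-to-left override (U+202E) reverses how the tail of the name
    # renders, another way to make "exe" read as a data extension.
    if "\u202e" in name:
        v.reasons.append("contains RTL override character (U+202E)")
    return v


# Constructed sample attachment names (not taken from real mail).
SAMPLES = ["darthvader.ico.vbs", "invoice.pdf.exe", "quarterly_report.pdf",
           "holiday.jpg", "setup.exe", "notes.txt"]


def triage(names=SAMPLES) -> dict:
    """Map each filename to the list of reasons it was flagged (empty = clean)."""
    return {n: assess_attachment(n).reasons for n in names}


if __name__ == "__main__":
    for n, reasons in triage().items():
        print(f"{n:28} {'FLAG' if reasons else 'ok  '} {'; '.join(reasons)}")
```

The check deliberately keys on the final extension rather than on anything earlier in the name, because that is the only part Windows consults when choosing a handler; everything before it is presentation that an attacker controls.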
Just never believe anyone. A little social media time can tell an attacker about your family and your hobbies. That’s really all an attacker needs. Want proof?
There are plenty of other things you can do to protect yourself and your staff from social engineering attacks: shred paper, enforce strong password policies, give staff clear instruction on security issues, and so on. And of course you should already have strong protection against phishing, which is simply email-based social engineering.
Barracuda offers a line of security products that can help you protect your infrastructure and resources. To learn more about our security products such as the Barracuda Spam Firewall, Barracuda NG Firewall, and more, visit our products page. You can get a risk-free 30-day demo of our security products through this page.