How well are your users prepared for modern-day social engineering attacks? If you’re like the majority of management personnel I speak with during our pre-audit consultations, you’re wary, but confident that your staff has properly prepared your employees against this threat to your organization.
In response, I routinely explain that it is admirable that you have that kind of faith in your managers and user base, but based on our statistical averages, be prepared for the possibility of a less than ideal result when you receive our audit findings report.
Statistically, the first time we perform a social engineering evaluation on an organization it’s not uncommon for as many as 65% of the users to fail certain areas of the evaluation and provide highly-sensitive data to an unknown party (namely our auditors). Why? For the most part it’s simply human nature to be helpful to someone who is polite, personable, and in need or attempting to do something beneficial for you.
In this article, we’ll discuss one specific scenario used in our social engineering evaluations, where the typical outcome for first-time clients is a failure rate of nearly two-thirds of users. These users fail to follow company policy and ultimately divulge sensitive credential information to the auditor. Read on to find out how we did the evaluation and how you can better prepare users for this type of threat.
Even in social engineering evaluations that go very poorly, we commonly discover that users were in fact already told not to give out their user account and password to anyone, and even that the IT staff will never legitimately ask for such information. Users are often told this directly, and it’s in most company policy manuals, if the organization has one. Let me just say for the record: this type of basic user training is rarely effective, and we prove it routinely.
We prove this with a combination of in-person, phone-based and email-based social engineering evaluations, performed as a standard part of a comprehensive BAI IT Security Audit. While we have literally dozens of different social engineering evaluation scenarios, here is a set I used on a recent audit:
In-person approach: prior to my arrival on-site to conduct a recent social engineering evaluation, I obtained a logo for the company in question (easily obtained from its website). I used the company logo to create a very basic website on which I created a simple on-line User Satisfaction Survey. In addition, I obtained a business card from a company employee and mocked up one of my own business cards indicating I was an employee in the IT department of the company. Both of these tasks took less than an hour. I entered the building, avoided the front desk check-in, and then approached 12 key employees in various departments. I showed them my business card, indicated I was a new “IT guy,” and then asked them to fill out our new on-line User Satisfaction Survey. The short of it – 9 people agreed to complete the survey, which included questions about which applications they use and, lastly, a network logon to confirm their identity. From this exercise, we learned their key applications and their logon credentials.
Phone-based: utilizing the same User Satisfaction Survey created for the in-person scenario above, we called 12 key employees, indicated who we were, and invited them to fill out our survey. We sweetened the deal with a chance to win an Apple iTouch for everyone who filled out the survey. Out of the 12 employees tested, 8 responded and filled out the survey. Since it was also for a chance to win a prize, we noticed that several users actually filled it out multiple times.
Email-based: again, utilizing the same User Satisfaction Survey form, we embedded a link to the survey in a forged email that appeared to come from the internal IT department. This was easily done with freeware software available from the Internet. In short, 6 employees out of 12 filled out the survey and provided us with the same highly sensitive information.
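The email-based scenario above relies on a message that merely looks like it came from the internal IT department. Training alone rarely catches that, but a mail gateway or mailbox rule can, by checking whether a message that claims an internal From address actually passed the organization's own SPF/DKIM/DMARC checks, whether its Return-Path matches, and whether its links point outside the company. The following is an added example written for this article, not code from the original post or from BAI; it assumes an internal domain of example.com, that the gateway stamps a standard Authentication-Results header, and two constructed sample messages that mimic the forged survey invitation and a legitimate one.

```python
import re
import email
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed internal mail domain; replace with the organization's own domain.
INTERNAL_DOMAIN = "example.com"


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of a mail address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def _is_internal_host(host: str) -> bool:
    """True for the internal domain itself or any of its subdomains."""
    host = (host or "").lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def _body_text(msg) -> str:
    """Extract the text body (plain preferred, then HTML) of a parsed message."""
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain", "html"))
        return part.get_content() if part is not None else ""
    return msg.get_content()


def assess_message(raw: str) -> dict:
    """Flag a message that claims an internal sender but does not look internal.

    Checks applied only when the From domain is the internal domain:
      * SPF, DKIM and DMARC must all show 'pass' in Authentication-Results
      * the Return-Path (envelope sender) domain must match the From domain
      * any http(s) link in the body must point at an internal host
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(str(msg.get("From", "")))
    claims_internal = from_domain == INTERNAL_DOMAIN

    if claims_internal:
        auth = str(msg.get("Authentication-Results", "")).lower()
        for mech in ("spf", "dkim", "dmarc"):
            if f"{mech}=pass" not in auth:
                findings.append(f"{mech} did not pass for internal From domain")
        rp_domain = _domain(str(msg.get("Return-Path", "")))
        if rp_domain and rp_domain != from_domain:
            findings.append(f"Return-Path domain {rp_domain!r} differs from From domain")
        for url in re.findall(r"https?://[^\s<>\"']+", _body_text(msg)):
            host = urlparse(url).hostname
            if not _is_internal_host(host):
                findings.append(f"internal sender links to external host {host!r}")

    return {"claims_internal": claims_internal,
            "suspicious": bool(findings),
            "findings": findings}


# Constructed sample: a forged "IT department" survey invitation (not a real message).
FORGED_SURVEY_MAIL = "\n".join([
    "Return-Path: <bounce@survey-host.invalid>",
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=survey-host.invalid;"
    " dkim=none; dmarc=fail header.from=example.com",
    "From: IT Department <it-support@example.com>",
    "To: jane.doe@example.com",
    "Subject: New User Satisfaction Survey",
    "Content-Type: text/plain",
    "",
    "Please complete our new survey: http://survey-host.invalid/survey",
    "",
])

# Constructed sample: a legitimate internal announcement (not a real message).
LEGIT_IT_MAIL = "\n".join([
    "Return-Path: <it-support@example.com>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "From: IT Department <it-support@example.com>",
    "To: jane.doe@example.com",
    "Subject: Intranet survey",
    "Content-Type: text/plain",
    "",
    "Please complete our survey on the intranet: https://intranet.example.com/survey",
    "",
])

if __name__ == "__main__":
    for label, sample in (("forged", FORGED_SURVEY_MAIL), ("legit", LEGIT_IT_MAIL)):
        result = assess_message(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["findings"])
```

The forged sample is flagged on every check (failed SPF/DKIM/DMARC, mismatched Return-Path, and an external survey link), while the legitimate one produces no findings. A gateway that applied even the first of these checks would have stripped the survey link or quarantined the message before any of the 12 employees saw it, which is why DMARC enforcement on the organization's own domain is a prerequisite for the user training the article goes on to recommend.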
In summary, most organizations believe they have prepared their employee base with existing policies and perhaps even reminders from time to time. However, as we prove on a routine basis, these efforts often fall short of truly educating employees on all the different methods commonly used by malicious individuals. Until the organization performs a round of social engineering evaluations that demonstrates the true risks, those responsible in management are often operating with a false sense of security.
These same organizations that do so poorly in the first round of testing routinely use the results to generate a new sense of awareness regarding these risks, and very frequently they are able to significantly reduce the failure rate on subsequent evaluations. Of course, the evaluation process varies from audit to audit, so the improved results reflect the elevated awareness initiated by the audit results.