Social Engineering self-defense.

By Locrian_Lyric
Inspired by the article IRS employees socially engineered. Some of this is reposted.

I know a few tried and true tricks. I won't publish them for obvious reasons, but I do tell people what to look out for.

Included are steps to avoid.

1) "Idiot traps": these are along the lines of a big red button that says "don't push". The trick works by playing on basic human curiosity. A variant of that is the 'forbidden secret', be it a malicious file labeled 'HR salary info' or a secret about a celebrity.

DEFENSE: set up a few "idiot traps" of your own and catch your own employees. NOTE: this is not to be a tool for disciplinary action, but for instruction. A user falling for one of the idiot traps should have their account disabled, until they call the help desk. When they do, an email should be sent to that user detailing that they fell for a trap and that had it been an actual criminal hacker, severe damage to the company, or identity theft of the user could occur.

Again, no disciplinary action should result because the goal is to establish a culture of awareness and not a culture of fear.

2) The "I don't want to get in trouble" trap. You see this one in the movies all the time when someone bluffs their way past a guard, asking them to cut them some slack because they lost their ID for the third time this month or some other sob story. This one works well too. The irony of this one is that the more tightly security clamps down, the more effective this one is. Fellow employees who have been hassled by security for seemingly trivial matters will be VERY sympathetic and hold the door open for that 'employee' who 'lost his ID card'.

DEFENSE: Once again, make security a culture of awareness, not fear. Instruct security to be polite but firm. Have a quick resolution available for the lost/forgotten ID that does not involve management, i.e. the employee reports to security and informs them that their ID was forgotten. Security puts a block on that ID and issues a temporary ID until the employee returns to security with his permanent ID. This will eliminate the whole fear of getting into trouble. You WANT employees to come forward immediately when security is breached, not try to hide it.

3) DO THIS OR YOU'RE GOING TO BE IN TROUBLE! Simple intimidation. The scammer pretends to be someone in a position of power and simply demands the information they want.

DEFENSE: Strict policies and procedures created to discourage this kind of bullying. If it's allowed from management, someone engaging in social engineering will be able to employ it. Furthermore, cowed employees will not be good at security, as their focus will be to keep their heads down and avoid making waves.

4) Standard procedures: This one nails bureaucracies every time. When employees are trained to be mindless robots and policies are never explained, someone can just walk in, grab anything they want and leave with it if they simply assert that they are following a new procedure.

DEFENSE: Communication, infrequent changes in policy, low turnover and high morale. Employee apathy is the enemy here. If employees are force-fed 'embrace change' (in other words, don't ask questions, just do what we tell you) to the point of lunacy, they will not care and they will not question. No amount of precautions will help if the employees don't care. Get the employees involved. Communicate WHY something is needed in a clear, concise way without insulting their intelligence.

Any additions/amendments to the ideas above?
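The "idiot trap" defense in point 1 is a small workflow: a per-user trap link, an automatic lock-out when it is opened, and a help-desk reset that sends an instructional notice rather than a disciplinary one. Below is an added example of that workflow, not code from the original post or its author. It is a constructed, in-memory simulation: the signing key, the `directory` dictionary standing in for the identity provider, and the `outbox` list standing in for real email are all assumptions. The HMAC in the token is there so a click can be attributed to the right user and a forged token cannot lock out someone else.

```python
"""Awareness "idiot trap" workflow: per-user trap links, automatic lock-out,
and a help-desk reset that sends an instructional (not disciplinary) notice.
Constructed example with an in-memory directory; no real mail or IdP calls."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical signing key; in a real deployment this comes from a secret store.
TRAP_KEY = b"constructed-example-key-not-for-production"


@dataclass
class Account:
    username: str
    enabled: bool = True
    caught: list = field(default_factory=list)  # trap ids the user fell for


directory = {}  # username -> Account (stands in for the identity provider)
outbox = []     # (recipient, subject, body) tuples instead of real email


def _mac(username: str, trap_id: str) -> str:
    return hmac.new(TRAP_KEY, f"{username}:{trap_id}".encode(), hashlib.sha256).hexdigest()


def make_trap_token(username: str, trap_id: str) -> str:
    """Return the per-user token embedded in a trap link such as a file
    labelled 'HR salary info'. trap_id must not contain ':'."""
    return f"{username}:{trap_id}:{_mac(username, trap_id)}"


def record_click(token: str) -> bool:
    """Called when a trap link is opened. Verifies the token, then disables
    the account so the user has to call the help desk. Returns False for a
    malformed, forged or unknown-user token (nothing is changed in that case)."""
    parts = token.split(":")
    if len(parts) != 3:
        return False
    username, trap_id, mac = parts
    if username not in directory or not hmac.compare_digest(mac, _mac(username, trap_id)):
        return False
    acct = directory[username]
    acct.enabled = False
    acct.caught.append(trap_id)
    return True


def helpdesk_reset(username: str) -> str:
    """The help-desk step: re-enable the account and send the awareness
    email explaining what happened. Returns the email body for logging."""
    acct = directory[username]
    acct.enabled = True
    body = (
        f"Hi {username}, the item '{acct.caught[-1]}' you opened was an internal "
        "awareness test. Had it been a real attacker, severe damage to the company "
        "or theft of your own identity could have occurred. No disciplinary action "
        "results from this; the goal is awareness."
    )
    outbox.append((username, "Security awareness test", body))
    return body


if __name__ == "__main__":
    directory["alice"] = Account("alice")
    link = make_trap_token("alice", "HR salary info")
    print("click accepted:", record_click(link), "| enabled:", directory["alice"].enabled)
    print(helpdesk_reset("alice"))
```

The lock-out is deliberately tied to the help-desk call, as the post describes: the account comes back only through that conversation, which is where the explanation lands. Keeping the `caught` list per account also lets the awareness programme see who needs another session without feeding a disciplinary process.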

Probably, But it looks like...

by dawgit In reply to Social Engineering self-d ...

You covered the subject pretty well, it seems to me. It might sound simple to many of us, but some people need to be reminded from time to time.
Good Post. -d

by Locrian_Lyric In reply to Probably, But it looks li ...

I've seen a bit in my career.

One firm tried to crack down on security problems: any employee who forgot their badge or lost it would be disciplined.

Guess what?

Yep, plenty of people still forgot their badges, but now other employees were holding the doors open for them.

THAT was bright, eh?

Very Well Done!

by Tig2 In reply to Social Engineering self-d ...

I hope you don't mind but I will be taking a copy of your post to our security and compliance meeting and sharing it about. Excellent points and all should be incorporated into awareness training.

We do quite a bit of that where I work but there is always someone who can get caught.

Your last point about communicating change sensibly is particularly good. I am in a highly regulated environment and we frequently send change information when the rules change...again. What I am seeing though is a sense of "why bother to learn the rule this week? It will only change again". I am starting to think that Deep Dive sessions and Lunch and Learns might help us through some of that negative thinking.

An excellent post!

Edited for my many thumbs...

Thanks tiggertwo

by Locrian_Lyric In reply to Very Well Done!

and by all means, spread the word.

I think the failures in securing against social engineering come down to one root cause: Treating the employee as an enemy instead of an ally.

Not Bad

by Don Ticulate In reply to Very Well Done!

for a Ctrl C - Ctrl V, not bad at all!

Not Bad?

by catpro-54 In reply to Not Bad

You have a very negative attitude. Give it a rest and give people the credit they are due. N_o_n presented a very well-thought-out article. YOU have presented a very ugly response, and I've read some of your other replies as well. Where are your articles of information/help/insight?

Maybe add...

by shardeth-15902278 In reply to Social Engineering self-d ...

I don't know if this fits or not but...

Badge of authority - The "consultant/contractor/inspector" who is working on ___ project and needs your help with _____. Naturally, people want to help, especially someone so obviously professional and knowledgeable.

Defense - You can probably write a much better one than I, but I would say awareness training, and clear policies on the handling of visitors of any kind.

I really like the fact that your approaches are based on enablement and empowerment, rather than on policy and punishment. Thanks for the excellent post.

And, Don't Forget ...

by bluemoonsailor In reply to Maybe add...

... the 'name dropper'. I.e. "This is the <insert bigwig name here>'s hot button this week and I really need this. I'm meeting with <him/her> tomorrow and I *have* to have this ready by then."

Using an executive's name can either inspire fear and the desire not to be the next scapegoat, or reaching for brownie points and wanting to be seen as cooperative and a team player. It's also unlikely that a low-level peon is going to pick up the phone and call the bigwig for verification of the request.

Steve G.

by Locrian_Lyric In reply to Maybe add...

In addition to what you suggested, I would say a two-pronged approach.

Employee retention and high morale = more people familiar with the policies. In addition, low turnover limits the number of unfamiliar faces. If contractors and consultants are used, use them long term so their faces are known to full-time employees. All visitors should have a center to report to, with a comfortable waiting room with a bathroom attached and refreshments available. Not only does this give the impression that your company is warm and inviting, it also gives visitors no reason to leave the secure area prior to their escort arriving or business being done.


Thank you for your comments. I've worked for successful companies, and companies that were crashing and burning.

You cannot have effective security if you approach it from a punitive angle. Employees resent it, will try to hide mistakes if they know they will be punished for simple human error, or will even actively sabotage security efforts out of anger or revenge.

In my approach, I attempt to set up the 'win - win'.

The company's end goal is security. The money and resources spent on maintaining high morale will more than be recovered by the reduced cost of formal security precautions.

You hit the nail on the head

by frank.stephens In reply to Defense:

Punitive approaches do not work. As a security professional, you must develop trust and a positive relationship with all, until they disprove the relationship by their premeditated/criminal actions. Just like my Grandmother used to say, you can catch more flies with honey than with vinegar.
