The Art of Deception: Controlling the Human Element of Security (30 page)

Within the corporate world there are probably few subjects about which all employees need to be educated that are simultaneously as important and as inherently dull as security. The best designed information security training programs must both inform and capture the attention and enthusiasm of the learners.

The aim should be to make security information awareness and training an engaging and interactive experience. Techniques could include demonstrating social engineering methods through role-playing; reviewing media reports of recent attacks on other less fortunate businesses and discussing the ways the companies could have prevented the loss; or showing a security video that's entertaining and educational at the same time. There are several security awareness companies that market videos and related materials.

NOTE For those businesses that do not have the resources to develop a program in- house, there are several training companies that offer security awareness training services. Trade shows such as Secure World Expo (www.secureworldexpo.com) are gathering places for these companies

The stories in this book provide plenty of material to explain the methods and tactics of social engineering, to raise awareness of the threat, and to demonstrate the vulnerabilities in human behavior. Consider using their scenarios as a basis for role-playing activities. The stories also offer colorful opportunities for lively discussion on how the victims could have responded differently to prevent the attacks from being successful.

A skillful course developer and skillful trainers will find plenty of challenges, but also plenty of opportunities, for keeping the classroom time lively, and, in the process, motivate people to become part of the solution.

Structure of the Training A basic security awareness training program should be developed that all employees are required to attend. New employees should be required to attend the training as part of their initial indoctrination. I recommend that no employee be provided computer access until he has attended a basic security awareness session. For this initial awareness and training, I suggest a session focused enough to hold attention, and short enough that the important messages will be remembered. While the amount of material to be covered certainly justifies longer training, the importance of providing awareness and motivation along with a reasonable number of essential messages in my view outweighs any notion of half-day or full-day sessions that leave people numb with too much information.

The emphasis of these sessions should be on conveying an appreciation of the harm that can be done to the company, and to employees individually, unless all employees follow good security work habits. More important than learning about specific security practices is the motivation that leads employees to accept personal responsibility for security.

In situations where some employees cannot readily attend classroom sessions, the company should consider developing awareness training using other forms of instruction, such as videos, computer-based training, online courses, or written materials.

After the initial short training session, longer sessions should be designed to educate employees about specific vulnerabilities and attack techniques relative to their position in the company. Refresher training should be required at least once a year. The nature of the threat and the methods used to exploit people are ever- changing, so the content of the program should be kept up to date. Moreover, people's awareness and alertness diminish over time, so training must be repeated at reasonable intervals to reinforce security principles. Here again the emphasis needs to be as much on keeping employees convinced of the importance of security policies and motivated to adhere to them, as on exposing specific threats and social engineering methods.

Managers must allow reasonable time for their subordinates to become familiar with security policies and procedures, and to participate in the security awareness program. Employees should not be expected to study security policies or attend security classes on their own time. New employees should be given ample time to review security policies and published security practices prior to beginning their job responsibilities.

Employees who change positions within the organization to a job that involves access to sensitive information or computer systems should, of course, be required to complete a security training program tailored to their new responsibilities. For example, when a computer operator becomes a systems administrator, or a receptionist becomes an administrative assistant, new training is required. Training Course Contents When reduced to their fundamentals, all social engineering attacks have the same common element: deception. The victim is led to believe that the attacker is a fellow employee or some other person who is authorized to access sensitive information, or authorized to give the victim instructions that involve taking actions with a computer or computer-related equipment. Almost all of these attacks could be foiled if the targeted employee simply follows two steps:

Verify the identity of the person making the request: Is the person making the request really who he claims to be?

Verify whether the person is authorized: Does the person have the need to know, or is he otherwise authorized to make this request?

NOTE Because security awareness and training are never perfect, use security technologies whenever possible to create a system of defense in depth. This means that the security measure is provided by the technology rather than by individual employees, for example, when the operating system is configured to prevent employees from downloading software from the Internet, or choosing a short, easily guessed password.

If awareness training sessions could change behavior so that each employee would always be consistent about testing any request against these criteria, the risk associated with social engineering attacks would be dramatically reduced.

A practical information security awareness and training program that addresses human behavior and social engineering aspects should include the following:

A description of how attackers use social engineering skills to deceive people.

The methods used by social engineers to accomplish their objectives.

How to recognize a possible social engineering attack.

The procedure for handling a suspicious request.

Where to report social engineering attempts or successful attacks.

The importance of challenging anyone who makes a suspicious request, regardless of the person's claimed position or importance. The fact that they should not implicitly trust others without proper verification, even though their impulse is to give others the benefit of the doubt.

The importance of verifying the identity and authority of any person making a request for information or action. (See "Verification and Authorization Procedures," Chapter 16, for ways to verify identity.)

Procedures for protecting sensitive information, including familiarity with any data classification system.

The location of the company's security policies and procedures, and their importance to the protection of information and corporate information systems.

A summary of key security policies and an explanation of their meaning. For example, every employee should be instructed in how to devise a difficult-to- guess password.

The obligation of every employee to comply with the policies, and the consequences for non-compliance.

Social engineering by definition involves some kind of human interaction. An attacker will very frequently use a variety of communication methods and technologies in attempting to achieve his or her goal. For this reason, a well- rounded awareness program should attempt to cover some or all of the following:

Security policies related to computer and voice mail passwords.

The procedure for disclosing sensitive information or materials.

Email usage policy, including the safeguards to prevent malicious code attacks including viruses, worms, and Trojan Horses.

Physical security requirements such as wearing a badge.

The responsibility to challenge people on the premises who aren't wearing a badge.

Best security practices of voice mail usage.

How to determine the classification of information, and the proper safeguards for protecting sensitive information. Proper disposal of sensitive documents and computer media that contain, or have at any time in the past contained, confidential materials.

Also, if the company plans to use penetration testing to determine the effectiveness of defenses against social engineering attacks, a warning should be given putting employees on notice of this practice. Let employees know that at some time they may receive a phone call or other communication using an attacker's techniques as part of such a test. Use the results of those tests not to punish, bur to define the need for additional training in some areas.

Details concerning all of the above items will be found in Chapter 16.

TESTING Your company may want to test employees on their mastery of the information presented in the security awareness training, before allowing computer system access. If you design tests to be given on line, many assessment design software programs allow you to readily analyze test results to determine areas of the training that need to be strengthened.

Your company may also consider providing a certificate testifying to the completion of the security training as a reward and employee motivator.

As a routine part of completing the program, it is recommended that each employee be asked to sign an agreement to abide by the security policies and principles taught in the program. Research suggests that a person who makes the commitment of signing such an agreement is more likely to make an effort to abide by the procedures.

ONGOING AWARENESS Most people are aware that learning, even about important matters, tends to fade unless reinforced periodically. Because of the importance of keeping employees up to speed on the subject of defending against social engineering attacks, an ongoing awareness program is vital.

One method to keep security at the forefront of employee thinking is to make information security a specific job responsibility for every person in the enterprise. This encourages employees to recognize their crucial role in the overall security of the company. Otherwise there is a strong tendency to feel that security "is not my job."

While overall responsibility for an information security program is normally assigned to a person in the security department or the information technology department, development of an information security awareness program is probably best structured as a joint project with the training department.

The ongoing awareness program needs to be creative and use every available channel for communicating security messages in ways that are memorable so that employees are constantly reminded about good security habits. Methods should use all of the traditional channels, plus as many non-traditional ones as the people assigned to develop and implement the program can imagine. As with traditional advertising, humor and cleverness help. Varying the wording of messages keeps them from becoming so familiar that they are ignored.

The list of possibilities for an ongoing awareness program might include:

Providing copies of this book to all employees. Including informational items in the company newsletter: articles, boxed reminders (preferably short, attention-getting items), or cartoons, for example.

Posting a picture of the Security Employee of the Month.

Hanging posters in employee areas.

Posting bulletin-board notices.

Providing printed enclosures in paycheck envelopes.

Sending email reminders.

Using security-related screen savers.

Broadcasting security reminder announcements through the voice mail system.

Printing phone stickers with messages such as "Is your caller who he says he is?'!

Setting up reminder messages to appear on the computer when logging in, such as "If you are sending confidential information in an email, encrypt it."

Including security awareness as a standard item on employee performance reports and annual reviews.

Providing security awareness reminders on the intranet, perhaps using cartoons or humor, or in some other way enticing employees to read them. Using an electronic message display board in the cafeteria, with a frequently changing security reminder.

Distributing flyers or brochures.

And think gimmicks, such as free fortune cookies in the cafeteria, each containing a security reminder instead of a fortune.

The threat is constant; the reminders must be constant as well.

WHAT'S IN IT FOR ME?" In addition to security awareness and training programs, I strongly recommend an active and well-publicized reward program. You must acknowledge employees who have detected and prevented an attempted social engineering attack, or in some other way significantly contributed to the success of the information security program. The existence of the reward program should be made known to employees at all security awareness sessions, and security violations should be widely publicized throughout the organization.

On the other side of the coin, people must be made aware of the consequences of failing to abide by information security policies, whether through carelessness or resistance. Though we all make mistakes, repeated violations of security procedures must not be tolerated.

Nine out of every ten large corporations and government agencies have been attacked by computer intruders, to judge from the results of a survey conducted by the FBI and reported by the Associated Press in April 2002. Interestingly, the study found that only about one company in three reported or publicly acknowledged any attacks. That reticence to reveal their victimization makes sense. To avoid loss of customer confidence and to prevent further attacks by intruders who learn that a company may be vulnerable, most businesses do not publicly report computer security incidents.

It appears that there are no statistics on social engineering attacks, and if there were, the numbers would be highly unreliable; in most cases a company never knows when a social engineer has "stolen" information, so many attacks go unnoticed and unreported.

Effective countermeasures can be put into place against most types of social engineering attacks. But let's face reality here--unless everyone in the enterprise understands that security is important and makes it his or her business to know and adhere to a company's security policies, social engineering attacks will always present a grave risk to the enterprise.

In fact, as improvements are made if I the technological weapons against security breaches, the social engineering approach to using people to access proprietary company information or penetrate the corporate network will almost certainly become significantly more frequent and attractive to information thieves. An industrial spy will naturally attempt to accomplish his or her objective using the easiest method and the one involving the least risk of detection. As a matter of fact, a company that has protected its computer systems and network by deploying state-of the-art security technologies may thereafter be at more risk from attackers who use social engineering strategies, methods, and tactics to accomplish their objectives.

This chapter presents specific policies designed to minimize a company's risk with respect to social engineering attacks. The policies address attacks that are based not strictly on exploiting technical vulnerabilities. They involve using some kind of pretext or ruse to deceive a trusted employee into providing information or performing an action that gives the perpetrator access to sensitive business information or to enterprise computer systems and networks. WHAT IS A SECURITY POLICY? Security policies are clear instructions that provide the guidelines for employee behavior for safeguarding information, and are a fundamental building block in developing effective controls to counter potential security threats. These policies are even more significant when it comes to preventing and detecting social engineering attacks.

Effective security controls are implemented by training employees with well- documented policies and procedures. However, it is important to note that security policies, even if religiously followed by all employees, are not guaranteed to prevent every social engineering attack. Rather, the reasonable goal is always to mitigate the risk to an acceptable level.

The policies presented here include measures that, while not strictly focused on social engineering issues, nonetheless belong here because they deal with techniques commonly used in social engineering attacks. For example, policies about opening email attachments--which could install malicious Trojan Horse software allowing the attacker to take over the victim's computer--address a method frequently used by computer intruders.

Steps to Developing a Program A comprehensive information security program usually starts with a risk assessment aimed at determining:

What enterprise information assets need to be protected?

What specific threats exist against these assets?

What damage would be caused to the enterprise if these potential threats were to materialize?

The primary goal of risk assessment is to prioritize which information assets are in need of immediate safeguards, and whether instituting safeguards will be cost- effective based on a cost-benefit analysis. Simply put, what assets are going to be protected first, and how much money should be spent to protect these assets?

It's essential that senior management buy into and strongly support the necessity of developing security policies and an information security program. As with any other corporate program, if a security program is to succeed, management must do more than merely provide an endorsement, it must demonstrate a commitment by personal example. Employees need to be aware that management strongly subscribes to the belief that information security is vital to the company's operation, that protection of company business information is essential for the company to remain in business, and that every employee's job may depend on the success of the program.

The person assigned to draft information security policies needs to understand that the policies should be written in a style free of technical jargon and readily understood by the non-technical employee. It's also important that the document make clear why each policy is important; otherwise employees may disregard some policies as a waste of time. The policy writer should create a document that presents the policies, and a separate document for procedures, because policies will probably change much less frequently than the specific procedures used to implement them.

In addition, the policy writer should be aware of ways in which security technologies can be used to enforce good information security practices. For example, most operating systems make it possible to require that user passwords conform to certain specifications such as length. In some companies, a policy prohibiting users from downloading programs can be controlled via local or global policy settings within the operating system. The policies should require use of security technology whenever cost-effective to remove human-based decision-making.

Employees must be advised of the consequences for failing to comply with security policies and procedures. A set of appropriate consequences for violating the policies should be developed and widely publicized. Also, a reward program should be created for employees who demonstrate good security practices or who recognize and report a security incident. Whenever an employee is rewarded for foiling a security breach, it should be widely publicized throughout the company, for example in an article in the company newsletter.

One goal of a security awareness program is to communicate the importance of security policies and the harm that can result from failure to follow such rules. Given human nature, employees will, at times, ignore or circumvent policies that appear unjustified or too time-consuming. It is a management responsibility to insure that employees understand the importance of the policies and are motivated to comply, rather than treating them as obstacles to be circumvented.

It's important to note that information security policies cannot be written in stone. As business needs change, as new security technologies come to market, and as security vulnerabilities evolve, the policies need to be modified or supplemented. A process for regular review and updating should be put into place. Make the corporate security policies and procedures available via the corporate intranet or maintain such policies in a publicly available folder. This increases the likelihood that such policies and procedures will be reviewed more frequently, and provides a convenient method for employees to quickly find the answer to any information-security related question.

Finally, periodic penetration tests and vulnerability assessments using social engineering methods and tactics should be conducted to expose any weakness in training or lack of adherence to company policies and procedures. Prior to using any deceptive penetration-testing tactics, employees should be put on notice that such testing may occur from time to time.

How to Use These Policies The detailed policies presented in this chapter represent only a subset of the information security policies I believe are necessary to mitigate all security risks. Accordingly, the policies included here should not be considered as a comprehensive list of information security policies. Rather, they are the basis for building a comprehensive body of security policies appropriate to the specific needs of your company.

Policy writers for an organization will have to choose the policies that are appropriate based on their company's unique environment and business goals. Each organization, having different security requirements based on business needs, legal requirements, organizational culture, and the information systems used by the company, will take what it needs from the policies presented, and omit the rest. There are also choices to be made about how stringent policies will be in each category. A smaller company located in a single facility where most employees know one another does not need to be much concerned about an attacker calling on the phone and pretending to be an employee (although of course an imposter may masquerade as a vendor). Also, despite the increased risks, a company framed around a casual, relaxed corporate culture may wish to adopt only a limited subset of recommended policies to meet its security objectives.

DATA CLASSIFICATION A data classification policy is fundamental to protecting an organization's information assets, and sets up categories for governing the release of sensitive information. This policy provides a framework for protecting corporate information by making all employees aware of the level of sensitivity of each piece of information.

Operating without a data classification policy--the status quo in almost all companies today--leaves most of these decisions in the hands of individual workers. Naturally, employee decisions are largely based on subjective factors, rather than on the sensitivity, criticality, and value of information. Information is also released because employees are ignorant of the possibility that in responding to a request for the information, they may be putting it into the hands of an attacker.

The data classification policy sets forth guidelines for classifying valuable information into one of several levels. With each item assigned a classification, employees can follow a set of data-handling procedures that protect the company from inadvertent or careless release of sensitive information. These procedures mitigate the possibility that employees will be duped into revealing sensitive information to unauthorized persons.

Every employee must be trained on the corporate data classification policy, including those who do not typically use computers or corporate communications systems. Because every member of the corporate workforce--including the cleaning crew, building guards, and copy-room staff, as well as consultants, contractors, and even interns--may have access to sensitive information, anyone could be the target of an attack.

Management must assign an Information Owner to be responsible for any information that is currently in use at the company. Among other things, the Information Owner is responsible for the protection of the information assets. Ordinarily, the Owner decides what level of classification to assign based on the need to protect the information, periodically reassesses the classification level assigned, and decides if any changes are needed. The Information Owner may also delegate the responsibility of protecting the data to a Custodian or Designee.

Classification Categories. and Definitions Information should be separated into varying levels of classification based on its sensitivity. Once a particular classification system is set up, it's an expensive and time-consuming process to reclassify information into new categories. In our example policy I chose four classification levels, which is appropriate for most medium-to-large businesses. Depending on the number and types of sensitive information, business may choose to add more categories to further control specific types of information. In smaller businesses, a three-level classification scheme may be sufficient. Remember--the more complex the classification scheme, the more expense to the organization in training employees and enforcing the system.

Confidential. This category of information is the most sensitive. Confidential information is intended for use only within the organization. In most cases, it should only be shared with a very limited number of people with an absolute need to know. The nature of Confidential information is such that any unauthorized disclosure could seriously impact the company, its shareholders, its business partners, and/or its customers. Items of Confidential information generally fall into one of these categories:

Information concerning trade secrets, proprietary source code, technical or functional specifications, or product information that could be of advantage to a competitor.

Marketing and financial information not available to the public.

Any other information that is vital to the operation of the company such as future business strategies.

Private. This category covers information of a personal nature that is intended for use only within the organization. Any unauthorized disclosure of Private information could seriously impact employees, or the company if obtained by any unauthorized persons (especially social engineers). Items of Private information would include employee medical history, health benefits, bank account information, salary history, or any other personal identifying information that is not of public record.

NOTE The Internal category of information is often termed Sensitive by security personnel. I have to use Internal because the term itself explains the intented audience. I have used the term Sensitive not as a security classification but as a convenient method of referring to Confidential, Private, and Internal information; put another way, Sensitive refers to any company information that is not specifically designated as Public.

Internal. This category of information can be freely provided to any persons employed by the organization. Ordinarily, unauthorized disclosure of Internal information is not expected to cause serious harm to the company, its shareholders, its business partners, its customers, or its employees. However, persons adept in social engineering skills can use this information to masquerade as an authorized employee, contractor, or vendor to deceive unsuspecting personnel into providing more sensitive information that would result in unauthorized access to corporate computer systems.