If you've been with us the past few months, we've been talking about the who and why of economic espionage/insider threat. Starting today....we're about to make all you wannabe James Bonds out there understand the how.
A New Degree in Engineering
Still one of the hottest attacks around is one that you really have almost zero chance of defending against. Why? Because it targets people. This attack has been called various things throughout its existence: con games, social engineering, and most recently: pretexting. The reason it's so hard to stop is that the attack plays on a trait that is generally found to be desirable in human beings: TRUST. (I know, most security pros live in a sort of nebulous state of securanoia.....which is easy to do when you realize everyone is out to steal your data.)
Bottom line, it's far easier to con my way into a building, get customer data, steal some IP.....than it is to hack through your Cisco PIX firewall, then navigate through your domain evading your IDS, and clear the event logs when I'm done. As I tell people all the time, the biggest hole in your firewall is the two glass doors by the Receptionist Desk. Let's take a look at how this happens.....
Kevin Mitnick: Last King of SE
I had the opportunity to meet Kevin a few months ago at an INFRAGARD meeting. Nice guy, very personable, good speaker. Never would have guessed him to be some slick con man. Well, you'd be wrong. Kevin is about the most famous (former) con man around. He's pretty much the poster boy for Social Engineering (SE). Yes, Kevin was doing bad things and was asked to spend some time at a Federally funded rehabilitation facility for his transgressions. His story makes for great reading, and if you haven't already got this book in your security library, his book The Art of Deception: Controlling the Human Element of Security is a must-have. Practically a primer for how to identify and defend against these types of attacks. Get it. I've never heard anyone say it was a bad purchase. Many of the examples I'll use are straight out of this book. (If Kevin's reading....thanks man.....your efforts in this area are really opening some eyes.)
The Video Store
I use this example every time I talk about SE. How hard is it for me to get your credit card information? Well, let's consider the fact that most people are members of one of the major video chains, which almost always includes a brick-and-mortar location near your house. (This is, of course, unless you use Netflix.) So here's how it goes:
(No video stores were harmed in the previous example)
Types of Social Engineering Exploits
Okay, I love to "re-purpose" content, which is perfectly legal so long as you credit the source. This source is from my co-worker, Steve Riley, who's done some great presentations on this as well. Here are some ways that these happen:
Kevin Says: Stop The Madness! How to Know If You're Getting Played by an SE
So in his most excellent book, Kevin talks about some ways to help reduce the risk of being socially engineered. (You know I like to discuss risk...but it does you no good unless I tell you how to stop it.) Here are some ways to identify if a Social Engineer is engaging you or your employees.
I'm assuming that most of you guys who live in the securanoia realm are aware of things like this. Your "spidey sense" starts to tingle when you get calls like this, or some guy shows up at the front desk trying to talk his way into the building. Problem is, your employees don't. You can't be everywhere....so you need to take this key info and roll it into your security awareness program.
NEXT TIME: Insider Threat continues with: "How Insiders Move Your Data"