Social Engineering Investigations

Below is a general outline for investigating social engineering style attacks. This article is meant for discussion purposes only.

One thing you need to be aware of is that social engineering is not limited to IT systems; it is an issue for the entire organisation.

Social engineering attacks can vary from low tech to high tech.

There are many factors that can lead to a successful social engineering attack.

Normally an attacker would first take a look at the company website, as these are usually filled with useful information such as the names, positions and phone numbers of staff.

Organisations need to be aware of just how much information they are giving away on their websites.

It's also common practice in organisations that a user's email address will be the same as their network user name. The password for email may also be the same as the network logon; this is normally true where an organisation is using Microsoft Exchange.

Armed with this information, an attacker may call the help desk posing as someone in a senior position in the organisation asking for "help" on how to connect to the network from home. Help desk staff have been surprisingly helpful to me in the past when I have attempted this type of attack.

An attacker may also pose as a sales rep, as an employee of an IT-related magazine or journal, or even as someone seeking employment, and ask to speak to the help desk / IT department. Once connected they would ask a series of questions relating to the computer systems in place, such as operating systems (Windows, Apple Macs, Linux/Unix), network infrastructure, wireless, remote access, web-based email, etc.

This information can help an attacker target specific areas of the network, such as wireless access points or remote access systems.

Organisations will also typically have large bins outside the premises: around the back, near the car park, at basement level, etc. Since the bins are collected and/or emptied by third parties, access to them is rarely restricted.

The amount of information that can be recovered from looking through a company's rubbish can be very rewarding: customer records, employee records, financial statements and other sensitive company data. This style of attack is commonly known as "dumpster diving".

These points would typically be the first steps, as the attacker never has to enter the building to gain access to sensitive information about the organisation. This raises an interesting question: since people are volunteering the information, has the attacker broken any laws? Also, if the bins are in a publicly accessible / shared area, has the attacker broken any laws by "dumpster diving"?

An attacker could also just walk in the front door, past security and reception staff. Mornings and lunchtimes are always a good time to attempt this, as there is a constant flow of people leaving and entering the building.

Other common entry points would be via the car park. But by far the best way in is with the smokers. The attacker will hang around outside, start chatting to other smokers and then just walk into the building with them. Once in the building it's easier to move around, because if you're there people assume that you're supposed to be there; after all, you've been seen outside smoking and talking with genuine employees. An attacker may then install various keyloggers, covert wireless access points or other bugging devices. Even something as simple as walking up to a printer and taking "your" printout will go unnoticed.

The likelihood of the above attacks being detected is low.

Prevention of some of these types of attacks can also be difficult.

The physical security of the building and its associated property should be covered by a combination of monitored CCTV and security guards. Bins should be locked and/or held in a secure area until they are collected.

Now for the IT side of things. This is normally shorter, as the trick is to get into the building. The majority of the time, sensitive data is not stored on employees' computers or laptops but on servers. These servers are typically kept in locked rooms secured by a physical lock and/or an electronic lock such as a swipe card or proximity card. Access is generally restricted to a few IT staff. If the attacker wanted to gain access to this room for whatever reason, stealing the physical hardware for example, they would first need to find out who has access to the room and then attempt to covertly copy their access card.

Often, if the attacker really needs to access server-stored data, it's more efficient to attempt to "hack" into the network from the inside, or even simply find a desk, call the IT department and ask them to reset "your" password.

The attacker may even simply pick up a laptop and walk out.

If the attacker really needs access to the server room they may pose as an engineer from one of the organisation's third-party support vendors, or even from the local telecoms company. A little work with some logos downloaded from the vendor's website, a colour printer and a laminator or plastic card printer is all that's needed to add credibility to the attacker's "story" as to why access is needed. Add in a few business cards with the "office" phone number and a work order, and the attacker may even be given unsupervised access to the server room or other sensitive areas of the business such as meeting and conference rooms.

The more high-tech attacks are normally phishing-style attacks, where an attacker will set up a fake website that looks identical to the organisation's, on a URL that closely matches the organisation's. The attacker will typically focus on the logon page or other pages that prompt the user for sensitive information. The end user will typically not know that their details have been "stolen". In the more sophisticated version of this attack the attacker will capture the user's data and then "send" that data to the genuine site for processing. If the details are correct the user will be presented with a valid session; if not, they will get the standard logon failed message.
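As an added example (not code from the original post), one defensive check for the look-alike domains described above: scan proxy log lines for hosts that match the organisation's domain after undoing digit-for-letter swaps, sit within two typos of it, or wrap it in extra words. The organisation domain, the log format and the sample lines are constructed placeholders.

```python
# Added example: flag proxy-log hosts that resemble the organisation's own domain.
import re
ORG_DOMAINS = {"example-corp.com"}  # assumption: placeholder for the real domain
# Visual substitutions commonly seen in look-alike names (digit for letter, etc.).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(label: str) -> str:
    """Undo the HOMOGLYPHS swaps so 'examp1e' compares equal to 'example'."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label

def is_lookalike(host: str, org_domains=ORG_DOMAINS) -> bool:
    host = host.lower().rstrip(".")
    for org in org_domains:
        if host == org or host.endswith("." + org):
            return False  # the genuine site or one of its own subdomains
        org_label, host_label = org.split(".")[0], host.split(".")[0]
        if normalise(host_label) == normalise(org_label):
            return True   # identical once digit/letter swaps are undone
        if levenshtein(host_label, org_label) <= 2:
            return True   # within two typos of the real name
        if org_label in host:
            return True   # real name wrapped in extra words, e.g. brand-login.com
    return False

# Constructed log format: "<timestamp> <client-ip> <host> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<path>\S*)$")
def scan(log_lines):
    hits = []  # (client-ip, host) pairs that deserve a closer look
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_lookalike(m["host"]):
            hits.append((m["src"], m["host"]))
    return hits
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2024-03-01T09:12:01 10.1.2.3 mail.example-corp.com /inbox",
    "2024-03-01T09:12:07 10.1.2.3 examp1e-corp.com /login",
    "2024-03-01T09:13:44 10.1.2.9 example-corp-login.com /auth",
    "2024-03-01T09:14:02 10.1.2.9 google.com /",
]
```

Hits from the scan are leads for the security team, not proof of phishing; a registered typo domain that nobody visits is still worth a takedown request.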

Now for the people side of things, which is always going to be the hardest part to protect yourself from.

Staff will need to be trained on the Do's and Don'ts of both the security surrounding the building and the IT systems.

The help desk staff should be trained to ask specific security questions in order to verify the identity of a user; relying on caller ID or someone's post code, zip code or date of birth is not sufficient. Caller ID is easy to fake and a person's home address is not too difficult to obtain.

Reception staff, PAs and secretaries are your first line of defence against telephone-style attacks. These staff members should be trained in filtering out the false calls from the genuine ones. Keep in mind that not all false callers can be stopped here, but they can at least be slowed down.

All employees should be made to feel comfortable challenging people they personally do not recognise, or any "employee" not displaying a valid ID card.
All non-employee visitors to the building should be escorted everywhere.
Visitors should not be given access to the organisation's network unless authorised.
Be wary of IP telephones in semi-public areas such as a reception area. These phones are connected to the organisation's internal network and typically have two network ports; all an attacker would need to do is connect their laptop to the IP phone's spare port to reach the organisation's network. The same applies to wired / wireless internet access for guests. Guest internet access should be on a separate network segment or VLAN that is denied access to the corporate LAN.

Do you think you would fall victim to a social engineering attack? Ask yourself the following questions:

Do I know everyone in the building?
Would I hold an access-controlled (swipe / proximity card) door open for someone if they were carrying something?
Would I challenge someone if I could not see their employee ID badge?
Would I lend mine to someone who approached me at the coffee machine if they said they had left theirs in their car?
Would I let someone in if I saw them chatting to one of the PAs or secretaries?
If someone called me on an internal extension claiming to be from the IT department, would I give them my password?

People are the weak link in the chain here. An attacker will use people's natural willingness to help against them. This is why social engineering attacks work: it's because they are allowed to work.

Investigating this type of attack.

The fact that you know an attack has taken place is a good start.
How was it detected?
When was it detected?
When did the attack take place?
How was the attack carried out?

Investigating this type of attack needs to be handled carefully. The aim really is to answer "How did someone manage to steal our assets, be that information, hardware or both?"
This would typically start with interviewing any persons identified from the previous questions. One thing to keep in mind is that people will feel embarrassed about coming forward and talking about the "attack".

They may feel guilty about any information they may have divulged. I would suggest that a third party conduct these interviews anonymously, i.e. people do not have to give their names to the interviewer, and the interview is carried out in confidence that no disciplinary action will be taken. The attack will have succeeded because of either a lack of controls or the lack of proper implementation, monitoring and enforcement of controls. Take the employee ID card as an example. Most policies state that "employees are required to have their ID cards visible at all times". Is this true for the organisation? Is this policy actually enforced? In my experience the companies that enforce this are few and far between.

These attacks will usually result in your staff being more aware of just how easy it is to leak data without even knowing it. I feel that an organisation should notify all its staff when a social engineering style attack has been discovered, so they may all learn from it. Remember that your staff are your first line of defence against a social engineer.
