Social engineering, tigers, and bears

Cross-posted from somewhere awful and edited to make sense as a stand alone:

To paraphrase number 5: Social engineering as a security audit tool, even if it actually provides any valuable information to anyone, is useless at effecting change in any way, and therefore, useless.

While I certainly concede that there are a few valid security controls failing that a successful social engineering attack highlights, I tend to blanket social engineering ‘hacks’ as a bit of the emperor’s new clothes.

Commonly suggested mitigating factors: ask for business cards, ask a manager to intervene, ask for photo identification, and so on. All of those controls fail if the attacker prepares for them and has the appropriate forged documents. Forging e-mail is even more trivial. The victim in each case has performed what they consider due diligence and for nothing.

The inverse cases of detected attacks are rarely security controls in action. Poor preparation or execution by the attackers raises suspicion. Human intuition can see through the con. A bogus HVAC company could be detected by a secretary whose husband is an owner/operator in the same HVAC space and is aware of all the competitors. These aren’t examples of lone security-conscious ‘model employees’ - just poor attacks.

Society - at least the one I enjoy and prefer - requires that there exist trust relationships created by simple things: uniforms, badges, even assertions - some retail employees can only be identified because they are folding clothes, and we’ve all asked or been asked ‘do you work here?’. Lying and replying “yes, how may I misdirect you? Please write down your home address, phone number, and social security number on this clipboard” doesn’t make you the smarter person performing some sort of hack, it makes you a criminal.

Luckily, the sociopaths that constantly violate these trusts tend to not be crafty social engineers. Pickpockets, petty thieves, white collar embezzlers, and so on, are practicing some of the world’s oldest professions.

Or is large scale social engineering happening right under our noses? I’ve heard the scenario: attackers then selling our information to the organleggers in Vegas that buy victims drinks. The victim wakes up in a bathtub full of ice with surgical scars!

Corporate espionage does exist but the tried and true method is to just pay an insider, dumpster dive, or hack a network remotely. Paying an insider is a pretty foolproof attack, so worry about that first.

There are exceptions - places where trust just has to not work: military bases, public utilities, treasury buildings, that base in Nevada full of aliens and crashed flying saucers, etc. Most of them have guards with guns. Checkpoints at every possible place. Cameras, fences, moats, and so on. Great security. Absolutely overkill for the large majority of commonly cited cases of successful social engineering attacks, if not for all workplaces. How many of the targeted facilities even have onsite security officers?

It is pretty easy to decry a post-it note password discovered by a social engineer, but that note is often behind one or more locked doors in what can be considered a secure section of a corporate office. This one is everyone’s favorite cited example of a stupid thing to do. It is stupid, but consider the risk versus the cost to prevent it. Consider the actual probability of an enterprise being attacked that way. Sometimes the “well I’ve always done it and never been attacked” excuse is actually a valid risk assessment.

From a cost perspective, it is almost always cheaper to prepare for system attacks with tried and true measures - defense in depth, recovery procedures for data loss, data backup and integrity checking, etc…

I do not feel this way about all security audits - penetration testing, app vulnerability testing, and physical security controls auditing, are all great. Too many organizations skip basic risk calculations, data classification, defense in depth, and so on, to go straight to the sexy movie-theater stuff, and it is foolish. Oh but I’m sure they have an expensive firewall, and lots of blinking lights under control.

What social engineering is absolutely brilliant for, is pointing out security theater amongst the real security controls. Common airport, sports arena, concert venue security rant, etc ad nauseam.