We recently spoke with Ken Munro from SecureTest about the problem of security at the human level. Staff in call centres handle our data daily, while bank staff have access to our exact financial status and details. We will likely never have the perfect software security solution, but at an even more basic level we really must spend time looking at the human side of the security issues facing us. Over to you Ken…
Where does security start? With your data? Your network? Your building? Or could it be your most precious resource: people? Human beings are at the heart of any security issue because they are fallible. The problem starts there, and can only be solved there.
Staff turnover and disgruntled or incompetent employees can all leave a business vulnerable to attack, and a security policy is the saving grace that allows most CEOs to sleep at night. But few security policies are fully adhered to, so it is advisable to check how that policy you painstakingly put together is actually being enforced.
Social Engineering (SE) is a form of penetration test that attempts to ‘hack the human’ side of an organisation. It tests factors such as unauthorised physical entry into buildings, obtaining sensitive information, and impersonation. Thus the Social Engineer must have the same guile and ability to manipulate as the hacker.
The terms of an SE test are devised with the company and can vary considerably, from gaining physical access to a building with or without the aid of staff, to extracting sensitive material off the premises, to planting devices. With regard to the latter, you’d be surprised how often trusted members of staff dock an abandoned USB key with their PC. Often we’ll temptingly label a file Payroll which, once opened, sends a sanitised Trojan back to HQ.
SE testers cannot operate with the same carte blanche as a hacker, however. Only information in the public domain can be used. Social networking sites, help forums and job sites are a mine of information, providing staff names, positions and contact details. Ironically, some of the most common culprits are IT staff who may turn to a forum for help configuring a new firewall, for example, and post on a technical newsgroup using their work email address. Far better to use an innocuous Gmail or Hotmail address.
On recent SE tests, we’ve been able to: pose as casual workers and enter the building; access confidential waste bins on the exterior of the property; pose as a new employee and obtain an ‘access all areas’ security pass; gain access to a server room; sit at a workstation or dock our own laptop unchallenged; crack the domain administrator password within 15 minutes; and, in one case, retrieve a sensitive file from a military base, to name but a few. Clearly staff aren’t nearly as vigilant as they think!
Ken Munro can be contacted at ken.munro@securetest.com
