Mitnick K.D., Simon V.L. - The Art of Deception (2003)(en)

There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious workforce. This involves training on the policies and procedures, but also--and probably even more important--an ongoing awareness program. Some authorities recommend that 40 percent of a company's overall security budget be targeted to awareness training.

The first step is to make everyone in the enterprise aware that unscrupulous people exist who will use deception to psychologically manipulate them. Employees must be educated about what information needs to be protected, and how to protect it. Once people have a better understanding of how they can be manipulated, they are in a far better position to recognize that an attack is underway.

Security awareness also means educating everyone in the enterprise on the company's security policies and procedures. As discussed in Chapter 17, policies are necessary rules to guide employee behavior to protect corporate information systems and sensitive information.

This chapter and the next one provide a security blueprint that could save you from costly attacks. If you don't have trained and alert employees following well-thought-out procedures, it's not a matter of if, but when you will lose valuable information to a social engineer. Don't wait for an attack to happen to you before instituting these policies: It could be devastating to your business and to your employees' welfare.

UNDERSTANDING HOW ATTACKERS TAKE ADVANTAGE OF HUMAN NATURE

To develop a successful training program, you have to understand why people are vulnerable to attacks in the first place. By identifying these tendencies in your training--for example, by drawing attention to them in role-playing discussions--you can help your employees to understand why we can all be manipulated by social engineers.

Manipulation has been studied by social scientists for at least fifty years. Robert B. Cialdini, writing in Scientific American (February 2001), summarized this research, presenting six "basic tendencies of human nature" that are involved in an attempt to obtain compliance to a request.

These six tendencies are those that social engineers rely on (consciously or, most often, unconsciously) in their attempts to manipulate.

Authority

People have a tendency to comply when a request is made by a person in authority. As discussed elsewhere in these pages, a person can be convinced to comply with a request if he or she believes the requestor is a person in authority or a person who is authorized to make such a request.

In his book Influence, Dr. Cialdini writes of a study at three Midwestern hospitals in which twenty-two separate nurses' stations were contacted by a caller who claimed to be a hospital physician, and given instructions for administering a prescription drug to a patient on the ward. The nurses who received these instructions did not know the caller. They did not even know whether he was really a doctor (he was not). They received the instructions for the prescription by telephone, which was a violation of hospital policy. The drug they were told to administer was not authorized for use on the wards, and the dosage they were told to administer was twice the maximum daily dosage, and thus could have endangered the life of the patient. Yet in 95 percent of the cases, Cialdini reported, "the nurse proceeded to obtain the necessary dosage from the ward medicine cabinet and was on her way to administer it to the patient" before being intercepted by an observer and told of the experiment.

Examples of attacks: A social engineer attempts to cloak himself in the mantle of authority by claiming that he is with the IT department, or that he is an executive or works for an executive in the company.

Liking

People have the tendency to comply when the person making a request has been able to establish himself as likable, or as having similar interests, beliefs, and attitudes as the victim.

Examples of attacks: Through conversation, the attacker manages to learn a hobby or interest of the victim, and claims an interest and enthusiasm for the same hobby or interest. Or he may claim to be from the same state or school, or to have similar goals. The social engineer will also attempt to mimic the behaviors of his target to create the appearance of similarity.

Reciprocation

We may automatically comply with a request when we have been given or promised something of value. The gift may be a material item, or advice,

or help. When someone has done something for you, you feel an inclination to reciprocate. This strong tendency to reciprocate exists even in situations where the person receiving the gift hasn't asked for it. One of the most effective ways to influence people to do us a "favor" (comply with a request) is by giving some gift r assistance that forms an underlying obligation.

Members of the Hare Krishna religious cult were very effective at influencing people to donate to their cause by first giving them a book or flower as a gift. If the recipient tried to return the gift, the giver would refuse remarking, "It's our gift to you." This behavioral principle of reciprocation was used by the Krishnas to substantially increase donations.

Examples of attacks: An employee receives a call from a person who identifies himself as being from the IT department. The caller explains that some company computers have been infected with a new virus not recognized by the antivirus software that can destroy all files on a computer, and offers to talk the person through some steps to prevent problems. Following this, the caller asks the person to test a software utility that has just been recently upgraded for allowing users to change passwords. The employee is reluctant to refuse, because the caller has just provided help that will supposedly protect the user from a virus. He reciprocates by complying with the caller's request.

Consistency

People have the tendency to comply after having made a public commitment or endorsement for a cause. Once we have promised we will do something, we don't want to appear untrustworthy or undesirable and will tend to follow through in order to be consistent with our statement or promise.

Example of attack: The attacker contacts a relatively new employee and advises her of the agreement to abide by certain security policies and procedures as a condition of being allowed to use company information systems. After discussing a few security practices, the caller asks the user for her password "to verify compliance" with policy on choosing a difficult-to-guess password. Once the user reveals her password, the caller makes a recommendation to construct future passwords in such a way that the attacker will be able to guess it. The victim complies because of her

prior agreement to abide by company policies and her assumption that the caller is merely verifying her compliance.

Social Validation

People have the tendency to comply when doing so appears to be in line with what others are doing. The action of others is accepted as validation that the behavior in question is the correct and appropriate action.

Examples of attacks: The caller says he is conducting a survey and names other people in the department who he claims have already cooperated with him. The victim, believing that cooperation by others validates the authenticity of the request, agrees to take part. The caller then asks a series of questions, among which are questions that draw the victim into revealing his computer username and password.

Scarcity

People have the tendency to comply when it is believed that the object sought is in short supply and others are competing for it, or that it is available only for a short period of time.

Example of attack: The attacker sends emails claiming that the first 500 people to register at the company's new Web site will win free tickets to a hot new movie. When an unsuspecting employee registers at the site, he is asked to provide his company email address and to choose a password.

Many people, motivated by convenience, have the propensity to use the same or a similar password on every computer system they use. Taking advantage of this, the attacker then attempts to compromise the target's work and home computer systems with the username and password that have been entered during the Web site registration process.

CREATING TRAINING AND AWARENESS PROGRAMS

Issuing an information security policy pamphlet or directing employees to an intranet page that details security policies will not, by itself, mitigate your risk. Every business must not only define the rules with written policies, but must make the extra effort to direct everyone who works with corporate information or computer systems to learn and follow the rules. Furthermore, you must ensure that everyone understands the reason behind each policy so that people don't circumvent the rule as a matter of convenience. Otherwise, ignorance will always be the worker's excuse, and the precise vulnerability that social engineers will exploit.

The central goal of any security awareness program is to influence people to change their behavior and attitudes by motivating every employee

to want to chip in and do his part to protect the organization's information assets. A great motivator in this instance is to explain how their participation will benefit not just the company, but the individual employees as well. Since the company retains certain private information about every worker, when employees do their part to protect information or information systems, they are actually protecting their own information, too.

A security training program requires substantial support. The training effort needs to reach every person who has access to sensitive information or corporate computer systems, must be on-going, and must be continuously revised to update personnel on new threats and vulnerabilities. Employees must see that senior management is fully committed to the program. That commitment must be real, not just a rubber-stamped "We give our blessings" memo. And the program must be backed up with sufficient resources to develop, communicate, test it, and to measure success.

Goals

The basic guideline that should be kept in mind during development of an information security training and awareness program is that the program needs to focus on creating in all employees an awareness that their company might be under attack at any time. They must learn that each employee plays a role in defending against any attempt to gain entry to computer systems or to steal sensitive data.

Because many aspects of information security involve technology, it's too easy for employees to think that the problem is being handled by firewalls and other security technologies. A primary goal of training should be to create awareness in each employee that they are the front line needed to protect the overall security of the organization.

Security training must have a significantly greater aim than simply imparting rules. The training program designer must recognize the strong temptation on the part of employees, under pressure of getting their jobs done, to overlook or ignore their security responsibilities. Knowledge about the tactics of social engineering and how to defend against the attacks is important, but it will only be of value if the training is designed to focus heavily on motivating employees to use the knowledge.

The company can count the program as meeting its bottom-line goal if everyone completing the training is thoroughly convinced and motivated by one basic notion: that information security is part of his or her job.

Employees must come to appreciate and accept that the threat of social engineering attacks is real, and that a serious loss of sensitive corporate