Tricking, not hacking – protecting public sector IT against social engineering
By Gavin Ewan and Colin McLean, University of Abertay, Dundee
Awareness of cyber security is growing across the public and private sectors, particularly following the UK Government’s 2010 decision to upgrade cyber crime to a ‘tier 1’ national security threat alongside physical terrorism.
The nation is investing to protect itself, but are you? Within your organisation, a solid understanding of the tricks malicious hackers can use is essential to avoid the loss of confidential data and your computer systems being compromised. And sometimes the simplest attacks are the most devastating. Welcome to the murky world of ‘social engineering’.
SOCIAL ENGINEERING AND SPEAR PHISHING
What is computer hacking? You might think of technical experts looking for weaknesses in your system and breaking in. Social engineering is much easier and much more worrying for your organisation – with attacks successfully hitting their targets just by manipulating the weaknesses in human psychology that we all have.
Many companies that have been in the news for ‘hacking’ attacks were actually the victims of social engineering. Last year, one of the most serious public security breaches was that of authentication firm RSA SecurID. This started not with a sophisticated technical hack, but a simple spear phishing email. An email with an attachment titled ‘2011 Recruitment Plan’ was opened and compromised the security company.
What really stands out about this attack is that the spam filters actually did their job and put the spear phishing email into the junk folder. The email was, however, enticing enough that at least one employee moved it out of junk email and opened it. These emails were aimed at lower-level employees in the organisation – the human psychology flaw was wanting to see a document that was apparently private and for senior managers only.
Another highly visible attack that recently came to light with spear phishing at the centre was on UK defence contractors. The attacks themselves have not been publicly dissected, but they have been brought to light through an information sharing hub implemented as part of the new UK cyber security strategy. We can see that spear phishers are not afraid even to attack what would be assumed to be the most heavily defended organisations. The implications for public sector IT are therefore very serious.
Social engineering is becoming increasingly mainstream but is also, sadly, the main type of attack organisations find difficult to defend against. In some cases, people claim any defence is unethical, as launching a fake spear phishing campaign to heighten staff awareness might suggest ‘offenders’ should be named and shamed. This attitude is entirely wrong – and proper training against social engineering is important and never needs to highlight or humiliate anyone.
In order to better protect against social engineering attacks, we must firstly reduce the opportunities available to the attacker. By using only a handful of tools, a very powerful social engineering attack could be constructed by a not particularly technical attacker. Removal of personal details from company websites will probably not stop a determined attacker, but it will certainly deter attackers looking to ensnare lower-level employees by sending enticing-looking email attachments.
While individual members of staff can take precautions against a social engineering attack, organisations as a whole must take steps as well. First and foremost, personal information should be removed from work websites entirely. If information must be displayed about individual members of staff, keep it to work information and even then keep the information to an acceptable level.
Displaying a member of staff’s CV is another invitation for an attack and could even invite a direct attack, as the social engineer can prepare a similar CV and use that to win a role within the organisation and then attack from within. On a smaller scale, when attacking an individual, the social engineer can mimic an employee that worked at the same organisation and exploit them this way.
In order to protect staff, defence must be staged at two levels: passive and aggressive. Passive defence involves enshrining in policy good practices that staff members must follow.
These practices may include not opening email attachments under any circumstances, for instance, in organisations where people have access to highly sensitive data like child-protection records. A social engineer can easily mimic a trusted email address, and if a website is recommended within an email then the member of staff should never click the link. It might even be tempting to search for the website on Google and browse to it from the search results, but a determined attacker will have prepared the malicious website in advance and allowed the search engine’s spiders to crawl it, so that it is genuinely listed.
In short, the fact that a website can be found on Google does not mean it is not malicious. Best practice would be to avoid visiting unknown websites on any critical work machine.
A further measure of passive defence would be to implement strong spam filtering. Spam filters are not great at picking up the content of a spear phishing email if it is heavily targeted, but they are useful for picking up evasion techniques, such as a displayed sender address in the header that does not match the address the email actually came from.
If spear phishing emails can be blocked before a member of staff sees them, then the element of human weakness is removed from the equation.
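As an added example (not from the article), the kind of header check the authors describe, in Python: it flags a From: domain that differs from the envelope sender (Return-Path) or Reply-To, and an HTML link whose visible text names one host while its href points to another. The message, names and domains below are constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display address claims to be internal,
# but the envelope sender, Reply-To and the real link target belong to
# another domain. All names and domains here are made up for the example.
SAMPLE = """\
Return-Path: <bounce@mailer-example.net>
From: "HR Department" <hr@council.example.gov.uk>
Reply-To: hr-reply@mailer-example.net
To: clerk@council.example.gov.uk
Subject: 2011 Recruitment Plan - confidential
Content-Type: text/html; charset=utf-8

<p>Please review the plan at
<a href="http://login.mailer-example.net/plan">https://intranet.council.example.gov.uk/plan</a></p>
"""

def domain_of(addr):
    """Lower-cased domain part of an address such as 'Name <user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def check_message(raw):
    """Return a list of findings for the header and link mismatches a filter can catch."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # Envelope sender or reply address on a different domain from the displayed From:
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(hdr, ""))
        if other and other != from_dom:
            findings.append(f"{hdr} domain {other} != From domain {from_dom}")
    # Link whose visible text is a URL on one host but whose href goes elsewhere
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and href_host != text_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print("FLAG:", finding)
```

Run against the sample it reports three findings (Return-Path, Reply-To and the disguised link); a clean message with matching domains and no links returns an empty list.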
Aggressive defence involves actively testing staff against this type of attack. Spear phishing exercises should be carried out, either by internal system administrators or contracted out externally. The idea is not to humiliate individual users that click on the rogue link or open attachments, but rather to harden all users against this type of attack.
By adopting an aggressive stance towards defending against social engineering attacks, staff can be trained and hardened against them. It is far better to have staff fall victim to an internal test than a malicious hacker. Individuals do not need to be humiliated as ‘punishment’ for falling victim to a social engineering test that is conducted internally. Rather, the results can be published to all staff involved and education delivered to them all. Those that fail the test will know who they are.
Through persistent testing and re-testing like this, staff will eventually know what to look for and how to avoid a social engineering attack. Regular education can make huge differences to the security of public sector IT systems.
Now ask yourself honestly – what’s your weakness?