Monday, December 16, 2002

Social Engineering

I have had three opportunities to speak to different audiences on the topic of Social Engineering. The first was at a cybercrime conference here in Central Ohio that included several Law Enforcement personnel from Federal, State, and Local agencies. The next was for the Ohio State Bar Association on December 6th in Cleveland. I'll be repeating the OSBA seminar on the 18th here in Columbus. Social Engineering is the most effective method for intrusion into 'protected' networks. In fact, Security Professionals often make it easier for Social Engineers to succeed.

An article about Authentication Systems for computer networks points out the evolution of methods for assuring that the person requesting access to certain computer systems is who they say they are. The article mentions Smart Cards, Tokens, Biometrics, and Passwords, and says that the market is still immature. It is interesting that the last sentence of the article reads:

"When administrators do have a choice over which kinds of authentication to use, Rolfe suggests using a risk management approach, balancing the strength of the authentication solution against the costs and other drawbacks involved."

Yes, that is the whole secret behind successful Information Technology Security implementation: Risk Management.

Social Engineers attempt to fool people into divulging information that will give them access to whatever system happens to be the target du jour. You would think that with all these different forms of protection (Smart Cards, Biometrics, etc.) it would be very difficult.

It in fact makes it much easier.

Often, IT Professionals institute draconian security measures once they are unleashed and given the power to do so. Forcing password changes every 30 days, along with password complexity requirements so strict that one cannot hope to memorize them, causes people to write them down on big yellow post-it notes attached to their monitors. Hardly secure, eh? Easy enough for a Social Engineer who gets himself hired at an organization's cleaning company for a short stint.

Now any IT Security people reading this are ready to strangle me. Am I saying that users should be allowed to have one of the three most common passwords: "password", "secret", or "sex"?

No, of course not. There should be some password complexity, but not so terrible that it defeats its purpose in the first place. Sure, the mega-passwords aren't easily cracked with 'l0phtcrack' or 'John The Ripper', but they cause other, more undesirable behavior on the part of the user. If you want to make users have passwords like "O7-21IagtS,Afmv.", at least train them to come up with a mnemonic like "On 7-21 I am going to Sydney, Australia for my vacation." And don't make them change them every 30 days. There, I said it.

Yes, yes, people who keep the same passwords for long periods of time are more likely to have given them to someone else, and/or to have them used by hackers if they have been 'cracked'. But then again, if they were cracked and they are that complex, you've got bigger problems. Teach them to change a password only when they think someone has guessed it, or maybe once per year. This way they might actually throw that post-it note away after a few months, and will try to comply with requests that they see as more reasonable. Remember, if your users don't think your requests are reasonable for the situation as they perceive it, they won't comply, or they will try to get around your requirements.

How many password systems check to see if an entire department's users all have the same password? I've seen that at sites with overly complex password requirements. Think about it before you institute your policies.
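The department-wide shared-password check asked for above, as an added example that is not from the original post. It assumes passwords are stored as PBKDF2-SHA256 hashes with a per-user random salt (so stored hashes cannot simply be compared to each other), an assumed 12-character minimum in place of character-class rules, and a constructed three-person directory.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


@dataclass
class UserRecord:
    username: str
    department: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(username: str, department: str, password: str) -> UserRecord:
    salt = os.urandom(16)  # per-user salt: identical passwords get different hashes
    return UserRecord(username, department, salt, hash_password(password, salt))


# The three "most common" passwords named in the post; a real deployment would use a larger list.
COMMON_PASSWORDS = {"password", "secret", "sex"}


def shared_with_colleagues(candidate: str, user: UserRecord, directory: list) -> list:
    """Return usernames in the same department whose stored hash matches the candidate.
    Because every colleague has a different salt, the candidate is re-hashed under each
    colleague's salt; one PBKDF2 per colleague is affordable at password-change time."""
    matches = []
    for other in directory:
        if other.username == user.username or other.department != user.department:
            continue
        if hmac.compare_digest(hash_password(candidate, other.salt), other.pw_hash):
            matches.append(other.username)
    return sorted(matches)


def check_new_password(candidate: str, user: UserRecord, directory: list) -> list:
    """Return policy findings for a proposed password; an empty list means it is accepted."""
    findings = []
    if candidate.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if len(candidate) < 12:  # assumed minimum length
        findings.append("shorter than 12 characters")
    shared = shared_with_colleagues(candidate, user, directory)
    if shared:
        findings.append("already used by: " + ", ".join(shared))
    return findings


# Constructed directory: two accounting staff have quietly settled on the same password.
DIRECTORY = [
    make_user("alice", "accounting", "Winter2002!Acct"),
    make_user("bob", "accounting", "Winter2002!Acct"),
    make_user("carol", "legal", "O7-21IagtS,Afmv."),
]
```

Run periodically as an audit (re-hashing each user's own password is impossible without the plaintext, so the check belongs at password-change time), it turns the author's question into a policy rule rather than an afterthought.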

This relates directly to Social Engineering in that where such draconian (I'm going to try to use that term 10 more times) security measures exist, most users have had login problems at some point. Those problems have probably been very frustrating, and most IT departments I know of treat 'forgotten password' callers like scum, often deriding them or speaking to them very condescendingly. Therefore it is not unusual for a "fellow employee" [nudge, nudge, wink, wink] to call another for help, maybe even asking them for their password so that they can get a quick memo typed up, or to leave a help-desk request e-mail. Tokens, Smart Cards, and the like only add to potential confusion. However, if implemented with proper training and forethought, these added measures can be effective. Just try not to layer security too deep for the normal user, for you'll end up doing more damage to your security than good.

Sometimes even the IT departments are victims of these draconian methods (9 to go...just kidding, I'll stop now).

Unfortunately, on the flip side, many don't have any sort of security at all other than a Firewall at the border. I (and others) call that the "Castle-Wall" mentality of security: no protection for the soft interior, or against spies who might be invited in. "Security through obscurity" doesn't work either. This is the mentality of "no one knows we are here" security, or "we're too small" to be bothered with. With identity theft being epidemic, even computers at home can be a treasure trove for identity theft criminals.

So be wary, and be careful. Be just this side of paranoid.

Remember, it's "Risk Management".

Author's Note: When I first wrote this article and tried to post it, I received a "Microsoft OLE DB Provider for ODBC Drivers error '80004005' [Microsoft][ODBC SQL Server Driver][SQL Server]Could not allocate space for object 'Items' in database 'blogger' because the 'PRIMARY' filegroup is full. /blog_form-action.pyra, line 54" error. Maybe I need to shorten my articles a bit.