Tips on the Prevention of Social Engineering?

SecGuy asks: "I'm constantly bombarded with news about gee-whiz security technology aimed at protecting the "front door" of an organization. Yet social engineering -- and, more broadly, human failures of various kinds -- lead to a large percentage of successful hacks. I'm curious about what systematic approaches (if any) have been successful at building up an organizational immunity towards social engineering attacks and generally reducing the types of human failure that lead to security compromises. A lot of approaches I've seen boil down to hectoring and punishing, which (a) doesn't seem to work well, and (b) generally pisses people off."

Re:Social Engineering - strategies to stop it

[mrzaph0d]

i've found that guards are no match for the evil power of 'looking like you belong there'.

i was a contractor at a major telephone company and i was asked one time to help move a bunch of laptops (brand new, still in their boxes) from one building to another. i had permission, but the bad part was that only after i'd taken about $24,000 worth of laptops out of the building was i asked where i was going. this was after about 20 trips (80 laptops, 80 monitors, 80 docking stations).

sure, i had to have a badge to do get in and out of the doors, but there was always someone coming in or out who was willing to hold the door for me. would you make someone carrying a bunch of stuff stop to fumble with their card key when you know you could just stand there a few second longer and hold it open for them?

when i left there i noticed that if i took my parking card from my new job and clipped it to my belt with the back facing out, i was never challenged as to whether or not i was supposed to be there. (the employees all had to wear badges, and regulations were supposed to be that the badges had to have the picture facing out.) which brings up another point, if you are supposed to wear a badge at a place, why doesn't anyone ever challenge you? because they're embarressed to try since you may be legit. i mean this place used to issue temp badges (stickers that were supposed to be worn at all times), but no one ever wore them because they were a nuisance.

and security guards are no help unless they actually do something other than sit at their kiosk and read the paper/watch the video monitors..

OK I'm a Luser

[Deanasc]

I'm embarassed to say that once I refused a collect call from the Dominican Republic that turned out to be a client. The thing is just that morning the office manager sent around a memo warning us of suspicious telephone activity from the Carribean. I thought "Ah Ha! Here's some of that suspicous telephone calls they warned me about." And boy was the client pissed off. If it hadn't been for the fact that I was a recent transfer to the department and nobody informed me there was a client in the DR I'd've been fired.

The point is when you operate a business sometimes it's better to write off a couple thousand dollars of fraud then tick off someone wealthy enough to retire to a Carribean Island.

Now that I get this off my chest it occurs to me that if the guy was rich enough to retire to an island he could've afforded a quick phone call to clear things up.

Social Engineering - strategies to stop it

[maggard]

Social Engineering is effective because it starts with the folks most often overlooked - the front line.

Clear company policies need to be set up regarding what information is divulged & how. This is of interest not only to IS but to HR (keeping away poachers) and to individuals (stalkers, toner salesmen.)

Some basic strategies I've used are:

• The switchboard never gives out direct lines numbers. If someone needs a direct number the person can give it himself or herself.
• All staff is requested not to give out information regarding other employees. All such calls or emails are to be referred to HR. There calls are then screened, phone numbers are taken and callbacks used. Generally only a message is taken and passed along.
• Generic accounts are set up for key positions on voicemail & email. Callers requesting the name or contact information for unspecified folks (job titles) are referred to these generic accounts where an AA can sift through them later.
• Functional addresses & numbers are used where possible. Not only do these maintain privacy & security they also facilitate job turnover/movement (outsiders don't play chase only to discover the person has either left the company or moved to a different position, is no longer who they want.)
• "Out of Office" auto responses are not allowed to propagate outside of the business if allowed at all. They are specifically flagged at creation and blocked at the company's outbound servers.
• Identifying information is stripped from client-applications. This includes web-browsers not giving out names or other non-relevant information.
• The corporate phone & email directories are not allowed to be visible outside of the company. Furthermore their printing or copying is discouraged, made difficult.
• Laptops are heavily secured as they can provide invaluable information on a company's internals. This means using encrypted file systems, etc.
• Support & security folks have access to up-to-the-moment company directories that indicate a employee & contractor's names and where they fit in the org chart. Outside calls requesting possibly sensitive information from folks not known personally to the support person are conference-called to someone knowing them to verify their identity. If in doubt a callback is arranged and some method of determining their identity is found even if it means their describing what's in their top left desk drawer.
• Security is encouraged to be vigilant and backed up! Refusing access, even to a VIP or someone with a good story is respected and the employee commended if the refusal was warranted (doubt is in their favor.)
• Paper-shredders are made availaible and easy-to-use. In cases of bulk-shreddings special bins (recycling bins sprayed an ugly color) can be used & the shredding will be done by someone else.
• Outside trash containers are not hidden behind the building but in a secured and/or visible location. If necc. some sort of beautification can be undertaken but putting them where activity will be noted is important, more important then hiding them.
• Outside access to company resources is heavily controlled. Some possible common-sense measures include not making VPN's full peers on the network but filtering them from sensitive areas, no use of direct-inbound-dialing-to-computers (PC-Anywhere etc.) Furthermore 'unreasonable' hours should be implemented; there's rarely a pressing need to work remotely at 4am even if one employee might want to do so once a month, it's not worth the hazards.
• "Public" & unused parts of all facilities should not have live network drops without a specific need & their being kept in visible places. Network drops in unused parts of facilities are deactivated from the closet. Large-areas that are unused are completely deactivated. This means no drops behind the couch in the lobby and no working drops in the empty offices/floors.
• Settings given to outsiders within the company (folks using conference rooms etc.) should be filtered to give only limited access. The handy how-to-get-on-our-network sheets posted on the walls of these rooms *only* give information to 'guest' settings.
• "Honeypot"-like devices should be placed within the company firewall & monitored. SNMP, network scans or the like traffic should be flagged and correlated with a specific employee with a need / right to do such.

In my experience many companies leak like sieves. Web pages are full of names & numbers, especially MS Office-created ones replete with embedded names, titles, server-addresses & other identifying information nuggets. Helpful folks are often all too willing to give out names & contact information, especially on weekends and off-hours. Help desks can be snowed by a "remote contractor" or "new employee, not in the directory yet" brandishing their supposed boss's name and demanding information so they can "get their job done".

The best strategy? Cleaning up the leaks. Providing avenues of communication that are non-specific about their destination. Supporting folks when they refuse to give out information to unverifiable folks, defending them to those denied or their supervisors.

Finally it's not just a matter of keeping the crackers at bay; it's also stalker ex-dates, aggressive sales-weasels & other unwelcome harassers. While protecting the company folks are also protecting themselves.