Social Engineering Audit & Security Awareness


Published on

A closer look at social engineering and it's different types when dealing with security and protecting valuable information.

Published in: Business, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Social Engineering Audit & Security Awareness

  1. 1. Social Engineering Audit & Security Awareness Hacking the Human Kyle Konopasek, CIA CBIZ MHM, LLC – Kansas City
  2. 2. Tony Coble, CPA Managing Director – CBIZ MHM and Shareholder, MHM 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1031  Email: Presenters Kyle Konopasek, CIA, CICA Manager – CBIZ MHM, LLC 11440 Tomahawk Creek Parkway Leawood, KS 66211  Direct: (913) 234-1020  Email:
  3. 3. About CBIZ and Mayer Hoffman McCann P.C. With offices in major cities throughout the United States, CBIZ is one of the nations leading providers of outsourced business services, including accounting and tax, internal audit, risk management, and a wide range of consulting services. CBIZ is strategically associated with Mayer Hoffman McCann P.C. (MHM). MHM is an independent public accounting firm with more than 280 shareholders in more than 35 offices. MHM specializes in attest services for mid-market and growing businesses, with a specialty practice devoted to financial institutions. Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top accounting providers in the country.
  4. 4. Learning Objectives • Understand regulatory compliance issues • Learn exactly what social engineering is and the various types used. • Understand how to identify a social engineering attack. • Gain insight on methods to deter or mitigate social engineering risk.
  6. 6. • Security awareness reflects an organization’s mindset or attitude toward protecting the physical and intellectual assets of an organization. This attitude guides the approach used to protect those assets. In general, the approach is referred to as a security awareness program. What is security awareness?
  7. 7. • What elements reflect the overall strength of an organization’s security culture? – What causes a security awareness program to fail? – What comprises a successful security awareness program? • Even the best technical security efforts will fail if the organization has a weak security culture. Security awareness success
  8. 8. 1) Not understanding what security awareness really is. – Major difference between security awareness and security training. • Watching an online video about security awareness is training. – The primary goal of security awareness is to change behavior. 2) Reliance on checking the box. – Satisfying compliance standards equate to strong security awareness or even that security exists. • Merely prove the minimum standards have been met. • Standards are vague and difficult to measure. – EXAMPLE: “A security awareness program must be in place.” Why do security awareness programs fail?
  9. 9. 3) Failing to acknowledge that security awareness is a unique discipline. – Who is responsible for the function? – Does the person have the knowledge, skills, and abilities? – Does the person have soft skills such as strong communication and marketing ability? • Initial efforts to implement security awareness and to affect change over time require such skills. Why do security awareness programs fail?
  10. 10. 4) Lack of engaging and appropriate materials. – Annual computer-based training is not enough. – It is critical that multiple versions or styles of security awareness materials be implemented. • Ensure the materials are appropriate to the organization based on industry and employee demographics. • Younger employees respond better to blogs and twitter feeds while older employees prefer traditional materials like posters and newsletters. Why do security awareness programs fail?
  11. 11. 5) Not collecting metrics. – Without metrics, there is no way to determine if security awareness goals are being met. • Are we wasting money or providing value? • What is working and what is not? • Are our losses decreasing? – Collecting metrics on a regular basis allows for adjustments. – Measure the impact to the organization. Why do security awareness programs fail?
  12. 12. 5) Not collecting metrics (continued). – Example metrics include: • Number of people who fall victim to a phishing attack. • Number of employees who follow security policies. • Number of employees securing desk environment at end of day. • Number of employees using strong passwords. • Number of employees who follow and enforce policies for restricted access to facilities. • Who has or has not completed annual security awareness training. • Types of reinforcement training, who is it communicated to, and how often. Why do security awareness programs fail?
  13. 13. 6) Unreasonable expectations. – No security counter-measure will ever be successful at mitigating all incidents. 7) Relying upon a single training exercise. – Focusing on a single security weakness or threat approach when there are dozens leaves an organization open to attack to ignored approaches. Why do security awareness programs fail?
  14. 14. 1) C-suite support. – Awareness program support from executive management leads to more freedom, increased budgets, and support from other departments. – Obtaining strong support from top level management is first priority. • Consider materials designed specifically for executives—newsletters and brief articles that highlight relevant news and information. Keys to security awareness success
  15. 15. 2) Partnering with key departments. – Get other departments involved in the program that might provide additional resources toward program success. • Human resources, legal, compliance, marketing, etc. • Consider the needs of these other departments and incorporate into the overall security awareness approach. 3) Creativity – Small budgets for security awareness are common, however, creativity and enthusiasm can bridge the gap created by a small budget. Keys to security awareness success
  16. 16. 4) Metrics. – Prove the security awareness program effort is successful—utilize metrics. 5) Explanation and transparency. – Focus and how to accomplish specific actions through clear explanation. – Instead of telling people to not do certain things, explain how they can do certain things safely. Keys to security awareness success
  17. 17. 6) 90-day plans. – Many programs follow a one-year plan with one topic covered monthly. • Does not reinforce knowledge and does not permit feedback or consider ongoing events. – A 90-day plan is most effective as it permits re-evaluation of the program and its goals more regularly. • Focus on 3 topics simultaneously and reinforce during the 90 days. • Can be easily adjusted to address current and key issues. Keys to security awareness success
  18. 18. 7) Multimodal awareness materials – Utilize multiple forms of security awareness materials. • Newsletters • Blogs • Newsfeeds • Phishing simulation • Games – Participative approaches have the most long-term success. Keys to security awareness success
  19. 19. 8) Incentivized security awareness programs. – Develop “Incentivized Awareness Programs”. – Focus on creating a reward structure to incentivize people for exercising desired behaviors. – This technique switches the entire awareness paradigm by encouraging employees to elicit a natural and desired behavior rather than forcing them. Keys to security awareness success
  21. 21. • Attacker uses human interaction to obtain or compromise information. • Attacker may appear unassuming or respectable. – Pretend to be a new employee, repair man, utility provider, etc. – May even offer credentials. What is social engineering?
  22. 22. • By asking questions, the attacker may piece enough information together to infiltrate an organization’s network. – May attempt to get information from many sources. What is social engineering?
  23. 23. • Quid Pro Quo – Something for something. • Phishing – Fraudulently obtaining private information. • Baiting – Real world Trojan horse. • Pretexting – Invented scenario. • Diversion Theft – Lying and convincing others of a false truth—a con. Types of social engineering
  24. 24. • Something for something – Call random phone numbers at an organization claiming to be from technical support. – Eventually you will reach someone with a legitimate problem. – Grateful you called them, they will follow your instructions. – The attacker will “help” the user, but will really have the victim type commands that will allow the attacker to install malware. Quid Pro Quo
  25. 25. • Fraudulently obtaining private information – Send an email that looks like it came from a legitimate business. – Request verification of information and warn of some consequence if not provided. – Usually contains a link to a fraudulent web page that looks legitimate. • Example: Update login information to new HR portal. – User gives information to the social engineer/attacker. Phishing
  26. 26. • Spear phishing – Specific phishing that include your name or demographic info. • Vishing – Phone phishing—may be a voice system asking for call back. Phishing - continued
  27. 27. • Real example – Obtain email address of many employees in target organization including key individual targets like Controller, Staff Accountant, Executive Assistant, etc. – Develop website to “change password” or “setup new account” for a human resources vacation request system. • Actual organization website is “Western States Credit Union” • Link to attacker’s website is “Western States Credlt Union” – Email website link to obtained email addresses. Phishing - continued
  28. 28. • Real world Trojan horse – Uses physical media. – Relies on greed and/or the curiosity of the target/victim. – Attacker leaves a malware infected CD or USB thumb drive in an obvious location so that it is easily found. – Attacker uses an intriguing or curious label to gain interest. • Example: “Employee Salaries and Bonuses 2014” – Curious employee uses the media and unknowingly installs malware. Baiting
  29. 29. • Invented scenario – Involves prior research and a setup used to establish legitimacy. • Give information that a user would normally not divulge. – This technique is used to impersonate and imitate authority. • Uses prepared answers to a target’s questions. • Other useful information is gathered for future attacks. • Example: “VP of Facilities” visiting a branch. Pretexting
  30. 30. • Real example – Telecom provider Pretexting - continued
  31. 31. • Real example – Pose as a major telecom provider. – Props: • rented white van with magnetic logo • logo polo shirts and hats • business cards • work order • ID badge. – Enter credit union branch and ask to inspect the “roving telecom adapter” because they have been recalled. Pretexting - continued
  32. 32. – Illegal examples from an auditing perspective • Law enforcement • Fire • Military/government official Pretexting - continued
  33. 33. • Con – Persuade deliver person that delivery has been requested elsewhere. • When delivery is redirected, attacker persuades delivery driver to unload near a desired address. • Example: Attacker parks a “security vehicle” in bank parking lot. Target attempts to deposit money in night drop or ATM but is told by attacker that it is out of order. Target then gives money to attacker for deposit and safekeeping. Diversion Theft
  34. 34. • Scavenging key bits of information from many documents put out in the trash. – Literally involves getting in a dumpster during off-peak hours and looking for information. – Janitorial crews could be involved. Are they bonded? • Document shredders are not always the answer – Vertical cut, cross cut, micro cut, and security cut. Dumpster diving
  35. 35. • Training – User awareness • User knows that giving out certain information is bad. • Policies – Employees are not allowed to divulge information. • Every organization must decide what information is sensitive and should not be shared. – Prevents employees from being socially pressured or tricked. – Polices MUST be enforced to be effective. How to prevent social engineering?
  36. 36. • Password management • Physical security • Network defenses may only repel attacks – Virus protection – Email attachment scanning – Firewalls, etc. • Security must be tested periodically. How to prevent social engineering?
  37. 37. • Third-party testing – Hire a third-party to attempt to attack targeted areas of the organization. – Have the third-party attempt to acquire information from employees using social engineering techniques. – Learning tool for the organization—not a punishment for employees. How to prevent social engineering?
  38. 38. • What is the overall risk appetite and risk tolerance levels of the audit/supervisory committee? – Board of Directors? – Executive management? • Do those charged with governance value testing the security of information through social engineering? – Are they afraid of what the results might reflect? • Social engineering testing may need to be “sold” for testing to have any value. – Consider elements of a security awareness program. Social engineering as an internal audit unit
  39. 39. • Risk assessment – Identify types of social engineering that may be most applicable to the organization. What are the weaknesses? – What types of attacks is management most concerned about? • Pretexting planning – What is the goal? – Identify the roles to be used and draft the pretexting script. • Who are we going to be? • What are we going to say? – Signed letter from executive management the social engineering testing. • “Get out of jail free” card. Social engineering as an internal audit unit
  40. 40. • Example authorization letter January 31, 2014 To whom it may concern, The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this security review the internal audit department may perform any of the following procedures during the following time period: February 16, 2014 through February 28, 2014. 1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours. 2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as testing evidence. 3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of social engineering which may include:  Internal audit personnel disguise themselves as employees of XYZ and/or vendors.  Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the willingness of XYZ employees to disseminate confidential information about the credit union. 4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact immediately after the testing for XYZ has concluded. If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the following individuals immediately. All authority granted by this letter expires promptly at 11:59PM on February 28, 2014. Social engineering as an internal audit unit
  41. 41. • Phishing planning – What is the goal? – What is the setup? • Document: – Test scenario (e.g. spear phishing to install malware) – Inherent risks to the scenario (e.g. embedded links in emails) – Character (e.g. Human Resources department of XYZ Credit Union) Social engineering as an internal audit unit
  42. 42. • Example phishing email Subject: Vacation Policy Attention, An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR portal. Please let us know if you have any questions with the changes made to the vacation policy. Regards, XYZ Credit Union HR HR@xyzcucom Social engineering as an internal audit unit
  43. 43. • Reporting on social engineering test results – Be as detailed as possible when describing the scenarios/scripts and the results. – Do not implicate a single person—social engineering testing is a learning tool, not a punishment. • How this is handled may cause internal audit to be viewed poorly within the organization. – Consider a grading scale. • Many audit reports report findings as pass/fail. Social engineering results may be partly pass and partly fail. – Example: Allowed into telecom closet, but not behind the teller line. • Use a letter grading system for social engineering. – Clearly define what each aspect of the grading scale means. Social engineering as an internal audit unit
  44. 44. • Real example of a pretexting report finding. Condition On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division” who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script. At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that location at times. At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that person followed procedure and ultimately ended our test and did not grant us access. Social engineering as an internal audit unit
  45. 45. • No matter how robust an organization’s: – Firewalls – Intrusion detection systems – Anti-virus/malware software – Other technological and physical safeguards • The human is always the weakest link when dealing with security and protecting valuable information. • Knowledge is power. – People sometimes want others to “know what they know” to demonstrate importance. Weakest Link?
  46. 46. • Good habits drive security culture and there are no technologies that will ever make up for poor security culture. • Social engineering audit is one method commonly used to assess the condition of the overall security culture. Key take away
  47. 47. Questions?