Hacking the human
Any IT security can be circumvented by hackers who target the human factor - but risk can be minimised
Information security is about people as much as procedures. Research into the methods used by hardened hackers to compromise IT systems indicates that the human factor is crucial to the success of most attacks. In many cases attackers do not need to find technical vulnerabilities: hacking the human is sufficient.
This flaw has been understood for a long time. So why is this critical area of information security neglected by most organisations? There are two primary reasons.
First, the 'business' of information security is dominated by IT security hardware and software vendors. While vendor products have their place as part of a technological provisioning strategy, they do not address the greatest weakness - the employees.
Second, most information security improvements concentrate on technical counter-measures because they are relatively easy to implement. This is not to trivialise the technical challenges in IT security, only to suggest that - with the appropriate technical skills, the supporting management systems, and the right technology - technical problems can be solved.
Humans, meanwhile, are much more complex, less well-understood, and present a bigger challenge in addressing their security vulnerabilities. However, as technologists come to grasp the nature of technological security, so the market is progressing toward a better understanding of making humans more secure.
As we make access to information - and tools to communicate it - more freely available within organisations, the opportunities to trick someone into releasing that information, beyond the boundaries intended, are becoming much easier. In many cases a few mouse clicks can direct confidential information straight from the user to the attacker via an email.
In the first instance it is helpful to pose some fundamental questions. Who is responsible for this crucial aspect of information security? In most organisations there are members of staff with responsibility for IT security (firewalls, intrusion detection, anti-virus and so on), and other colleagues with responsibility for physical security (such as doors, windows, access and CCTV). Quite who should be thinking about the human element of security, is less well defined - if it is defined at all.
To maximise impact, an attacker will seek to gain the access credentials of a user. With more pervasive remote access, this can be a direct route to the corporate network. Using social engineering techniques, simply asking for the information often gains results. Sometimes the simplest of techniques work best, and savvy attackers know this.
That said, there are various psychological techniques that can be deployed to improve an attacker's chances of success. Imagine you are the attacker: if you wade in, saying, 'will you tell me your password', you will probably have limited success. However, you can make the user believe you might be allowed to know their password - perhaps you are calling from the IT department?
How many staff in other departments know all of their IT department colleagues by name? And how many would be minded to challenge a caller whose name they do not recognise? (This is another good argument for IT personnel being more 'visible' to the colleague they support.)
A proven technique is to develop a strategy of multiple contacts to develop trust and rapport. Over a short period of time, people tend to believe they know you, even if all the information they have received to 'prove' your identity has come from you alone.
Sleight of tongue
Another well-established technique for winkling out access keywords is to conversationally ask multiple questions, with the crucial 'information-gathering' question hidden in the middle. We are conditioned to answer questions; once in the flow it is much easier to answer a question than to challenge the validity of a specific request.
From a technical IT security perspective, usually we base our security efforts on understanding where vulnerabilities exist, and how to develop strategies to remove them, or build layers of protection around them. People can be secured in the same way.
To identify specific improvements to your security it is vital that you can assess human vulnerabilities in a similarly methodical way. Without this systematic approach security strategists can end up wasting investment in areas that are relatively unimportant to their overall protection.
If IT professionals understand the threats that their organisation faces, and identify specific human vulnerabilities, then immediate improvements that will have maximum benefit can be targeted. The aim is to combine examination of specific environments with a greater understanding of human behaviour, and their interaction with security systems.
So what are some of the riskiest human vulnerabilities that relate to information security exploited by a malevolent social engineer?
- Following instructions The majority of people have been conditioned to follow instructions all their lives. We comply with many more instructions than we ever question or challenge. Compliance is our natural instinct.
- Ignorance People are more likely to comply with an instruction if they feel relatively unsure about the situation they are in. IT systems make the majority of users feel this way. If they feel the person giving the instructions is an 'expert', people are more likely to comply. This inroad is broadened if an individual happens to feel their may have been lax in getting down to understanding operational instructions or procedures.
- Desire to be liked 'But she was so nice,' explains the victim of a hack attack. A few contacts from a 'nice' person, and many targets believe they have made a new buddy, a friend that they are more than willing to share information with. (Suscept-ibilities between genders may also play a part here.)
- Being helpful Although you might feel otherwise, IT helpdesks are trained to be helpful. As this is usually combined with the ability to change passwords, it makes them a useful target.
- Gullibility A tendency to get caught up in the gains on offer helps an attacker. For example, people do continue to respond to frauds involving telling them they have won a lottery that they never even entered. The size of the offer is proportional to the gullibility it induces in the victim.
Methodologies for testing an organisation's social engineering vulnerabilities range from smart thinking to basic common sense. The exact details of the methodology deployed should be matched to specific requirements, but the following outline shows some common elements:
- Public information gathering Many organisations are surprised to learn how much of their information useful to a hacker is already in the public domain. This may come from suppliers or partners, and even customers (in blogs, say). Another useful source is the Internet postings your employ-ees make, leaking information that, when collated, can be very interesting to an attacker.
- People information gathering Further investigation can begin to uncover useful information about your employees. Temporary employment availability and information about employee activities outside of the work place can all be useful. Social networking sites also can assist hackers in their prep.
- Target selection Depending upon their role and/or observed behaviour, certain people can be selected. Following initial contact, targets can be profiled according to their usefulness to an attacker. During this process comes relationship-building that makes final exploitation much easier.
- Target exploitation At this stage some elements of technology could be introduced, depending upon the specification agreed with the client. A number of attack scenarios can be tested, combining human, technical and physical security.
- Reporting Risk analysis usually forms the basis of a full report to help address vulnerabilities. Compare tests with any alerts generated by the more aware employees. As with IT security penetration testing, it is useful to compare each test with what was detected, and who was alerted.
By testing current protection systems, you can understand where key vulnerabilities exist, and then look to address them.