What was your organization’s top security concern in 2016? And what will it be in 2017?
If your company is like most, breaches that lead to compromised data is at the top of the list. Sure, continuity issues are always a concern, but nothing makes us quake in our boots quite like a breach. Breaches have been at the top of CIO’s list of security concerns for years. And in Wired’s article on the biggest security threats of 2016, four of the top five concerns were related to compromised data and unauthorized access.
Security experts know that as long as there is someone out there with access to a computer and malicious intent, breaches will be a top concern for companies.
Of course, this isn’t earth-shattering information. It’s the reason that companies spend time and resources on both user-awareness training and penetration testing.
Your pen tests check for vulnerabilities in your network, your systems, even your internally developed software before it’s deployed. And your IT security group works to proactively plug those holes before they are discovered by the outside world.
At the same time, user-awareness testing does just that – makes your organization’s users aware of threats that they might encounter and the importance of diligence. Securing physical information is usually part of training, but most of it is centered on countering social-engineering tactics and phishing schemes.
And with good reason. Studies show that an average large company will spend $3.7 million annually to combat and correct phishing attacks. But is that training actually working? Or is it working only some of the time, or with only some of the staff? How can you tell?
Just like with your networks and systems, you should consider penetration testing your human network as well. And while there are companies that will execute social-engineering pen tests for you, you might want to start by testing the low-hanging fruit yourself.
Vulnerabilities to test
You might not have the resources and time to do sophisticated and thorough social-engineering pen testing, but you can hit the big ones with a minimal of time and effort, and these three will give you the biggest bang for your buck.
Several of these are discussed in our article Social Engineering: Why Humans are the Greatest Threat as being some of the most common means of social engineering. That’s a good reason to start with these. By ensuring that your training is addressing the most common threats effectively, you know that you can move on to building awareness around less common, but nastier, tactics.
Phishing and spear phishing
Phishing is one of the biggest threats your organization faces, if only from a volume standpoint. Phishing.org estimates that half of the Internet gets at least one phishing email a day. Setting up to test for phishing within your organization might take a little more effort than some of the other scenarios, but because of the volume it’s worth the extra time to make sure your organization is vigilant and aware of the dangers.
There are two types of phishing exploits that could be added to your human network pen-testing schedule. The first is a general attack, one that is foisted on a broad range of people within your company. Here's what you do: You send an email with a message that is aimed at encouraging the receiver to click on a link to a webpage that your IT security team has set up. For ethical reasons, that webpage shouldn’t actually record any personal information. Instead, you simply want to count the number of people who clicked on the link so you can compare that to the number of recipients targeted.
The second test addresses spear phishing. These are highly targeted attacks, where the goal of the exploit is to get information, not just access to a system. In spear phishing, the target receives an email that appears to be from someone they know, from a company they have done business with, or is from someone who references a supposed common acquaintance or other information that makes the attacker seem trustworthy.
Because this second attack type is more targeted than general phishing, this type of test needs to be highly planned and well thought out to mimic a real world scenario. For these reasons, you may want to hold off on this type of testing until you’ve had time to evaluate who the highest value targets would be in your organization and worked through the proper internal channels to gain all the approvals you’ll need.
Pretexting is a form of social engineering where an attacker lies to the target to gain sensitive information or even physical access to secure locations. The attacker may use a number of tactics to gain trust, bully, or create a sense of urgency and need with the target.
Your most likely attack vector in this case is a phone call, so you should concentrate your testing on that type of attack. While phone pretexting takes some talent, it can be easier to get someone on the phone with an outline of the scenario than to have them attempt to lie in person.
Much like the phishing test above, an ethical pretexting test shouldn’t attempt to get personal information, like Social Security numbers or corporate secrets. Instead, in a large company consider adding dummy accounts and seeing if you can get the password to that account changed, or information about the fictitious employee.
Baiting is an attack that lets humans be human. For baiting, some physical media such as a USB drive or CD-ROM, is delivered or left lying around at or near the office location. Curiosity, or sometimes even greed, may get the better of a user and they will pick up the abandoned media and attempt to use it.
Like the phishing test, this one requires some time and effort to prepare. Ideally you’ll set up the physical media with a payload that would let you know the machine that was used to review the media. Identifying the machine will be important, as you’ll want to “clean up” the test afterward and make sure that you didn’t unintentionally leave a hole on the system.
Organizing your tests
It’s unlikely that all of these tests will be required immediately by your organization, especially if you’ve never tested social-engineering attacks before. Look closely at each scenario and see what specific policies or issues within your organization you’re trying to understand. For instance, as a forced example, if you didn’t have any physical locations that needed to be secured, there would be no reason to use a face-to-face pretexting test.
Once you’ve come up with a list of the social-engineering tests you think will be most effective, prioritize the list by biggest threat to your organization. You may not get the funding or approval to do everything you want immediately, so having this list handy for the next step will increase your chances of moving forward with the most critical of your proposed tests.
With your planned tests and your priorities in hand, it’s time to begin talking to your stakeholders. At this point I’d assume your CSO or security manager knows about your efforts, but now you need to give them the details. At that point, other stakeholders you’ll want to loop in are, minimally, leadership in HR and IT executives.
HR will need to be involved to ensure that the tests get their seal of approval and are all on the up and up. IT executives should be in the know for two reasons — they will likely need to approve the tests, and they can provide air cover if one of the tests uncovers significant issues. Obviously, because of the sensitive nature of the testing, you’ll want the circle of trust to be tight. But without the support of the right people in your organization, you might be stepping into a minefield.
So you’ve planned your tests, you’ve gotten buy-in and you’ve gotten your results. What’s next?
Resist the urge to immediately blame the end users. A test with poor results may require a little soul searching on the part of the IT security and training groups. Any widespread holes indicate a need for better and more effective education.
Review your training materials that cover the subjects that had problems during testing. Then ask yourself — are the materials clear enough? Does everyone understand the risks? Have you made the impacts of a breach something that they understand, personally?
Plan out your strategy for updating the training materials and schedule the next set of awareness training. Reviewing the materials, updating them, and editing them and administering the training will take time. Once that process is complete — test again. Compare your results. And keep improving.
When you pen test systems and networks, you don’t do it once then stop. Because an organization’s systems are constantly in a state of flux, with new software installs, system upgrades, and network changes, you test on a regular basis to make sure none of the changes created a new hole.
The same is true for testing your human network. New employees are added; people are given different levels of access. And so, your social-engineering testing should repeat as well to ensure staff changes haven’t caused a change in your risk levels.
When you’re ready to start social-engineering pen testing, use the steps we’ve outlined here. Know the most common types of social engineering. Review your company and its policies to identify the biggest threats. Get support from the organization’s stakeholders. And then be sure to apply what you’ve learned from the test to improve training. Lastly, make sure that the employees all know how important they are in keeping company data safe and secure.
Photo credits: Freerange Stock