Redspin Security Management Advisory
Volume 15 | September 2009
The Classic Con Game Updated for the Internet Age
Social engineering is a security term used to describe the manipulation of people to get information, data or system access.
Hackers can spend hours and hours trying to figure out a way into a company's computer network — or, in minutes, trick employees into giving up their logon information. For some hackers, firewalls are hard, but people are soft.
Employees are great; they're helpful both to their customers and to their IT department. Everyone wants to be on the good side of their IT department — otherwise you end up with the Commodore computer running MS-DOS and having to hand-deliver your email.
Unfortunately, nobody loves employees more than hackers.
Redspin's Audit Process
As part of Redspin's audit process, we've run a number of social engineering tests for a great variety of companies. For our typical email test, we spoof the IT department's email address and send employees a link to a fake web page for a web-based email system, which asks for the user's logon information.
Ninety-four percent of the companies we've audited have failed our email social engineering test, with nearly a quarter of all employees clicking on the link. One employee wrote back to us (thinking we were his IT department),
"You ROCK!!!! I've been wanting web mail forever!!!"
One company had a failure rate greater than 100%; the employees were so helpful that they forwarded the spoofed emails to colleagues.
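The email test above has a recognisable shape: a message whose From address claims to be the company's own IT department, but whose "webmail" link sends staff to a host outside the company. The following Python script is an added example (not Redspin's or Jetmetric's code) of a mail-gateway style check for exactly that pattern. It parses two constructed messages, the spoofed one and a legitimate counterpart, and the domain `example-corp.com`, the host names and the addresses are all assumed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: the From header claims the IT department, but the
# "new webmail" link points at a host outside the company's domains.
SPOOFED_MESSAGE = """\
From: "IT Department" <it-support@example-corp.com>
To: employee@example-corp.com
Subject: Mandatory: sign up for our new Webmail service
Content-Type: text/plain; charset=us-ascii

It's mandatory that all employees sign up for our new Webmail service.
Log on here with your usual credentials: http://webmail-example-corp.example.net/login
"""

# Constructed legitimate counterpart: same sender, link stays on the company domain.
LEGIT_MESSAGE = """\
From: "IT Department" <it-support@example-corp.com>
To: employee@example-corp.com
Subject: Webmail maintenance window
Content-Type: text/plain; charset=us-ascii

Webmail will be unavailable Saturday 02:00-04:00. See https://webmail.example-corp.com/status
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _host_is_internal(host, internal_domains):
    """True if host is one of the internal domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in internal_domains)


def extract_links(msg):
    """Collect every http(s) URL from all text parts of a parsed message."""
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        links.extend(URL_RE.findall(payload.decode(charset, errors="replace")))
    return links


def check_internal_sender_links(raw_message, internal_domains):
    """Report mail that claims an internal sender yet links to external hosts.

    A message from an internal address is expected to send staff only to
    internal hosts; an internal sender plus an external link is the pattern
    of the spoofed "new webmail" test, so it is marked suspicious.
    """
    internal_domains = [d.lower() for d in internal_domains]
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    claims_internal = _host_is_internal(from_domain, internal_domains)
    external = []
    for url in extract_links(msg):
        host = urlparse(url).hostname or ""
        if not _host_is_internal(host, internal_domains):
            external.append(url)
    return {
        "from_domain": from_domain,
        "claims_internal_sender": claims_internal,
        "external_links": external,
        "suspicious": claims_internal and bool(external),
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGIT_MESSAGE)):
        print(label, check_internal_sender_links(raw, ["example-corp.com"]))
```

The check deliberately does not try to decide whether the From header itself is forged; it only asks whether a message presenting itself as internal is steering readers off the company's own hosts, which is the cue an employee is being asked to notice. A gateway rule of this kind complements, rather than replaces, the policy and training the rest of this issue argues for.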
Thumb Drive Candy
Another test that Redspin performed involved thumb drives. "It's my favorite," says John Abraham, Redspin CEO. "We put out a candy dish filled with brightly colored thumb drives. Employees snapped them all up and promptly plugged them into their computers."
A simple little program launched when the drive was plugged in; had hackers designed it, it would have been malicious, but in this case it simply sent Redspin a notification. "If we were the bad guys, we would have owned that company's system. We still get hits from some of those thumb drives."
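The thumb-drive test works because a removable disk appears on a workstation with nobody in IT knowing about it. As an added example (not code from Redspin or Jetmetric), the Python script below shows the detection side: it scans kernel-log lines for USB mass storage attachments and reports any drive that is not on a list of company-approved vendor/product ids. The log lines are constructed in Linux dmesg/syslog style; the host name `ws-17`, the bus addresses and the vendor/product ids are assumed for the illustration.

```python
import re

# Constructed sample log (dmesg/syslog style). One thumb drive on bus 1-3 and
# one keyboard on bus 2-1; only the thumb drive is a mass storage device.
SAMPLE_LOG = """\
Sep 14 09:14:02 ws-17 kernel: usb 1-3: new high-speed USB device number 4 using ehci_hcd
Sep 14 09:14:02 ws-17 kernel: usb 1-3: New USB device found, idVendor=0781, idProduct=5567
Sep 14 09:14:02 ws-17 kernel: usb 1-3: Product: Cruzer Blade
Sep 14 09:14:02 ws-17 kernel: usb-storage 1-3:1.0: USB Mass Storage device detected
Sep 14 09:14:03 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Sep 14 09:20:41 ws-17 kernel: usb 2-1: New USB device found, idVendor=046d, idProduct=c31c
Sep 14 09:20:41 ws-17 kernel: usb 2-1: Product: USB Keyboard
"""

PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
NEW_DEVICE_RE = re.compile(
    PREFIX + r"usb (?P<bus>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
PRODUCT_RE = re.compile(PREFIX + r"usb (?P<bus>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(
    PREFIX + r"usb-storage (?P<bus>[\d.-]+):\d+\.\d+: USB Mass Storage device detected"
)


def find_mass_storage_insertions(log_text, approved=frozenset()):
    """Return one event per USB mass storage attachment seen in the log.

    Device identity lines and the usb-storage line share a bus address, so the
    function collects vendor/product/name per (host, bus) and emits an event
    when the mass storage line for that bus arrives. `approved` is a set of
    (idVendor, idProduct) pairs the company has issued, e.g. encrypted drives.
    """
    devices = {}
    events = []
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            devices[(m["host"], m["bus"])] = {
                "host": m["host"], "bus": m["bus"], "first_seen": m["ts"],
                "vendor_id": m["vid"], "product_id": m["pid"], "product": None,
            }
            continue
        m = PRODUCT_RE.match(line)
        if m and (m["host"], m["bus"]) in devices:
            devices[(m["host"], m["bus"])]["product"] = m["name"].strip()
            continue
        m = STORAGE_RE.match(line)
        if m:
            # A storage interface without a preceding identity line still counts.
            dev = devices.get((m["host"], m["bus"]), {
                "host": m["host"], "bus": m["bus"], "first_seen": m["ts"],
                "vendor_id": None, "product_id": None, "product": None,
            })
            dev = dict(dev, storage_seen=m["ts"],
                       approved=(dev["vendor_id"], dev["product_id"]) in approved)
            events.append(dev)
    return events


if __name__ == "__main__":
    for event in find_mass_storage_insertions(SAMPLE_LOG):
        flag = "approved" if event["approved"] else "UNAPPROVED"
        print(f'{event["host"]} {event["storage_seen"]} {flag} '
              f'{event["vendor_id"]}:{event["product_id"]} {event["product"]}')
```

Bus addresses are reused over time, so a production version should key on each "new USB device" line rather than on a long-running table, and should pair the alert with a policy decision (block, notify the user, or just record) rather than silently logging it; the point of the candy-dish test is that nobody noticed.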
Implement a Solid Security Policy and Employee Education
The strongest protection that any company can use to prevent these attacks is a solid security policy and employee education. But how can the typical IT manager make sure that the company's employees are actually following the security policy they spent three months crafting?
One of the tools that Redspin uses is a new automated social engineering tool from its spin-off company Jetmetric: SocialPET (Policy Evaluation Tool).
SocialPET is an automated email spoofing tool with easy-to-use drop-down menus. Users can customize an outgoing message ("It's mandatory that all employees sign up for our new Webmail service..."), and there are a number of web page facades to choose from, depending on the email system or programs employed by the company.
For obvious reasons, SocialPET only spoofs domains that Jetmetric has validated are owned by their subscribers.
"We see the tool as having two functions," says Brian Hayes, Jetmetric CTO. "First, it lets you know whether or not your employees understand some basics about their security policy. Second — and really, this is why I love this thing — it's a great educational tool. After employees click through just one time, success rates shoot way up on subsequent tests. It's so much better to learn about phishing and social engineering this way than when it really counts."
Helpful employees are great; well informed, well trained employees are even better.
For further information and a free trial of SocialPET, please visit: