Listen to this article
Holding a security door open for someone laden with cups of coffee or a big stack of documents may seem the polite thing to do. But you may have fallen for a classic trick deployed by hackers.
The person might have been smartly dressed and looked legitimate, but that is a key part of the deception of “social engineering”, which uses simple, everyday situations to deceive individuals into giving out physicial or technical access to facilities that can be a mine of valuable information.
Whether getting into a building, eliciting a password over the telephone or persuading a phishing victim to e-mail their banking details, “social engineering” is responsible for more than half of security breaches, and some estimates claim the proportion is as high as 90 per cent.
Deploying a powerful firewall or maintaining up-to-date software patches on thousands of desktop machines is easy compared with raising employees’ awareness of their own risky behaviour.
Last year, for example, three call centre staff at Mphasis, an Indian outsourcer, tricked several Citibank customers into revealing their Pin numbers and then stole hundreds of thousands of dollars, in an incident that rocked the outsourcing industry.
Bob Blakley, chief scientist for security and privacy at IBM’s Tivoli division, says it is partly because there is no “standard set of social behaviours” for tasks such as resetting a password over the phone, so many people are easily persuaded to go along with risky procedures.
The problem is worsening, as hacking attempts and malware are increasingly used by organised criminals, rather than fame-hungry or curious geeks.
Despite a consensus that it is always people who are the weakest point in any security system, workplace prevention tactics are often neglected or relegated to a set of acceptable use policies that are largely ignored by staff.
By contrast, meticulous and detailed documents on the dishonest use of “social engineering” techniques are easily available on the internet.
One such document details a vast number of techniques, ranging from “dumpster diving” to shoulder surfing – looking over someone’s shoulder as they key in a password or Pin – to “conformity”: for example, telling the target that everyone else has given out their password over the phone.
Appealing to people’s better nature by phoning up and pretending to be an out-of-town colleague who urgently needs to access the network is another.
In spite of all the experimentation and refinement of techniques to persuade and confuse potential “social engineering” targets, the security industry’s response is almost exclusively focused on technology rather than psychology.
What can be done about it? The first thing is to take a wider view of security, says Jan Babiak, Head of Information Security at Ernst & Young.
“For example in certain countries, you have a very good chance of kidnapping senior executives. The physical security [team] take enormous precautions, but the IT people might have left something like a calender somewhere where it’s easy to hack into.”
Cisco, meanwhile, urges executives to create a “top-down” culture of security awareness instead of palming off all security to a separate team.
Dave Shackleford, the director of security solutions and assessment services at Vigilar, a US security consultancy, says that executives are often the softest target for “social engineering” experiments. They tend to think they are “above the law” and have access to high level information. They are also used to associating with other top-level people, says Shackleford, so their trust levels are higher.
Mr Shackleford frequently puts clients’ security defences to the test by, for example, photographing staff IDs with a telephoto lens to copy them. No attempted physical test undertaken by Vigilar has failed, he says.
Mr Shackleford says companies need policies in place: “If they don’t have explicit policies laid out for their employees, then they may not know any better.”
Vigilar’s clients act on the information gleaned from the tests in different ways, but punishing employees who fell for a “social engineering” trick is not usually one of them.
“It’s human nature to be helpful,” says Mr Shackleford. Instead, they tend to respond by improving training and awareness procedures.
Some of Mr Shackleford’s techniques are frighteningly simple: “Just phoning someone’s extension can reveal if they are out of town, for example, and for how long.”
Robert Chapman, chief executive of The Training Camp, which runs security awareness courses for non-IT staff, says: “All the talk and all the money really is on technology. People in a sense brag about how much they spent on their Cisco firewalls.” But they overlook the obvious weaknesses.
His company recently ran the well-publicised “CD test” in London in which 100 CDs were handed out to workers in the City, promising a free Valentine’s Day gift if they installed it. Once installed the CD reported back to Chapman; he says the majority of recipients did so.
Bruce Schneier, the cryptographer who also works as a security consultant, is not so sure.
He believes technical security must take into account behaviours, but does not believe “social engineering” can be adequately guarded against by training: “Have you ever met a user?” he replies when asked about efforts to improve staff awareness.
Technology, Mr Schneier says, must be more tailored to each user’s needs and risk levels. Does a typical office worker, for example, need to have access to a USB port or even a CD drive?
“This is not just a ‘get some guys on and solve it’ problem,” says Schneier. “It’s like murder, burglary – all of these things, they’ve been around for ever.”