
are anti-SE courses the solution?

Networking/Security Forums -> Physical Security and Social Engineering
HAVOK
Just Arrived
Joined: 02 Dec 2005
Posts: 0
Location: Spain

Posted: Sat Dec 10, 2005 12:38 pm    Post subject: are anti-SE courses the solution?

Hello,

I work in a company where security is supposed to be *crucial*. There, most of the non-IT staff are coders/analysts who ignore absolutely everything about hacking, viruses, trojans, etc. Many of them don't even come from the computer science branch.

In an attempt to prevent Social Engineering attacks, last year there was a talk about hacking, where they were told what this is all about. However, it hardly worked.

Example: a few days ago, a guy in a high position was found to have a very nice collection of virii, mp3, etc. on his Windows machine. He needs special access to the internet to download some exe files. His reply? "I do not think having virii is a threat".

Most people, in my opinion, elude their responsibility. The IT staff blames the non-IT workmates for the success of SE attacks. The non-IT staff argues that security is not their work. In the end, there is a huge security hole, regardless of who is guilty.

Given that most pen-testing includes some sort of successful SE attack, I would like to know if this is a generalized problem or not. If so, who is responsible for educating people?

Do you also organize anti-SE training courses? Do they succeed?
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Sun Dec 11, 2005 12:35 am

Making people aware of the dangers of SE is ALWAYS a good thing.
When it comes to security, people are the weakest link, and this type of security is everyone's responsibility!

Just make sure when you start teaching people about it you do it in a nice and challenging way, otherwise people tend to forget it almost immediately.
AZOR
Just Arrived
Joined: 25 Jun 2006
Posts: 0
Location: Czech Republic

Posted: Sun Jun 25, 2006 9:39 pm    Post subject: ?

Who knows?
But the first and last thing you can do against SE is prevention.
Here prevention is only 2 messages:

1) Do not believe!
2) Your admin will never ask you for your password
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Mon Jun 26, 2006 7:17 am

Hi Azor, and welcome to the board.
Your advice would be nice in a perfect world, but unfortunately in practice this won't work.
Think of helpdesks and receptionists, they are a high target for Social Engineering since they often help people.
It is impossible for them to "not believe" since it's part of their job description to help people.
Example:
I legitimately give the helpdesk a call to reset my password since I have forgotten it.
The helpdesk now has 3 choices:
1. They reset my password, no questions asked.
2. They don't believe me.
3. They ask some verification questions, and if they are convinced that I'm legit, they will help me.
Otherwise they will report it to a security person at the department.

Case 1: An attacker could call as well asking to reset my password.
Case 2: I'm pissed since I have to finish the presentation, so I give my manager a call.
If this happens a lot then eventually the helpdesk will be told to reset every password, no questions asked.
Case 3: This is what social engineering training is about.
Make people aware of the risks and make sure they ask enough questions to be confident it is a legit call.
Policies can be created within a company for the type of questions that must be answered.

Examples could be:
1: staff ID number
2: the name of the person's manager
3: a predefined password reset question
4: the name of the person's department and his internal phone number

Of course the above examples are highly dependent on the environment the person is working in.
In some companies the above info is freely available to everyone within the company (except the predefined password question), so you must change your questions depending on the data that only the caller should know.

As you can see, social engineering prevention isn't static knowledge; you must make people aware of the dangers since they have to think for themselves to prevent attackers from retrieving important data.
M3DU54
Trusted SF Member
Joined: 11 May 2002
Posts: 1
Location: Las Palmas de Gran Canaria

Posted: Wed Jul 26, 2006 11:57 am

During the early stages of the cold war it was discovered that people cannot always be relied upon to do what is expected of them, regardless of training and tight psychological screens for suitable personnel.

The solution was to perform a complete "launch" regularly with dummy codes that were indistinguishable from valid ones. They did this both during peacetime and with increased regularity during times of friction... since the launch personnel never knew if it wasn't real, some inevitably failed to complete and were thus removed long before they would ever be required.

What does this have to do with SE awareness ?

Well, why not SE your own operators? It will allow you to identify those who require retraining. Of course, the main objection is that it may demoralise staff based upon a perception that the company is trying to trick them - so? Turn it into a fun and rewarding game.


Announce that there will be two 'mystery callers' per day who may strike anywhere within the organisation. Preventing the mystery caller from succeeding gets you some form of reward... perhaps you get to go home an hour early... perhaps preventing all of your mystery calls in a quarter earns you bonus holiday entitlements.

Alternatively, make it team based... The team that prevents the most mystery calls in a month (After deducting 2x the number of failures) gets a reward.

Perhaps when senior staff or team managers fail a mystery call they are required to work at the lower positions in the company for a morning... perhaps answering customer enquiries on the leading teams desk. This is always fun and does boost morale.


Just set the appropriate rules and publish the successes either via email or on a mystery caller noticeboard. Try to air the successes as much as possible whilst keeping failure of individual operators to personal review. This should keep morale up and threat awareness high. These tests should be made at every level from the janitor to the senior management staff to avoid giving the game a 'them and us' feel.


Also, if your company is actively contracting then the statistics compiled from these mystery calls can be used in promotional pitches.

The only way you will ever be sure that your organisation is performing well in this regard is to make ongoing tests. Done right this can be a great way to build teamwork, lightly embarrass more senior staff (a great morale builder) and have a little fun along the way. Before long your operators will be actively aware of policy-breaching requests.

-Meds
AZOR
Just Arrived
Joined: 25 Jun 2006
Posts: 0
Location: Czech Republic

Posted: Fri Jul 28, 2006 7:21 pm

lepricaun wrote:
Hi Azor, and welcome to the board.
Your advice would be nice in a perfect world, but unfortunately in practice this won't work.
Think of helpdesks and receptionists, they are a high target for Social Engineering since they often help people.
It is impossible for them to "not believe" since it's part of their job description to help people.
Example:
I legitimately give the helpdesk a call to reset my password since I have forgotten it.
The helpdesk now has 3 choices:
1. They reset my password, no questions asked.
2. They don't believe me.
3. They ask some verification questions, and if they are convinced that I'm legit, they will help me.
Otherwise they will report it to a security person at the department.

Case 1: An attacker could call as well asking to reset my password.
Case 2: I'm pissed since I have to finish the presentation, so I give my manager a call.
If this happens a lot then eventually the helpdesk will be told to reset every password, no questions asked.
Case 3: This is what social engineering training is about.
Make people aware of the risks and make sure they ask enough questions to be confident it is a legit call.
Policies can be created within a company for the type of questions that must be answered.

Examples could be:
1: staff ID number
2: the name of the person's manager
3: a predefined password reset question
4: the name of the person's department and his internal phone number

Of course the above examples are highly dependent on the environment the person is working in.
In some companies the above info is freely available to everyone within the company (except the predefined password question), so you must change your questions depending on the data that only the caller should know.

As you can see, social engineering prevention isn't static knowledge; you must make people aware of the dangers since they have to think for themselves to prevent attackers from retrieving important data.


Hi!
Thx, nice to be invited.
But your post is really long and hard for my English.

I think the company should have/has internal rulez and personnel must know all about "security in company" and
people who can know all information.

Password reset is really bad for security, people usually have questions such as: my driver licence, favourite colour.

My typical question for password reset is:
My favourite colour?
And the answer is: Elephant23K (only example)
White Scorpion
Just Arrived
Joined: 19 Sep 2003
Posts: 5
Location: The Netherlands

Posted: Thu Aug 03, 2006 11:12 am

Quote:
My typical question for password reset is:
My favourite colour?
And the answer is: Elephant23K (only example)

Of course this brings dangers with it as well.
- What if the user forgets the secret answer?
- In a large company (500+ employees) the helpdesk can surely not remember all the secret answers, so they must store them somewhere. The location of this data can be compromised as well, making all other security useless since people will rely on the answer and on the answer alone.
Personally knowing every employee would be the best way for this, since you can recognize the employee's voice and from there on you can judge if the person is legit.

In large companies you could set up a sort of structure: employee 10 knows employees 1-9 and the helpdesk, so employee 10 gives the helpdesk a call when any of the 1-10 employees needs to have their password reset.
This way you can make it a workable situation in which the helpdesk doesn't necessarily have to know any employee, but just some key figures.

But even though this is related to the subject, it's a bit too detailed imo. Take a look at the books that Kevin Mitnick wrote, they are quite nice to learn more about SE.
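One way to take the sting out of the storage problem raised above (the helpdesk must keep the secret answers somewhere, and that store can be compromised), as an added Python example that is not from this thread or any poster: the answers to the verification questions from the earlier post are kept only as salted PBKDF2 hashes and checked all together, so a leaked record does not hand over the plain answers and any miss is routed to escalation (Case 3) rather than a reset. The question names, the enrolled answers and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed assumption: the three reset questions proposed in the thread.
QUESTIONS = ("staff id number", "name of your manager", "predefined reset question")
ITERATIONS = 100_000  # assumed PBKDF2 work factor; raise for production use


def _normalize(answer):
    """Tolerate case and spacing differences the caller cannot control."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def _digest(answer, salt):
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode("utf-8"), salt, ITERATIONS)


def enroll(answers):
    """Keep only (salt, hash) per question; the plain answers are discarded,
    so a leaked helpdesk record does not contain the answers themselves."""
    record = {}
    for question in QUESTIONS:
        salt = os.urandom(16)
        record[question] = (salt, _digest(answers[question], salt))
    return record


def verify_caller(record, given):
    """Return 'reset' only when every enrolled question matches, else 'escalate'
    (report to a security person, Case 3). Every question is checked with no
    early exit and a constant-time compare, so the outcome does not reveal
    which answer was wrong."""
    ok = True
    for question, (salt, expected) in record.items():
        ok &= hmac.compare_digest(_digest(given.get(question, ""), salt), expected)
    return "reset" if ok else "escalate"


# Constructed enrolment using the non-obvious "Elephant23K" style answer from the thread.
ENROLLED = enroll({
    "staff id number": "A-4471",
    "name of your manager": "Jane Doe",
    "predefined reset question": "Elephant23K",
})
```

A helpdesk tool built on this never shows the stored answers to the operator; it only reports "reset" or "escalate" for the caller's whole set of answers.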