
    Pretexting Demands an Audit of the Human Firewall

    The recent HP/AT&T debacle underscores the importance of protecting the enterprise from attack by social engineers. Firewalls, intrusion detection systems, and anti-virus software aren't always enough: include the human factor when securing corporate data.

    Trigger Point

    HP's involvement with a potentially illegal probe revealed a disturbing fact: it was far too easy for private investigators to obtain account access to the personal phone records of HP board members and reporters. The phone provider in this case is AT&T.

    The private investigators hired by HP allegedly used a tactic known as "pretexting" to obtain the desired records. The Federal Trade Commission (FTC) defines pretexting as "the practice of getting your personal information under false pretenses. Pretexters sell your information to people who may use it to get credit in your name, steal your assets, or to investigate or sue you. Pretexting is against the law."

    The Social Engineering Tie-In

    Pretexting is a form of Social Engineering (SE). SE encompasses a range of methods used to manipulate and deceive employees in order to gain sensitive or confidential information such as personal employee facts, names of important servers, customer data, and other sensitive material.

    In most cases of SE, perpetrators exploit human vulnerabilities by seeking the personal information of clients - or in the case of hospitals, patients - in order to commit identity theft. All an ID thief requires to fraudulently obtain credit cards in someone else's name is the full name, birth date, and social security number of the victim. Methods employed by pretexters and social engineers include:

    • Impersonating an employee or customer and pretending to have forgotten a password or login information.
    • Hampering help desk personnel's ability to make logical decisions by invoking fear, excitement, sympathy, or panic.
    • Posing as an authority figure to extract valuable information from company employees who are afraid or unable to confirm the legitimacy of that authority.
    • Building a fake Web site that requires users to register with a user name and password to access information, or provide information in exchange for a "grand prize." This works because many employees will use the same username and password for both personal and network purposes.
    • "War mumbling," which involves calling customer service representatives and mumbling or speaking in a thick accent when asked for ID authentication until the representative finally gives up the password information out of sheer frustration.
    • Gaining a help desk representative's trust through seemingly innocent conversations, and then sending an e-mail attachment with a backdoor exploit. If contacted in advance by the sender, users are more likely to open suspicious attachments.

    Some Industries More Concerned Than Others

    The following question was asked of Info-Tech client companies worldwide, as well as third-party US panelists who were designated as IT decision makers: please rate the importance your organization places on protection from targeted external attacks. "External attack" was defined as "experts penetrating corporate defenses with an objective." SE and pretexting fall under this definition.

    Figure 1. Importance Placed on Protecting Against External Attacks (Source: Info-Tech Research Group, 2006; Finance N=59, Communications N=34)

    On average, the finance industry rates such concerns much higher than the telecommunications industry. This is likely due to the fact that financial institutions are much more highly regulated than telecommunications providers with regard to data privacy and protection.

    Most disturbingly, a number of telecom providers ranked external attacks as "not important" (6%) or only "somewhat important" (9%). This is a serious mistake on the part of 15% of telecom providers, who view their assets in terms of the services they provide rather than focusing on the importance of customer privacy and data security.

    Recommendations

    1. Educate frontline staff about SE tactics. In many cases, employees will inadvertently share information through seemingly innocent conversations. By knowing the tactics that pretexters use, staff and help desk personnel will be better equipped to handle suspicious calls. Specifically at risk are receptionists, customer service representatives, and help desk staff.

    • Often employees will fall victim to a sense of personal invulnerability. No one thinks they will get scammed, so the best way to have users acknowledge their weakness is by hiring an expert and having them run SE ploys on staff.

    2. Issue PINs for customer access to personal records and accounts. Canadian wireless provider Telus forces its customers to select a Personal Identification Number (PIN) upon signing up for services. Every time a customer interacts with Telus, the first thing the customer service representative asks for is the customer's PIN. Without the PIN, access to the account is denied, along with any request for account information. This practice should be adopted by all telecoms and ISPs.

    • Advise customers to avoid using numerical sequences from their social security numbers, dates of birth, and so on for their PINs.

    3. Predefine what information is sensitive and private. Frontline customer service representatives and customers alike should not have to consider whether or not information is confidential - this should be predefined and managed for them. For example, create a policy that prohibits the creation of passwords based on easily accessible personal information and prevents password sharing. Info-Tech Advisor subscribers can use this Password Policy as a guideline. Internally, ensure that passwords are not written down, employees log off networked machines during lunch hour, and laptops containing sensitive materials are properly secured.

    4. Create a callback policy for questionable requests. Create a policy that requires help desk or customer service personnel to call back anyone requesting sensitive information. An individual who is not willing to provide a callback number - or who provides a callback number that does not match the phone number attached to the account - is a red flag. If a number is provided, the callback gives help desk and customer service staff time to assess the request and verify the authentication information before proceeding.

    • Customers must be made to recognize that the price of higher security is a more rigorous security process that may seem onerous when doing transactions, but will ultimately safeguard their own privacy.

    5. Maintain a centralized security log. Logs help pinpoint suspicious activity over time. Whenever an employee receives a suspicious call, or is asked to give out sensitive information or change a password, the incident should be logged. In this manner, if a social engineer is obtaining information from one employee and using it against an internal system, the activity can be traced. All users can then be warned of the attack and IT countermeasures can be initiated.
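    As an added example of the tracing that recommendation 5 makes possible (constructed here, not taken from any product's log format), the script below parses a small centralized security log and flags sensitive actions taken on an account shortly after a different employee logged a red-flag call on the same account. The log layout, event names and 24-hour window are assumptions.

```python
"""Correlate a centralized security log to catch a social engineer working one
account through several employees. Log format, events and window are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp | employee | account | event | detail
SAMPLE_LOG = """\
2006-09-12T09:05:00 | alice | ACCT-1001 | suspicious_call | caller refused to give a callback number
2006-09-12T09:40:00 | bob   | ACCT-1001 | password_change | caller cited an 'urgent executive request'
2006-09-12T10:10:00 | carol | ACCT-2002 | info_request    | balance inquiry, PIN verified
2006-09-12T11:00:00 | dave  | ACCT-1001 | info_request    | asked for billing address on file
2006-09-13T14:20:00 | erin  | ACCT-3003 | suspicious_call | caller mumbled through ID questions
"""

RED_FLAGS = {"suspicious_call", "callback_failed"}   # assumed event names
SENSITIVE = {"password_change", "info_request"}
WINDOW = timedelta(hours=24)                          # assumed correlation window


def parse_log(text: str) -> list[tuple]:
    """Parse pipe-separated lines into (time, employee, account, event, detail), oldest first."""
    entries = []
    for line in text.splitlines():
        ts, emp, acct, event, detail = (field.strip() for field in line.split("|"))
        entries.append((datetime.fromisoformat(ts), emp, acct, event, detail))
    return sorted(entries)


def correlate(entries: list[tuple], window: timedelta = WINDOW) -> list[tuple]:
    """Return (account, employee, event) for each sensitive action on an account
    taken within `window` after a red flag logged by a *different* employee."""
    flags = defaultdict(list)   # account -> [(time, employee who logged the flag)]
    hits = []
    for ts, emp, acct, event, _ in entries:
        if event in RED_FLAGS:
            flags[acct].append((ts, emp))
        elif event in SENSITIVE and any(
                ts - fts <= window and femp != emp for fts, femp in flags[acct]):
            hits.append((acct, emp, event))
    return hits


def flagged_accounts(entries: list[tuple]) -> set[str]:
    """Accounts with at least one red flag, i.e. those all staff should be warned about."""
    return {acct for _, _, acct, event, _ in entries if event in RED_FLAGS}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("correlated hits:", correlate(log))
    print("accounts to warn about:", sorted(flagged_accounts(log)))
```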

    Bottom Line

    The easiest way for a hacker to gain access to confidential information is by duping employees into granting entry to systems and customer accounts. Protect enterprise data assets by reinforcing the human firewall.


    Pretexting Stats

    In 2005, the SANS Institute reported that Treasury Department inspectors posed as IT help desk staff pretending to address an IRS network problem. The inspectors managed to persuade 35 IRS employees to disclose their login information and change their passwords to ones suggested by the impostors.

    A 2003 study by InfoSecurity Europe found that 90% of office workers at London's Waterloo Station gave away their computer passwords for a cheap pen when approached at the train station.





    Copyright © 1999-2025 by HR.com - Maximizing Human Potential. All rights reserved.