A chain is only as strong as its weakest link. Unfortunately, attackers realized years ago that when it comes to enterprise security, employees are the weakest link. Rather than hammering away at servers in a company's DMZ, many attackers now take an easier route to compromising an organization -- sending employees alluring phishing emails in order to steal credentials or drop a malicious payload. Fortunately, security pros can test employees' resilience to these attacks, and reinforce good security habits at the same time.
Phishing emails are cheap and easy to send. To send the messages and gather new addresses, remote attackers typically leverage compromised hosts that make up huge botnets. The Anti-Phishing Working Group reported that in the first half of 2009, the number of known, unique phishing sites reached a high of 49,084 per month in June. Over the past decade, phishing attacks have become extremely sophisticated, leveraging techniques such as fast-flux DNS rotation to increase resilience and mask the source of malware.
Voice phishing, or vishing, has also been used more frequently by attackers. The explosion of voice over IP telephony in recent years has facilitated mass calling, making it cheap and easy to make automated voice calls to thousands of targets. Typically, attackers will send a recorded voice message to a target, claiming that there are problems with the victim's credit card or bank account, and soliciting the target to enter his or her account number as verification. Attackers can also set up voice man-in-the-middle attacks, and capture account credentials as users enter them over the phone. Vishing can be a serious problem for enterprises, as attackers can (and do) use the technique to gain information about internal IT systems, voice mail passwords, employee credentials and confidential data, such as medical records.
The keys to preventing phishing attacks
An organization can and should test its resilience to email, Web and voice social engineering attacks. There are multiple benefits to conducting regular social engineering tests: first, they facilitate an accurate understanding of employees' strengths and weaknesses, identifying specific sites or departments that may need extra training. Second, when conducted properly, social engineering testing is itself a key component of security awareness training, and will help reinforce positive behaviors.
It's important to remember that social engineering testing is not so much a test of individual employees as it is a reflection of an enterprise's ability to define and communicate appropriate procedures for identifying, handling and reporting social engineering attacks. Generally, when employees receive appropriate, clear incentives, they will act accordingly.
Here are some tricks that security pros can use to conduct beneficial, accurate social engineering tests, and at the same time boost employee morale and encourage security-conscious behavior:
- Inform employees in advance that you will be conducting social engineering testing. It's a good idea to send out a reminder regularly (instead of right before a specific test).
- Make sure you have clearly defined and communicated standard procedures for identifying, handling and reporting phishing emails and websites. Your employees need to know the right way to handle social engineering attacks in order to succeed.
- Use a third-party consulting firm. In order to get an accurate test, the persons conducting the test should have limited insider knowledge. Also, you want any negative employee feelings to be directed at outsiders.
- When deciding on scenarios for email, phone and phishing website lures, remember to test for adherence to specific, well-communicated company policies. Know what constitutes success versus failure. Remember that social engineering testers, unlike real attackers, are bound by law and ethics. Only target company information, not personal information, whenever possible.
- Track the results carefully. Make sure you record detailed statistics about the number of employees who click on phishing links or enter credentials into phishing sites. When possible, analyze the results to determine trends based on department or location. That way, you can focus future training efforts where they are most needed.
- Follow up on your findings and provide extra training where it really matters. If a significant percentage of employees did not pass, schedule extra security training for everyone. If particular individuals repeatedly fail, work with their managers to provide extra incentives and training.
- Reward good behavior. When your employees succeed, offer them prizes or bonuses! I recommend that my clients raffle off an iPod or some other cool prize for all the people that passed the test with flying colors. This strengthens staff relationships with the security team, boosts morale and provides positive incentives.
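As an added illustration of the tracking, follow-up and reward steps above (this is not code from the original article or its author), the following Python aggregates constructed test results by department, flags employees who failed in more than one campaign for manager follow-up, and builds the pool of employees who passed and reported the lure; the record fields, the sample data and the 75% pass-rate threshold are assumptions.

```python
from collections import defaultdict, namedtuple
# One employee's outcome in one test campaign (field names are assumptions for this example)
Outcome = namedtuple("Outcome", "campaign employee dept clicked entered reported")
# Constructed sample results, not data from any real test
RESULTS = [
    Outcome("2009-Q1", "e001", "Finance", True, True, False),
    Outcome("2009-Q1", "e002", "Finance", False, False, True),
    Outcome("2009-Q1", "e003", "Legal", False, False, True),
    Outcome("2009-Q1", "e004", "Legal", True, False, False),
    Outcome("2009-Q2", "e001", "Finance", True, True, False),
    Outcome("2009-Q2", "e002", "Finance", False, False, True),
    Outcome("2009-Q2", "e003", "Legal", False, False, False),
    Outcome("2009-Q2", "e004", "Legal", False, False, True),
]

def passed(o):
    """Pass = neither clicked the lure link nor entered credentials on the phishing site."""
    return not o.clicked and not o.entered

def department_stats(results):
    """Per-department counts of tests, clicks, credential entries, reports, and the pass rate."""
    stats = defaultdict(lambda: {"tested": 0, "clicked": 0, "entered": 0, "reported": 0, "passed": 0})
    for o in results:
        s = stats[o.dept]
        s["tested"] += 1
        s["clicked"] += int(o.clicked)
        s["entered"] += int(o.entered)
        s["reported"] += int(o.reported)
        s["passed"] += int(passed(o))
    for s in stats.values():
        s["pass_rate"] = s["passed"] / s["tested"]
    return dict(stats)

def departments_needing_training(stats, min_pass_rate=0.75):
    """Departments whose pass rate falls below the threshold (the threshold is an assumed policy value)."""
    return sorted(d for d, s in stats.items() if s["pass_rate"] < min_pass_rate)

def repeat_failers(results, min_failures=2):
    """Employees who failed in at least min_failures distinct campaigns: escalate to their managers."""
    failed_campaigns = defaultdict(set)
    for o in results:
        if not passed(o):
            failed_campaigns[o.employee].add(o.campaign)
    return sorted(e for e, c in failed_campaigns.items() if len(c) >= min_failures)

def reward_eligible(results, campaign):
    """Employees who passed a campaign and also reported the lure: the raffle pool."""
    return sorted(o.employee for o in results if o.campaign == campaign and passed(o) and o.reported)
```

Run on real campaign exports, the same three functions answer the three questions the list poses: where to focus training, whom to escalate, and whom to reward.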
Social engineering testing is a key component of regular awareness training and at the same time produces detailed information that security professionals can use to develop and target security training campaigns. By communicating clearly with employees and conducting social engineering tests on a regular basis, it's possible to dramatically improve employees' resistance to phishing and voice phishing attacks.
About the author:
Sherri Davidoff is the co-author of the new SANS class "Sec558: Network Forensics" and author of Philosecurity. She is a GIAC-certified forensic examiner and penetration tester. She provides security consulting for many types of organizations, including legal, financial, healthcare, manufacturing, academic and government institutions.
This was first published in October 2009