
SANS ISC InfoSec Handlers Diary Blog



Cyber Security Awareness tips #5 - Social Engineering and Dumpster Diving Awareness

Published: 2007-10-05
Last Updated: 2007-10-06 01:00:12 UTC
by Mark Hofman (Version: 2)

Welcome to day 5 of Cyber Security awareness month.  

You won't find much argument in the security community that people are generally considered to be the weakest link. White, grey and black hats all take advantage of this at times, whether to verify, to test or to exploit. Phishing and SPAM are just two profit-making examples of social engineering, and no doubt we can all come up with more or less embarrassing examples of our own. What we really need to start thinking about is how we deal with this in the corporate environment as well as at home.

Some tips:

  • Information classification – Classify your information, stipulate how things are to be handled and what can and can’t be talked about, copied, emailed and so on.   Once people become familiar with the classifications and follow the guidelines, you should find that loose lips no longer sink ships.
  • Policy – We all get those phone calls where someone asks about your servers, firewalls, etc.  Have a policy in place that outlines who deals with those kinds of enquiries.  A bit too obvious, but the sentence "don't tell anyone your password" should also appear in your policy.
  • More Policy - make sure you cover disposal of things such as CDs/DVDs, hard disks etc.  Many a company or government department has been embarrassed in the press because of this.  (thanks Craig for the tip).
  • Get a shredder, preferably a cross cut one (might want to start thinking about one of these for at home as well)
  • Teach staff to challenge people they don’t recognise (politely of course).
  • Put up a poster next to doors, “check badges”, “Watch for tail gating”.
  • Provide Phishing education.
  • Teach people to pick up their printouts and faxes from the various stations
  • Don’t click on links (yep some people need to be reminded)
    • Just for fun (with permission of course) set up a targeted “SPAM” attack on your own organisation.  See how many people will click the link.
  • Have a dumpster auction.  Go down and collect some of the papers in your corporate dumpster (the one not used for secure shredding) and see what you can find.  Then publish the info (suitably anonymised).  You’d be amazed what you can find.
  • Watch for people who “just” want to fix a printer urgently. 
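The "targeted SPAM" exercise above needs a way to attribute clicks without sending anyone a link that could be guessed or enumerated, and a way to turn the web server log into the numbers you report back. The following is an added example, not code from the diary: it assumes a hypothetical tracking host (training.example.com serving /t/<token>) and an Apache-style access log, and the recipient list and log lines are constructed inline so it runs offline.

```python
"""Minimal click-tracking back end for an internal phishing simulation.

Added example, not code from the ISC diary. Assumes a hypothetical tracking
host training.example.com serving /t/<token> and an Apache-style access log.
"""
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: a fresh random secret per campaign. Never reuse one across
# campaigns, or a token that leaks once identifies the same person next time.
CAMPAIGN_SECRET = b"example-campaign-key-rotate-me"
CAMPAIGN_ID = "csam-2007-day5"
TRACKING_BASE = "https://training.example.com/t/"   # hypothetical host

# Constructed recipient list: email -> department (reporting is per department,
# never per person, so the results can be published suitably anonymised).
RECIPIENTS = {
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "it",
    "dave@example.com": "ops",
}


def click_token(email, secret=CAMPAIGN_SECRET, campaign=CAMPAIGN_ID):
    """Per-recipient, per-campaign token.

    An HMAC over campaign:email cannot be forged or enumerated by a recipient
    who changes a digit, and the token->person mapping is recomputed from the
    recipient list rather than stored anywhere the mail could expose it.
    """
    msg = f"{campaign}:{email.lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def tracking_urls(recipients=RECIPIENTS):
    """Unique URL per recipient, to be merged into each test mail."""
    return {email: TRACKING_BASE + click_token(email) for email in recipients}


# Request part of a combined-format log line hitting our tracking path.
_REQ = re.compile(r'"GET /t/([0-9a-f]{20})(?:[?/][^" ]*)? HTTP/')


def parse_clicks(log_lines, recipients=RECIPIENTS):
    """Return (clicked_emails, unknown_tokens).

    A person is counted once however many times they click. Unknown tokens are
    hits on /t/ that match no recipient: scanners, mangled links, or someone
    probing the tracking host; they must not be counted as clicks.
    """
    token_to_email = {click_token(e): e for e in recipients}
    clicked, unknown = set(), set()
    for line in log_lines:
        m = _REQ.search(line)
        if not m:
            continue
        email = token_to_email.get(m.group(1))
        if email is None:
            unknown.add(m.group(1))
        else:
            clicked.add(email)
    return clicked, unknown


def click_rates(clicked, recipients=RECIPIENTS):
    """Overall and per-department click percentage, one decimal place."""
    total = defaultdict(int)
    hits = defaultdict(int)
    for email, dept in recipients.items():
        total[dept] += 1
        if email in clicked:
            hits[dept] += 1
    per_dept = {d: round(100.0 * hits[d] / total[d], 1) for d in total}
    overall = round(100.0 * len(clicked) / len(recipients), 1) if recipients else 0.0
    return overall, per_dept


def _log_line(path):
    # Constructed combined-format line; a real run reads the server's own log.
    return f'10.0.0.5 - - [05/Oct/2007:09:12:01 +1000] "GET {path} HTTP/1.1" 302 0 "-" "Mozilla/5.0"'


# Constructed sample log: alice clicks twice, carol once, one bogus token,
# and one unrelated request.
SAMPLE_LOG = [
    _log_line("/t/" + click_token("alice@example.com")),
    _log_line("/t/" + click_token("alice@example.com") + "?utm=1"),
    _log_line("/t/" + click_token("carol@example.com")),
    _log_line("/t/" + "0" * 20),
    _log_line("/favicon.ico"),
]


def run_sample():
    clicked, unknown = parse_clicks(SAMPLE_LOG)
    overall, per_dept = click_rates(clicked)
    return clicked, unknown, overall, per_dept


if __name__ == "__main__":
    clicked, unknown, overall, per_dept = run_sample()
    print(f"{len(clicked)}/{len(RECIPIENTS)} clicked ({overall}%), by department: {per_dept}")
    print(f"unknown tokens seen: {len(unknown)}")
```

Two things worth keeping from this: the tracking URL carries nothing but an unforgeable token, so the mail itself leaks no names, and the report is computed per department, which is what you publish. Get written permission before running the exercise, and treat the raw token-to-person mapping as personal data that is deleted once the aggregate numbers are out.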

So plenty of room left for some of your tips, send them in and I’ll collate them at the end of the shift.

Might even include one or two “war” stories, but they have to be good.

UPDATE #1

We had a good response on tips #5.  Here are some of the reader contributions. (thanks Chris, Gary, Bill, Marie-Eve and anon)

  • No direct extensions or unscreened email.  Everything goes through the frontdesk.
  • Printers in inconvenient locations make people think twice about printing (the roof and the last cubicle of the men's toilet might be a bit extreme though).
  • Pat was looking at introducing a scheme whereby out-of-towners (most companies have a few) are handed $50 and walk around without a badge.  The first person who politely asks who they are and what they are doing there gets to keep the money.
  • A number of people mentioned making sure equipment is sanitised before disposing of it.
  • As part of an awareness campaign change the pattern of signs and security check off sheets, because they eventually will blend in with the background.

Marie-Eve uses role playing as part of security awareness training as a lead-in to the social engineering section.

“Generally, I will begin this game between two modules in the training session. They do not know what the next section will be about and they are not aware that I intend to talk about people attacks. I choose somebody in the audience, hand him a little script and simulate a phone call from a helpdesk technician to an employee (played by my volunteer). The game is about 4 minutes long and, when played coyly, most people in the audience do not really realise that I just asked an employee for his user name and password. Then, when the role-playing is done, I ask people what happened and they start to understand. Most of the time, when I ask, "would you have handed out that information too in the same context?” they timidly admit that they would have, with a new understanding of the possible risks of social engineering.”

When teaching people it is nice to see the lights go on.

Just to finish off a couple of war stories:

  • Eric Mansfield, a local reporter went dumpster diving behind a BMV license bureau in Fairlawn, OH and pulled out a lot of documents with personal info (SSN, drivers license #s, addresses, etc).  When he confronted the supervisor (who turned out to be a nephew of one of the BMV directors), he blamed the customers.  Within a few weeks that particular bureau was closed down, the managers fired and they are re-evaluating whether or not to keep it open. http://www.wkyc.com/news/news_article.aspx?storyid=74589
  • In 2003, ninety per cent of office workers at a London station gave away their computer password for a cheap pen.  In 2004, 71% provided their password for a Marks & Spencer Easter Egg. http://www.theregister.co.uk/2004/04/20/password_surveys/
  • In 2006, a firm hired to assess security scattered USB drives outside of a credit union. Of the 20 USB drives planted, 15 were found by employees, plugged into company computers and able to gather confidential information. http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1


Mark - Shearwater
