Infosecurity Europe 2010: The human factors in security vulnerability

As many in the security profession know, not all hacking involves computers, and, further, not all information security lies in networks. In fact, it may be the case that the most vulnerable element of security includes the people who are tasked with protecting information.

Ian Mann demonstrated just how easy it is to penetrate the human face of information security throughout his seventh yearly installment highlighting social engineering techniques at Infosecurity Europe. During his business strategy session, conducted in front of an overflowing theater, the author of Hacking the Human shared his three keys to subverting security: bypassing the guardians, target selection, and password theft.

According to Mann, if you have a physical security presence in the form of a “security guard”, then this does not necessarily make the asset they are protecting more safe. “Security guards tend to make security systems less secure, not more secure”, he contended. Mann continued by revealing that, in his experience, all the savvy social engineer needs to do is observe the guardian’s behavior and determine the situations when others allowed access within the security perimeter by “mimicking the circumstance to get in”.

The ECSC senior systems consultant said his research on this shows that all an intruder needs to do in the case of a well-trained security guard is to create a simple forged document from management that enlists the guard’s help in what would be, in this case, a complete ruse to test the facility’s security protocols. “A security guard’s job tends to be particularly dull and boring”, he noted, “and if you get them into a bit of excitement, then they really quite like that.” This exercise, said Mann, was extremely easy to conduct, as official organizational letterhead and executive signatures can be obtained from, for example, corporate financial reports.

Mann said that when carrying out these tests he always carries a “get out of jail” letter, which is an authentic correspondence from the organization informing the security personnel that the exercise is indeed a test, and providing the security guard with the details. But, as Mann proudly proclaimed, he has never needed to use this bona fide letter in all of his many years of testing physical human security.

“And if you involve the security guards, you’ll find that they will help you through the [fake] testing”, Mann added, also musing that security personnel will often assist him in bypassing the security protocols to participate, effectively neutralizing their defensive capabilities.

When it comes to determining who to target within an organization, the social engineer, said Mann, has no shortage of public information from which to collect data on insiders. He provided the example of targeting staff outside the IT department while posing as an external auditor, presumably one that has a history with the organization in question. This social engineering technique is intended to target the incorrect individual at first in the hope that they will then arrange an introduction with the appropriate staff member, presumably a database administrator.

In this case it is likely that the administrator may be more willing to share sensitive or protected information if the contact is arranged for by someone else within his or her own organization. During this type of scam, the social engineer is banking on the admin’s willingness to trust in the recommendation of a fellow co-worker. “In ten minutes I have a printout of all the details of all their clients” said Mann, assuring that the practice of intentionally targeting the wrong person tends to be “quite powerful”.

Even for organizations that stress the importance of information security, Mann believes it is far too easy to obtain employee passwords. “Everybody has had it drummed into them that they must not give out [their] passwords”, Mann declared. However, employees are typically all too willing to give their passwords to IT personnel, believing that this information is in safe hands.

Once again, the role of the alleged ‘auditor’ or tester comes into play here, as Mann shared his experience in extracting passwords from personnel by telling them to enter their own passwords into a piece of software that obscures type and allegedly encrypts the data while still analyzing its strength. It is another case where Mann lured personnel into a situation of trust as he explained to his targets that their organization asked him to test the employee in question in an attempt to gain access to their login credentials, but that the program he set up to determine its strength would bypass the need for them to share it directly, and thereby avoid violating company security policy.

Mann said that, using this technique during one specific security testing audit, he was able to obtain 99% of passwords from employees even though this particular company had a rigorous security education program outlining the need to keep passwords secret.