Unless you've already done so, I recommend reading about the escape of Neil Moore from Wandsworth Prison.
He used the simplest of all security testing techniques to secure his release.
Moore created a fake web domain (in the name of Chris Soole) that closely resembled Southwark Crown Court service's official address, and used it to send bail instructions by email to the prison's custody inbox. After executing what I would consider to be the simplest of all social engineering techniques, he was released.
He did all of this on his mobile phone.
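The weak point in the story above is that a look-alike sender domain was trusted on sight. The following defender-side check is an added example, not code from the original post: it classifies the sender domain of an inbound address as trusted, look-alike or unknown by normalising digit and accent homoglyphs and measuring edit distance against an allowlist. The domain names are constructed placeholders, not the court's real address.

```python
import unicodedata

# Constructed allowlist of official sender domains (placeholders, not the real court domain).
TRUSTED_DOMAINS = {"southwark-court.example", "hmcts.example"}

# Digits commonly substituted for visually similar letters in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalise(domain: str) -> str:
    """Lower-case, strip accents (e.g. 'ó' -> 'o') and map digit look-alikes to letters."""
    domain = domain.lower().strip()
    domain = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return domain.translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an email address."""
    domain = address.rsplit("@", 1)[-1]
    if domain.lower() in trusted:
        return "trusted"
    norm = normalise(domain)
    for good in trusted:
        # Same name once homoglyphs are removed, or within a couple of typo-squat edits.
        if norm == good or levenshtein(norm, good) <= max_distance:
            return "lookalike"
        # Trusted name reused as the leading label of an attacker-registered domain.
        head = good.split(".")[0]
        if norm.startswith(head + "-") or norm.startswith(head + "."):
            return "lookalike"
    return "unknown"
```

A mail gateway rule or SOC detection can quarantine anything that scores "lookalike" and hold it for a human to verify through a channel other than the email itself.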
However, Moore can't really be described as a criminal mastermind – he did have to hand himself in three days later after solicitors went to interview him only to find he was gone. Furthermore, being caught committing a large scale fraud by impersonating employees from Barclays, Lloyds, and Santander saw him arrested and placed in custody in the first place.
Ease of exploitation
You may be shocked at how easily someone with a talent for both tech and trickery could bypass the security controls of a prison by performing these simple steps.
However, Wandsworth Prison shouldn't feel too ashamed, and none of us should judge too harshly. Based on social engineering assessments I've completed to date, it's a case of ‘there but for the grace of God’.
Every organisation has a process and/or system whose risks have not been assessed properly and, as a result, have never been defined. All too often, risk assessments are tick-box exercises. It's almost an oxymoron!
Bruce Schneier once said, “Semantic attacks directly target the human/computer interface, the most insecure interface on the Internet. Only amateurs attack machines; professionals target people. And any solutions will have to target the people problem, not the math problem.”
I strongly agree, and believe that effective security never was, is not and never will be about hacking specific systems, reviewing a piece of vulnerable code or adhering to a specific standard. We have a significant problem in that so much security is fuelled by this mind-set, isolated to systems and standard deviations. We have created ‘silo specialists’ in web testing, infrastructure testing, risk, compliance and so on.
Along the way we've also forgotten about the overarching component of the ‘threat’ we're all defending against: the ‘trickery’ displayed by Neil Moore. The art of true hacking: social engineering.
Unfortunately, the industry does little to educate peers on social engineering, and clients often refuse to undergo such simulations, lest they discover an inconvenient truth. Hackers, however, aren't well versed in PCI and ISO controls. They have patience, ever-increasing funds and an appetite for trickery, combining a variety of tools and techniques to exploit the most easily accessible business vulnerabilities and risks (translation: people and their behaviour). Go back to basics and educate employees on the business's likely threats, so they are able to recognise such behaviours.
Simultaneously the biggest asset and security headache
The Wandsworth Prison story proves that stealing passwords and emails and impersonating employees is much easier than you think. Our clients are always shocked at how ‘helpful’ employees are, providing testers with information that could very well be used to mount a large-scale attack.
Moore only needed a mobile and a prison officer that diligently followed the process. Criminal convictions aside, he'd make one hell of a professional social engineer.
As employees increasingly communicate, store and share data digitally, real attackers will target and impersonate them to elicit sensitive information at the same rate. In these scenarios, the only thing within your organisation's control is education and awareness: culture. Simulate social engineering attacks with comprehensive ‘lessons learnt’ training (no blame, no finger pointing!) and run ‘on brand’, inclusive and regular awareness campaigns. These activities must reach and educate everyone in the company, from the ‘chairman to the doorman’. We're all information guardians now.
I'm not saying you won't be hacked. But if the worst does occur, education is your best chance of minimising exposure and impact.
Contributed by Fotis Gagadis, senior security consultant, IRM