
Page 1: A Multi-Level Defense Against Social Engineering Allen Stone 9/14/2005

A Multi-Level Defense Against Social Engineering

Allen Stone

9/14/2005

Page 2

Social Engineering

Social Engineering is the process of deceiving people into giving away access or confidential information.

This paper explores the psychological methods of the attacker and the psychological vulnerabilities of the victims, and outlines an effective defense. It is the first paper to recognize all of the levels necessary for a proper defense and to propose a defense that not only deters such attacks but also identifies or isolates the attacker.

Page 3

Constructing an Effective Defense

• Understand the Enemy’s tactics

• Find our psychological vulnerabilities

• Identify the various levels of defense

• Devise defense strategies at all levels

Page 4

The Enemy – Methods

• Develop Trust

• Reverse Social Engineering

• Avenues and Media
  – Avoid pigeonholing the enemy: he/she will call/approach/email you under the pretenses of authority/customer/coworker/author/etc.

Page 5

Why these attacks work

• Psychological Triggers in all of us
  – Strong Affect
  – Overloading
  – Reciprocation
  – Deceptive Relationships
  – Diffusion of Responsibility and Moral Duty
  – Authority
  – Integrity and Consistency

Page 6

Strong Affect

• A heightened emotional state tends to impair logical thinking
  – Fear
  – Panic
  – Joy
    • You’ve just won!
    • Trip to San Francisco - AoD
  – Surprise
    • Call at 4:30am

Page 7

Overloading

• Sensory Overload
  – 30 true statements with 5 untrue, suspect statements in between.
    • The 1-cent Cell Phone - AoD

• Arguing from an unexpected perspective
  – We need time to process

How can we defend against this?

Page 8

Reciprocation

• If someone gives us something, whether or not we asked for it, we feel inclined to help them.

• Reverse Social Engineering

• “mental shortcut” – Mitnick

• Yielding points in an argument

Page 9

Deceptive Relationships

• Developing a relationship with the intent of exploiting the other person.

• AOL attack

• Hacker and mark are “alike”

Page 10

Diffusion of Responsibility and Moral Duty

• Diffusion of Responsibility – the mark feels that he/she will not be held solely responsible

• Moral Duty – avoid feeling guilt
  – “Save the company”, “Save someone’s job”

Page 11

Authority

• Impersonation attacks

Page 12

Integrity and Consistency

• People generally follow through on their promises, whether or not it is wise to do so.

Page 13

Levels of Defense

• Foundational Level

• Parameter Level

• Fortress Level

• Persistence Level

• Gotcha Level

• Offensive Level

Page 14

Foundational Level

• End users are targeted to respond to questionable requests
  – They should not decide what information can and cannot be divulged

• Confidence
  – Metacognition and Persuasion Theory

Page 15

Defense (Foundational)

• General Policy
  – Explicitly state what information can be divulged and by whom
  – Train early and often, post policy clearly in public view, encourage and enforce compliance
  – Combats Authority, Diffusion of Responsibility, Moral Duty

Page 16

Parameter Level And Its Defense

• Employees need to know when to say “no” and that management backs them

• Warning signs
  – No contact info, rushing, name-dropping, intimidation, misspellings, odd questions, requesting suspect info

• Security Awareness
  – Know what has value
  – Friends are not always friends
  – Passwords are personal
  – Uniforms are cheap

Page 17

Fortress Level

• Attackers Target Key Personnel
  – Help Desk Personnel
  – Customer Service
  – Business Assistants
  – Secretaries and Receptionists
  – System Administrators

How are they prepared?

Page 18

Defense (Fortress)

• Resistance training for key personnel
  – Inoculation – weakened examples
  – Forewarning – not just the intent, but the methods
  – Reality Check – defeat their image of personal invulnerability. Deceive them to show how easy it is.

Page 19

Persistence Level And Its Defense

• Forgetfulness and Wrongful Prioritization of Policy

• Pervasive and persistent reminders
  – Police Station example

Page 20

Gotcha Level Defense

• Social Engineering Land Mines (SELM): traps set up to expose and stop an attack

• Active Defense Ideas
  – The Justified Know-It-All
  – Centralized Security Log
  – Call Backs by Policy
  – Key Questions
    • Three Questions Rule
    • Bogus Question
    • “Please Hold” by Policy

Page 21

Offensive Level Defense

• Incident Response
  – There needs to be a clearly written and well-understood policy surrounding the manner in which to respond to a security incident
  – If the first mark is wise to the con but does not alert security, it is only a matter of time before another mark is selected.
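The Centralized Security Log (Gotcha Level) and the incident-response point above fit together: when a second or third employee reports the same pretext, the log should surface it as one campaign rather than isolated oddities. The following is an added example, not part of the original presentation; the report layout, warning-sign names and sample reports are constructed for illustration.

```python
"""Centralized security log that correlates reports across employees.

Added example, not from the slides: a report filed by one employee is matched
against reports from others, so a repeat attempt on a second mark is seen as one
campaign (Gotcha Level log, Offensive Level escalation). All data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Warning signs from the Parameter Level slide; each report tags those observed.
WARNING_SIGNS = {"no_contact_info", "rushing", "name_dropping", "intimidation",
                 "misspellings", "odd_questions", "suspect_info_requested"}

# Constructed reports: (time filed, reporting employee, identity claimed by the
# requester, warning signs the employee noticed)
REPORTS = [
    ("2005-09-14 09:05", "help_desk_1", "IT contractor", {"rushing", "suspect_info_requested"}),
    ("2005-09-14 09:40", "receptionist", "IT contractor", {"name_dropping", "no_contact_info"}),
    ("2005-09-14 10:10", "sysadmin_2", "IT contractor", {"intimidation", "suspect_info_requested"}),
    ("2005-09-14 14:00", "customer_svc", "customer", {"odd_questions"}),
]

def parse(report):
    """Validate one report; reject tags that are not defined warning signs."""
    ts, who, claimed, signs = report
    unknown = set(signs) - WARNING_SIGNS
    if unknown:
        raise ValueError(f"unrecognised warning sign(s): {sorted(unknown)}")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), who, claimed, set(signs)

def correlate(reports, window_hours=4.0, min_targets=2):
    """Flag a claimed identity when reports naming it come from at least
    `min_targets` distinct employees within `window_hours`.
    Returns {claimed_identity: (sorted targets, sorted union of warning signs)}."""
    window = timedelta(hours=window_hours)
    by_claim = defaultdict(list)
    for r in reports:
        ts, who, claimed, signs = parse(r)
        by_claim[claimed].append((ts, who, signs))
    campaigns = {}
    for claimed, entries in sorted(by_claim.items()):
        entries.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(entries):
            inside = [e for e in entries[i:] if e[0] - start <= window]
            targets = {who for _, who, _ in inside}
            if len(targets) >= min_targets:  # same story told to several marks
                all_signs = set().union(*(s for _, _, s in inside))
                campaigns[claimed] = (sorted(targets), sorted(all_signs))
                break
    return campaigns
```

With the sample reports, `correlate(REPORTS)` flags only the "IT contractor" pretext, since it reached three employees within an hour; the lone "customer" report stays in the log but is not escalated.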

Page 22

How well have we defended?

– Strong Affect
– Overloading
– Reciprocation
– Deceptive Relationships
– Diffusion of Responsibility and Moral Duty
– Authority
– Integrity and Consistency

Page 23

Other vulnerabilities

• New employees

• Poor administration policies

Page 24

Policy from a Social Engineer

“The Art of Deception” – K. Mitnick

Kevin Mitnick outlines an excellent security policy at the end of the book with detailed reasoning at every level to defend against Social Engineering Attacks.

Page 25

Conclusion

• Social Engineering will always exist, and it is extremely difficult to defend against, but the success of such attacks can be decreased substantially with proper policy and personnel training

Page 26

Questions and Comments?

Page 27

References

• Gragg, David. “A Multi-Level Defense Against Social Engineering.” GSEC Option 1, version 1.4b, Dec. 2002.

• Mitnick, Kevin. “The Art of Deception.”