By Alan S. Brown
In April 2004, Microsoft Corp. sent out a Windows security patch. Within 18 days, hackers had used Microsoft's own information about the patch to engineer a virus that attacked companies before they installed it.
The Microsoft patch is only one of the many attacks on information technology (IT) infrastructure over the past year. Others have included viruses, worms, denial of service phishing and mobile phone viruses. While amateur hackers launch most of the attacks, others are the work of organized crime. Security officials worry that well-funded terrorists could do even more damage.
Yet IT protection offers a unique challenge to security officials. Most came up the ranks protecting physical assets, such as people and property. They may believe that safeguarding information is a technical job best left to experts.
They couldn't be more right. Or more wrong.
IT security is truly a domain for experts. Since the surge in Internet attacks 6 years ago, they have gotten better at deflecting threats.
Yet, according to the Computer Security Institute/Federal Bureau of Investigation 2004 Computer Crime and Security Survey, half of all security breaches originate from inside organizations. Perpetrators range from disgruntled employees and ex-employees to workers looking for a quick buck.
Insiders are dangerous because others trust them. They use that trust to learn secrets that enable them to evade security systems that protect critical information.
More alarmingly, though, outsiders do the very same thing. Using a process they call "social engineering," they exploit flaws in security policy and training to unearth security secrets.
Social engineering has nothing to do with technology. It has to do with manipulating insiders. It falls squarely into the traditional pursuits of security managers.
There are many definitions of social engineering. In practice, it is nothing more establishing trust and using it to infiltrate an organization and uncover its secrets.
Sometimes walking through the front door is enough. Hackers may wear a fake ID badge and "tailgate" an employee into a restricted area. Or they may don a UPS, FedEx, utility worker or contractor uniform purchased on eBay. At night, he or she may dress up as part of the cleaning crew and log onto workstations, steal unsecured laptops, or copy passwords scribbled on Post-Its.
A hacker who shows up for a nonexistent appointment may ask to wait in a meeting room, then plug into the room's networking jack or slip out to look an for unattended cubicle. Told to wait in the lobby, he or she may attempt to break into the facility's wireless network from a laptop.
More insidiously, hackers can build trust by learning enough about an organization to sound like a part of it. Through the Internet, hackers can acquire names, titles, addresses and e-mails, as well as technical information about the IT system. They may ask IT administrators for technical information through Internet newsgroups.
Armed with this information, a hacker can begin to probe the individuals in an organization. In The Art of Deception, America's most notorious hacker, Kevin Mitnick, says his ability to act like an insider, drop names and discuss company procedures persuaded many people to reveal the information he needed to compromise their systems. His approaches ranged from impersonating executives and IT employees to offering to help people secure their systems.
Security officers have a number of ways to fight back. Many approaches are extensions of existing procedures that keep outsiders from just walking in and stealing assets.
Physical access. Physical security starts with controlling entry at the front door. Companies commonly use an entry barrier keyed to a swipe card. More advanced systems combine turnstiles or revolving doors that prevent tailgating with wireless badges.
Some firms have added biometrics to keep out people with stolen swipe cards and to secure sensitive areas. More and more $100 fingerprint readers are being used to ensure only prescreened users can unlock PCs and laptops.
Many firms have long issued special visitor badges and forbid entry except when escorted by an employee. Some also require special IDs for delivery and service personnel. Many companies now shred trash and secure their dumpsters to keep people from digging for confidential information.
Securing IT requires additional steps, explains William Plante, senior director of Corporate Security & Brand Protection at Symantec Corp., a leading IT security software business.
"Physical security needs to consider data centers as vaults containing gold," he says. "Assume that there is no power. Can the data center maintain the highest degree of physical security, especially access control, without power? You should assume a degraded environment."
Mobile security. IT has gone mobile. Plante recommends extra protection for laptops, such as security cables to keep them from being casually lifted. He also suggests external hard drives so users can store information separately from the laptop itself.
He is also alert to casual eavesdropping on wireless networks. "If I were to walk towards the facility with laptop and a wireless network card, what could I pick up?" he asks. "Could I walk into the reception area, sit down and surf? Could I patch into a live LAN drop in non-secure space?" He calls for a probative-but-helpful front desk security staff that is alert for loitering and tailgating.
Sustainable policy. Security is a pain in the neck, especially in today's hypercompetitive business climate. Make systems simple and practical enough for people to use every day.
In a white paper, Why Security Policies Fail, Control Data Systems Inc. provides several examples of unsustainable polices. One company, for example, secured costly equipment by limiting room keys to the senior managers. This proved so disruptive that managers began leaving the key in an unsecured desk draw. One day, somebody sole the equipment while the managers were out.
Another example tried to limit unassigned or inactive e-mail accounts by requiring three vice presidents to sign off on each new account. With new requests arriving each day, some VPs presigned blank forms. A hacker got hold of a form, set up an e-mail account, and then used it to steal confidential files and post them on the Internet.
The lesson: A policy that is too hard to follow is no policy at all.
Show your colors. Security should go beyond uniforms and badges to make its presence obvious. Control Data, for example, points to a security team that left yellow notes on running PCs that had been left unattended without a password-protected screen saver. Another company checked cubicles nightly for unsecured laptops and collected them for storage. Workers soon learned to secure their laptop so they did not have to disrupt their day to retrieve it at the security office.
Training. It is important for everyone in an organization – from executives and managers to secretaries and maintenance personnel – to understand how hackers use social engineering to build trust. Even a seemingly innocuous phone call or e-mail may signal a hacker probing for weaknesses or seeking to build trust.
Employees need to know how to separate a legitimate from a spurious request for information and have a simple procedure to report suspicious incidents. Security teams must alert them to the latest threats and protective practices and test frequently to ensure compliance.
When it comes to education, don't forget the top executives, says Patrick Gray, an advanced security director with Internet Security Systems Inc. "Few [of them] grasp the case for investing in safeguards against hackers," he says. "Education starts at the top and works its way down the food chain. Before any employee puts fingers on the keyboard, they must understand that it is not their computer."
Prepare. Security teams must test and retest their hacker defenses. They must try to walk through security, break the wireless network and pose as employees looking for help. Expect audits to find problems.
"These hackers are smart and most have much more time to spend attacking you than any typical system administrator can spend defending against them," Gray notes. "Prepare for the worst. When it happens, don't be caught saying, 'What do we do now?'
"Have an incident response plan and test it at least quarterly," he advises. "If you say you don't have the time to test the plan, ask yourself if you have time to go out of business."
Alan S. Brown is a contributing editor.