You feel safe from hackers: your operating systems are patched, firewalls installed and anti-virus is up to date.
What about your help desk?
At last week's annual US hacker conference in Las Vegas, DEF CON, Australia's top social engineer laid bare the dangers of an overenthusiastic help desk.
In a 20-minute call, "Wayne" (he prefers not to use his last name) elicited enough information from a helpful call centre operator to wreak havoc on the Fortune 500 company's systems, bypassing their information security precautions during a "capture the flag" competition in which he came second in a tight race. The 30 flags were answers to questions used to vivisect an organisation's border security.
Wayne was a "white-hat" hacker for Sydney consultancy Securus Global operating on the day under the watchful eye of the US FBI, so the unlucky company's secrets were safe but until it retrained staff it was vulnerable to those with malicious intent. The competition forbade gathering passwords or logins but other information equally as devastating when taken together were fair game.
The event was run by social-engineer.org, a group that aimed to elevate awareness of how the "HumanOS" was tricked into revealing its secrets, typically access or confidential information. And as technology improved, hackers were exploiting the weakest link in a computer network - people.
"Big companies are very protective about their brand and corporate secrets and this is a perfect way to exploit that quickly," Wayne said. "The information I gathered on the day we could have easily broken into the company in a matter of minutes."
And in an admission to make most information security managers wince, Wayne said the unfortunate victim of his attentions was fresh from his security training and induction.
"You need to think (on the help desk), why does the caller need to know what browser I'm running? People are so worried about whether they'll lose their job they're so happy to help. The guy I spoke to was fresh off his security training and he didn't question anything, he wanted to believe what I was saying."
What should the help desk operator have done?
- Be brave: push back on callers with unusual demands or queries
- Don't be intimidated by a caller's perceived status in the organisation
- Ring the caller back using their details in the internal phone book
- Check the caller's bona fides with their manager
- Be an active listener: ask why the caller is asking for information?
- When in doubt, transfer the caller to the help desk manager
- For sensitive queries, such as audits, tell the caller to come by in person to validate their credentials
Wayne's Australian accent was an asset when dealing with the operator: "I came in as someone who was new to the company. I was at the head office and had just had a meeting with the vice president and I was told the IT desk was the first place to call - the IT guy was pretty chuffed."
Wayne couched his questions in light-hearted banter and distracting questions, masking his intent while building a rapport with the operator. On the phone, Wayne has an easygoing demeanour that put his subject at ease.
"A lot of people say they're doing surveys but they don't work very well. My angle was I already work for your company, I'm correcting an audit so the person thinks my job is higher than theirs but they think I need their help - so you're playing on a human emotion."
Wayne's success was built on solid homework; social engineers "recce" their targets leading up to their attacks. The competition gave the competitors two weeks to learn all they could about their targets by searching for information on the web or in open sources but forbade direct contact such as by email or phone call.
And on the day of the DEF CON competition, Wayne was lucky to get an ideal candidate: "You have to cross your fingers and hope there was someone there who you could talk to".
Call centre operators need to be questioning when they get a call out of the blue, especially if it's from someone they haven't dealt with before or a voice they don't recognise. A simple call back from the desk may have crippled Wayne's attack at the outset.
Wayne asked for information that there was little reason for him to know such as the versions of browsers and mail clients used in the organisation, the type of anti-virus and even the make and model of the radio-frequency identification badges used to gain access.
"The guy on the phone told me what badges, firmware, brand and model number they were running," Wayne said. "He told me who their cleaners were; do they shred their rubbish or throw it in the bin? Their data backup and how it works and how the tapes go to the data processing and archiving company."
Wayne said that with the flags he captured his tiger team of hackers could have deployed Trojans and owned the target company client, mail and web server in a "matter of hours".
Stand your ground
Justin Gasparre specialised in IT infrastructure and management on the board of the IT Service Management Forum that worked to improve how IT staff provided services to a business's employees.
He said IT workers, especially those on help desks who tended to be younger and more inexperienced, should be alert and not take on face value what a caller told them. Staff shouldn't be so "threatened" by a caller's "escalated authority" that they were too keen to help.
In Wayne's scenario, "I'd ask to see him", said Gasparre who was also a member of the systems audit and control association.
"Most of the time, audits are structured and have validation," Gasparre said. "Even if it's an internal audit you would have that auditor come in and show the audit plan and it's usually an authorised, known activity" organised in advance with management.
Organisations in the US and Europe were adopting Sneakers-style pen tests of their employees to complement their information security audits but Wayne said Australian businesses were resistant because "they don't want to hurt anyone's feelings".
"Companies are scared to do social engineering pen tests on their staff," Wayne said. "They're happy to spend to protect servers and workstations but their most crucial thing is their people who hold all the information so that is the first place you start."
He said that when the capture the flag report was published in a few weeks most companies targeted will be able to say "that was us".
"And I hope it has a really good effect on that community because we live in times where we think about terrorism more than in the past and, as time ticks on, the idea of cyber-terrorism becomes more of a reality than a joke."