Organisations are spending heavily on security software and hardware but overlooking the human element when protecting their IT systems, according to Chris Gatford, director of Sydney penetration testing company HackLabs.
Gatford ran a half-day tutorial on social engineering attacks and countermeasures at AusCERT 2013, looking at the human factors in IT security.
The risks from social engineering attacks are real – last year thousands of passwords and credit card details were exposed online after social engineers breached popular hosting billing platform WHMCS.
“Organisations spend large amounts of money on all sorts of technology controls but keep refusing to educate employees about the social engineering threats of malicious people just asking for the information,” says Gatford.
“Social engineering is based upon psychological principles – influence, tactics, inference. There’s a whole process involved in manipulating people. It’s very much a science.”
One of the services HackLabs offers is red teaming assessments, in which a team focuses on compromising an organisation by any means necessary – electronically, over the phone, through social media and physically.
Physical security is the weakness Gatford sees in most organisations, and it is the part of a penetration test that is most often left out.
“We seem to have this ridiculous reliance on proximity cards these days,” he says. “We take a lot of these things that people seem to think are fictional and we demonstrate in our workshop case studies where we show real world tools in action that enable us to do what we do.”
Call centres are another frequent target and a favourite of social engineers. “Help desks by their very nature are designed to help people. Two or three calls to a help centre can build up enough information about an organisation to be able to pose as an insider.”
Ultimately much of securing an organisation’s data is about what Gatford calls the human firewall.
“It is never a bad investment investing in a human firewall.”
“One of the things we really encourage is to test the organisation and share those results. Use the results of what we were able to achieve because someone gave up their user names and passwords or some people leaving their workstations unlocked to start a security awareness program. After kicking off a security awareness program measure the increase in awareness.”
That awareness is critical for creating a culture of security in an organisation. To encourage it, HackLabs rewards clients’ staff who challenge its testers during an engagement by entering them into gift voucher draws.
A scheme like that can save thousands. “You find organisations spending a lot of money on log monitoring, for example, yet the physical security is poor and you can extract information from any employee you walk up to. Yet they have spent two hundred thousand dollars on monitoring systems that no one ever looks at.”
“These things aren’t hard; the controls to fix them aren’t necessarily too difficult. It is about educating your workforce,” Gatford says. “It’s about frequent testing and then rewarding your employees when they spot the testing occurring, and hopefully they’ll spot real world social engineering.”