Moving on with his RSA Conference talk on human hacking, Chris Hadnagy provides several more tips pertaining to the importance of software and security updates, the implementation of scripts for specific situations, and the usefulness of social engineering audits.

4. Tip number four is one of the hard ones: software updates and security updates. It’s time consuming and it’s expensive, especially for large organizations. I stand up here and I say this very easily, but I understand the pain that it takes to update thousands of clients and their security software or the user software that they have, like browsers and PDF software, and things like that. It can be time consuming and costly to do that.
But there was a company that I worked with, a printing company, and when we scanned their servers we found that on their public web server they had a couple of PDFs. Looking at the first file gave us info on the type of PDF software they used and the version, and because it was a comparatively recent one, we figured that it was probably still the one they use now.
The second file was from a local cancer drive, a charity drive for children with cancer. I know it sounds horrible to do this, but we used that in the social engineering test because that’s what a malicious person would do. We called the company, pretending that we were from a local cancer drive, and said we wanted to send them a PDF that would outline the benefits of going with us as opposed to other cancer drives. Of course the CEO accepted the PDF because it was something very personal for him; and while on the phone, we were able to cause the breach due to outdated software.
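The story above turns on one detail: the Info dictionary of a published PDF named the software and version that produced it. The pre-publication check below is an added example, not code from the talk or from any tool it mentions; it parses the Info dictionary of a constructed sample PDF (hypothetical product name) with only the standard library and reports the fields that should be stripped before a file goes on a public web server.

```python
import re

# Constructed sample, not a document from the talk: a minimal PDF whose Info
# dictionary names the producing software, exactly the detail an attacker reads
# off a public web server to pick a matching exploit. Product name is made up.
LEAKY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Producer (Acme PDF Writer 9.1) /Creator <576F7264>"
    b" /Author (Doe \\(J.\\)) /CreationDate (D:20120301120000) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# Info keys that reveal software (Producer, Creator) or people and timelines.
SOFTWARE_KEYS = ("Producer", "Creator")
PERSONAL_KEYS = ("Author", "CreationDate", "ModDate")

_ESCAPES = {b"n": "\n", b"r": "\r", b"t": "\t", b"(": "(", b")": ")", b"\\": "\\"}

def _decode(raw: bytes, hex_form: bool) -> str:
    """Decode a PDF string object: hex string <..> or literal (..) with escapes."""
    if hex_form:
        digits = re.sub(r"\s", "", raw.decode("ascii"))
        digits += "0" * (len(digits) % 2)          # PDF pads an odd final digit
        return bytes.fromhex(digits).decode("latin-1")
    out, i = [], 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            out.append(_ESCAPES.get(raw[i + 1:i + 2], raw[i + 1:i + 2].decode("latin-1")))
            i += 2
        else:
            out.append(raw[i:i + 1].decode("latin-1"))
            i += 1
    return "".join(out)

def extract_metadata(pdf: bytes) -> dict:
    """Return the sensitive Info-dictionary entries present in the file."""
    found = {}
    for key in SOFTWARE_KEYS + PERSONAL_KEYS:
        # Literal string honouring backslash escapes, or a hex string.
        pattern = rb"/" + key.encode() + rb"\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)"
        m = re.search(pattern, pdf)
        if m:
            hex_form = m.group(1) is None
            found[key] = _decode(m.group(2) if hex_form else m.group(1), hex_form)
    return found

def audit(pdf: bytes) -> list:
    """Pre-publication findings: everything that should be stripped first."""
    meta = extract_metadata(pdf)
    findings = [f"{k} reveals software: {v}" for k, v in meta.items() if k in SOFTWARE_KEYS]
    findings += [f"{k} reveals personal data: {v}" for k, v in meta.items() if k in PERSONAL_KEYS]
    return findings
```

Run `audit()` over every PDF in the web root as a release gate; an empty list means the file carries none of the fields above (metadata streams elsewhere in the file are out of scope here).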
Vulnerable software is the key way that attackers find their way inside your network. If they can scan and they can see an old FTP server, old browsers, old PDF reading software, any kind of software that is old and has public exploits – then you are definitely vulnerable. And that’s just the public exploits; there are also exploits that are not public – zero days that may be just coming out. So this is a very big preventative tip – it’s important, even though we know it is difficult and it can be expensive.

5. When I talk about the fifth one – developing scripts – some people look at me like I’m a little crazy, because if you have ever heard me talk about anything on the podcast, you know I hate scripts. Like when you call your cell phone company because they messed up your bill, they charged you for something you didn’t do, and you call them, and you are upset; and they say they are sorry but they cannot help you, but before they hang up they always say: “Thank you for calling, have a nice day”. That’s a script, and that’s not the kind of script that I’m actually talking about.
I am talking about thinking ahead critically about things that will happen and how you will handle them when they happen. I worked for a company that had no policies and procedures on how they would handle things: something very simple, like when you have to fire an employee. It’s an unfortunate event, but it happens. Well, this company had an employee that was moonlighting, and it was something that broke company policy, and they decided that they had to let him go.
They called him into the office, and they sat him down, and he was agreeable; he actually understood. He was so friendly, he said: “I know what I was doing was wrong and I knew that if I got caught I would have to leave. So I am with you guys, thanks for being cool about it”. The meeting was at about 4:30, the end of the day. He said: “Is it okay if I just take 30 minutes and clean up my office, take my pictures home and head out?” All the managers and the CEO patted him on the back, and they let him do it. Well, before he left he erased 13 servers and all of their backups. 13 servers – I don’t know if you can afford that; this company could not.
Why did that happen? Because there were no scripts in place. There were no policies in place to say: “Here is the way we should handle it when this threat presents itself”. Let’s bring this down to a personal level. In your company, do you have a script in place on what to do if you’ve been social-engineered, or if you suspect you’ve been social-engineered? You got an email, you didn’t think, you clicked the link, and something came up that wasn’t what you were expecting. What do you do with that email? If you are not thinking of the answer right now, you don’t have a script in place.
These are the kinds of scripts I am talking about. Having things in place so that when you click the link, when you get that phone call, when someone approaches you, when you see someone shoulder surfing while you are at the ATM – what are the next steps, what do you do to protect yourself from becoming a victim of social engineering? These are the kinds of scripts that are necessary, and critical thinking is key in this preventative tip.

6. And our final one – have audits and learn from them. This is a hard one too. Working with companies, I’ve heard everything from: “I don’t want to have an audit because I know it’s gonna work, I know my people will fall for that too” to things like: “My employees will never fall for social engineering, so we don’t need it”. And everything in between. But having social engineering audits is important, because if you do, you may find that even if you say you are not susceptible to phishing and your guys can handle that, on the phone your guys really give out too much information. Knowing that info can help you develop the scripts and develop security awareness, to really work backwards in security.
The audit is a key thing that I always like to promote, but just because you get a 300 page report doesn’t mean that the guy did a great job; quantity does not always measure quality. So a social engineering audit should be something that is purposeful, that is directed towards your company, and the audit report should show you exactly what you need to do in order to fix the problems.
That brings us to tying it all together. When you want to tie something together, I would just work backwards through these 6 tips. The first step is having the audit. Once you have the audit, you see where you are weak, you see where you are strong. You will know what scripts to develop. You will know where to train your people. You will know what the security awareness should be about. Again, if your employees are great about phishing, they don’t click on suspicious links in emails, they don’t fall for those kinds of attacks – then giving them a 60 minute DVD to watch about phishing may very well be a waste of their time. But if they are weak on the phone, then that’s where you need to spend your time educating your employees. So having a clear action plan to put it all together is very important. Knowing what needs to happen, and when it needs to happen, and how it needs to happen is really what every company should strive to do.
Working backwards towards success means taking each one of these 6 steps and making a clear written plan – I like written plans, that’s an important piece for me: once you write something down it seems to be committed to memory and you’ll follow through. Once you do that, I can’t guarantee, again, that you will never fall victim to social engineering. But there is an old comic that kind of makes me laugh. There was a guy who was going to run from a hungry bear, and he had two choices of who was going to run next to him: one was a marathon runner, and one was a big guy like me. Who do you want running next to you when you are running from a hungry bear? Me, right? Because I’m gonna run slow. The comic makes sense because this is what’s happening today in the hacking world. When you are running your business, when you are running from the hackers, what you want is to not be the low hanging fruit. You want to be as secure as possible so that when they are looking for a target, their eyes are not set upon you. These 6 tips can help you do that.