The Best Defense Against Social Engineering

By Richard Stiennon


When discussing IT security it is very common to pair up defenses with attacks: firewalls counter network attacks, anti-virus counters viruses, anti-spyware counters spyware, and so forth. So what is paired with social engineering? What is the best way to defend against an attacker who uses deception, lying, and pretexting?

If you read just about any column or article on the topic, the universal answer appears to be training. I beg to differ. Are quarterly, half-day training sessions really the best way to get employees to use screen savers and passwords? Is customer education the way to counter phishing attacks? Should you invest in security awareness training?

Take, for example, the concept of pretexting. It has gotten a lot of press recently because top executives at HP hired private investigators to obtain the phone records of board members and journalists in an overzealous attempt to determine who was leaking information about board discussions.

The PIs would masquerade as these individuals and call the telephone companies to request their phone records. I am at a loss for how you could train a CSR to recognize a pretexting attack. Rather, the phone companies should take two steps. The first is policy: no customer information given out over the phone, phone records mailed only to the address of record, and so on. The second is technology, which can be deployed to identify and alert when these types of attacks are underway.

In the just-published Enemy at the Water Cooler, Matt Contos relates an incident in which call center operators at a phone company were actually in league with the PIs, who were going beyond pretexting to outright bribery. Activity monitoring alerted management that operators were receiving direct calls at their stations instead of calls routed through the call dispatching system.

They were then accessing multiple accounts during a single call, which is definitely suspicious behavior. In this way the phone company was able to track down the dishonest operators and fire them.
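The two signals described above, written out as detection logic over constructed call-center log lines (an added example, not from the article or the book it cites; the log format, field names and the two-account threshold are assumptions):

```python
# Added example (not from the article): detection logic for the two signals the
# text describes -- a call reaching an operator's station without going through
# the dispatcher, and many distinct accounts looked up during one call.
# Log format, field names and the threshold are constructed assumptions.
from collections import defaultdict

# Constructed sample log, one line per account lookup: call_id,operator,route,account
SAMPLE_LOG = """\
C100,op_a,dispatch,ACC-1
C101,op_b,direct,ACC-7
C101,op_b,direct,ACC-8
C101,op_b,direct,ACC-9
C102,op_a,dispatch,ACC-2
C102,op_a,dispatch,ACC-3
C103,op_c,direct,ACC-4
C104,op_b,direct,ACC-11
C104,op_b,direct,ACC-12
C104,op_b,direct,ACC-13
"""

MAX_ACCOUNTS_PER_CALL = 2  # constructed threshold: more than 2 accounts per call is abnormal

def parse_log(text):
    """Parse CSV-style lines into (call_id, operator, route, account) tuples."""
    rows = (line.strip().split(",") for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 4]  # skip blank or malformed lines

def find_suspicious_calls(records, max_accounts=MAX_ACCOUNTS_PER_CALL):
    """Return {call_id: {"operator": ..., "reasons": [...]}} for calls showing either signal."""
    calls = defaultdict(lambda: {"operator": None, "route": None, "accounts": set()})
    for call_id, operator, route, account in records:
        c = calls[call_id]
        c["operator"], c["route"] = operator, route
        c["accounts"].add(account)
    alerts = {}
    for call_id, c in calls.items():
        reasons = []
        if c["route"] != "dispatch":           # signal 1: station reached directly
            reasons.append("bypassed dispatcher")
        if len(c["accounts"]) > max_accounts:  # signal 2: account hopping in one call
            reasons.append(f"{len(c['accounts'])} accounts in one call")
        if reasons:
            alerts[call_id] = {"operator": c["operator"], "reasons": reasons}
    return alerts

def operators_to_review(alerts):
    """Operators with at least one call that shows both signals at once."""
    return sorted({a["operator"] for a in alerts.values() if len(a["reasons"]) == 2})
```

Either signal alone produces an alert for the call; an operator whose calls show both at once is the case the book's management acted on.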

I must say, a great form of employee education is to fire violators of a privacy policy. That lesson sinks in.

Screen Savers and Passwords

What about screen savers and passwords? In years past, employees had to endure quarterly training sessions where they were berated for not using screen savers and “strong” passwords. They were taught how to pick passwords at least eight characters long and with special characters.

They would go back to their desks, set their screen savers to pop up every five minutes, and change their passwords from “Yankees” to f%^7!38o. After about two days they would turn off the screen saver and revert to “abc123” for their password. Today, screen saver and password quality are set in policy and enforced with technology. No need to train anyone; just enforce the policy.

The same goes for other forms of security awareness training. If you determine a need for awareness training you probably have a hole in your defenses that needs to be addressed.

There is one form of security training that I advocate: send your developers and system administrators to hacking school. Teach them how easy it is to bypass most security settings and defenses. By doing so you will induce a healthy paranoia that counteracts the typical attitude of “security slows me down.”

But for executives, call center personnel, plant labor, shipping and receiving personnel, and other non-IT staff, you can find much better ways to invest your IT security budget than security awareness training.

Protect them against executables in email. Install anti-spyware and anti-phishing defenses. Make it impossible for someone to give out credentials over the phone by deploying token authentication devices. Use proximity IDs, biometrics and cameras for building access if you perceive a risk of unauthorized personnel wandering around your facilities. Don’t rely on your people to stop suspicious characters.

For every attack there is a defense. For every gambit in chess there is a response. But social engineering is too broad in application to be countered with just security awareness training.

In most cases you are better off investing in new controls and technology than throwing resources away on ineffective training programs. When confronted with an argument in favor of training, ask yourself, “How can I address this risk by changing my policies and engaging technology solutions?” before you authorize spending on something that will do nothing to improve your overall defense posture or reduce your risk.

Richard Stiennon is the former vice president of Threat Research at Webroot Software and now the founder of IT Harvest, an IT security research firm. He is a holder of Gartner's Thought Leadership award for 2003 and was named "One of the 50 Most Powerful People in Networking" by Network World Magazine.