Businesses spend a significant portion of their annual information technology budgets on high-tech computer security. But the firewalls, vaults, bunkers, locks and biometrics those dollars buy can be pierced by attackers targeting untrained, uninformed or unmonitored users.
Few companies properly address the human element of information security. "There are times when the human element is the leaky faucet" that spills sensitive information, says Debra Murphy, a consultant who is vice president of marketing for Rapid7, a Boston-based security software company that performs vulnerability assessment, network penetration and social engineering testing. One cause of the employee-related information leakage is the pressure many workers are under to constantly improve customer service. "People are being measured on helping customers and providing a great customer experience," Murphy says. Social engineering scam artists, who use deceptive and manipulative tactics on individuals to gain unauthorized access to information, pounce on that customer-focused mandate.
Some of the best tools for fighting social engineering attacks are security awareness training and social engineering testing. The effectiveness of these controls will vary based on the quality of their implementation, including follow-up and retraining.
Social engineering testing, by its very nature, can be difficult to conduct without third-party assistance. One option is to engage an information security organization to conduct testing. The testing can uncover areas in which an organization is most vulnerable so that risk can be assessed and mitigation strategies can be formulated and implemented.
While prices vary, hiring an outside firm to conduct social engineering testing typically costs between $10,000 and $15,000. Rolling social engineering testing into a larger security penetration engagement can reduce the cost of the social engineering component, says Jim Patterson, director of consulting for Rapid7.
A meaningful social engineering audit must involve people who are knowledgeable about social engineering techniques and are creative enough to mimic the methods of real attackers. Rapid7 typically tests in a double-blind engagement, coordinating primarily with internal audit groups in large companies or the head of IT in smaller businesses. The testers set out knowing little about the client company, Patterson says. The IT staff and other employees of the target firm are not alerted to the possible attack.
The following example is based on an actual social engineering test. For privacy, some information has been altered or omitted; however, the techniques and results are accurately portrayed.
A common way to prevent unauthorized access to secure information is to require proof of identification. The goal of this test was to manipulate a bank employee into...