It is logical that with all the information we release on prevention of social engineering attacks, employee deception, fraud and identity theft we would receive questions on how to choose a good auditor. Requests have been coming in to have us perform social engineering audits and how to choose a good auditor.
I think what we need to discuss first is the different types of social engineering audits and then from there you will clearly see how to choose a good auditor.
We can break social engineering audits into two main categories, Internal and External, then from there break them down into smaller sub-categories.
Internal Audits are just what they sound like, the auditor may simulate the attacks from the position of a very low level employee. They are given the rights, permissions and access as a new employee. From there the social engineer will attempt certain attacks and see how successful the attempts are and how devastating they could potentially be for the company. This is not to be confused with “Internal Audit” that exists in many companies, which primarily deals with financial and technical auditing, normally in support of a compliance effort.
In one company we worked with they had horrible policies for when they had to lay someone off. We told them numerous times when we would consult that their written policies needed to change. When they would terminate employment they would let them go back to their office unsupervised and pack up their office, download personal files from the computers then leave.
One day they had to fire one of the Chief Financial Officers in the company as he was moonlighting and he chose to do it with a competitor. The meeting went great, “John” understood their position and with a smile on his face made the firing very easy. He then shook their hands and said he would clean out his office, hand in his key card and then leave.
The management all patted themselves on the back for a job well done. The next morning when they came into the office it was chaos. It appears that someone decided to schedule a job on the 13 servers that would shut down all back ups, then format all servers. 13 servers and about 11 million USD in damage, why? Because they allowed a disgruntled and now, fired employee to have full access to the network after they fired him.
This is not a lone story or something new. Unfortunately these things occur all too often. Auditing the internal policies for needed change is a very important aspect of an audit.
• How easy is it for an employee to copy sensitive information and take it “home”?
• Can an employee bring in personal media and use it to take files home?
• Do they have the ability and permissions to set up file sharing or access from outside?
• What software do the employees run on their computer that can make them vulnerable?
• Do the employees use their corporate emails for personal things?
All of these and more questions need to be discussed and answered during a social engineer audit.
This type of audit has many angles, but it is really where the heart of the social engineering audits exists. Lets discuss this in the three levels of external audits.
These type of audits focus on email, web cloning and phishing scams. The auditor will do heavy amounts of information gathering and decide what avenue might have the biggest effect. Whether it is a charity, fantasy sports league, club, or just social sites – the auditor will work on perfecting a message that will have the maximum effect.
It may include cloning a website and then sending an email from that website to try and trick the employees to visit. In one such audit we found that 20 employees where all part of a fantasy basketball league, lets just say the site was www.basketballleague.com we cloned that site and registered the domain www.basketballlleague.com almost indiscernible from the real one. We found out that the domain manager was Mike and he regularly sent emails with specials to the members. We sent a mail from [email protected] to all members in that company stating that by just visiting a new site and testing it out we would give them a free month.
Every single one clicked and went. The site presented them with the same logos and headers and look and feel as the real site (as it was cloned) and they were presented with a user id and password box. They were asked to log in and check it out then give us feedback. Almost all people will use the same password for their mail and websites and bank accounts. We also embedded a malicious iframe on the page that would feed us reverse meterpreter shells. In the end we harvested 20 passwords, of which 11 where the same as their mail passwords and gained access on 7 different computers.
All of this was done via email without having to pick up the phone or visit the site once.
Remote with Phone:
Basically this type of audit will be all of the above type of services but we will mix in some phone social engineering. One account we captured shows how 60% of IRS agents fell for a simple scam when audited.
“Hi this is Larry from IT we are running a password security program and going to be resetting everyone’s passwords to something a lot more secure. Do you have a pen handy?”
“Ok write this down [email protected]%. That is your new password, I will need your present password so I can log and replace.”
“Ok it is fluffy123”
“Great, give us 30 mins then log out and log in with your new password. Thanks”
60% fell for that, and I can tell you that much more fall for that in our audits also.
The telephone is a devastating tool when used by social engineers. With a lot of information gathering and a little bit of work a very successful telephone SE Program can be generated.
The goal with mixing the phone in the audit is to see if the target will give out information over the phone that can facilitate a social engineering attack. Many times this part of the audit is very successful.
Onsite Audit/Red Team:
This type of audit will mix all of the above aspects of other audit types but with a special mix of onsite work too. Onsite work can be as simplistic as a fake pizza delivery guy or the UPS man that is dropping off a box and leaves a few carefully placed CD’s or USB keys. Or it may be a sales guy who is having a meeting with the boss and needs a print out of his ruined resume or sales proposal. Or it can be an after hours red team break in where we infiltrate the perimeter and steal company secrets.
An audit that includes onsite work will truly show the security holes clearly. The reason onsite work is becoming more accepted in social engineering audits is the way it shows the ability for a real hacker to gain access. Companies generally will spend hundreds of thousands on firewalls, IDS, anti virus systems and the like, but then protect those investments with a $20 lock.
Policies on how media is handled, cameras, visitors and other such matters are all tested and exploited to see where an attacker could potentially gain access. While some may argue that actual red team testing is not realistic we argue that point by asking how much your intellectual property is worth?
If your company contains secrets, files or data that could ruin your business to land in a competitors hands then nothing is too far fetched. It costs companies over $25 billion per year in loss, so it is a serious threat.
With that in mind auditing is essential for many companies especially if they want to ensure their clients they are doing all they can to be secure.
This is a very short overview of a very serious topic. The question that might come up is how to use this information?
Audits and penetration tests are becoming more common parts of everyday business life. Sit down and decide what it would cost to be down for 1 day, 1 week, 1 month? Is it worth the time, effort and money to not only audit your company and people, but then to make the changes needed really be secure.
Each year social engineering becomes a bigger and bigger threat with the average costs of a data breach coming in at over $3.43 million USD.
The only real way to be sure something is secure is to test it. And don’t fool yourself into thinking it won’t be tested in some manner. By a controlled test such as described here, or by a real attacker that has malicious intent.
Every day we are bombarded with news of controls that failed and the unexpected and often catastrophic results that occur when they do. A social engineering penetration test can identify these situations before then occur in an uncontrolled environment. However, the results are only as good as auditor you pick to conduct the work.
When you are picking the auditor for this sort of work, be sure to consider the reputation of those that are conducting the work as well as their experience and knowledge. Consider the types of services you need in order to truly test your company and feel out the auditor. Don’t be afraid to ask a lot of questions.
Get a clear picture of the methodology and practices of the company you are considering. What information, research or tools have they contributed about social engineering? Can they truly simulate a viable and realistic attack that will identify the areas that need to be secured?
Some companies run a few automated tools and track how many clicks targets make on phishing emails or malicious websites and claim that is a social engineering audit. Keep in mind to be a real audit they must simulate the actions of a malicious social engineer.
It is not an easy job but it is imperative to make sure you choose the best social engineering company to fit your needs. Think of it this way, if you were sick and needed to see a doctor would you want to choose just any doctor? If you had a serious illness and wanted needed to route out the problem you would want the best. A doctor with a world renowned reputation, a doctor that has a track record of being the best and a doctor that has demonstrated real actual expertise in their field, not one that just wrote papers and talked to other doctors.
That is not too different when it comes to a social engineer auditor. It is important to remember that the objective of the audit is to evaluate the security of the people in your company. Getting the best possible evaluation is your goal.
How to Find a Good Auditor
Sometimes companies feel like they must go with a large company for these assessments. They assume a larger company size and well-known reputation means a better job. That is not always true.
Here is a list of questions you may want to ask:
• How long have the auditors been performing social engineering security audits?
Often time’s larger organizations will sell off the reputation of the organization but then staff with junior level employees that do not have field experience. Not to say that if someone has been doing it for years they are automatically good, but someone who demonstrates a few years in the field probably has skills that kept him in the field for so long.
• Can you explain your methodology?
Many outfits will not give out a detailed methodology right off the bat, but by at least getting an outline you can understand what will and will not be tested. This can also give you a clear picture of what to expect.
• Can you give me some realistic scenarios for a company like mine?
Like the above point, the auditor might not want to give away all his secrets before the audit, but can you get a clear picture of what he is and is not willing to do? Some past scenarios will help you to also see what type of audits they have performed in the past.
• What reporting method do you use? Do you have a sample report?
At the end of the assessment, the report is your only hard deliverable. It needs to be quality. Seeing a sample report can also help you determine if they take pride in their work and if you will be happy with the end product. The reality is that you can have the best social engineer on earth but if his reporting techniques are terrible then you have gotten nothing from all that work and expense.
• Can you provide any testimonials or references?
Due to the secure nature of the work many companies do not want to be put on a contact list for other customers, but many times you can see some testimonials from past clients that will help you see what others had to say about their work.
This is just a short list of questions that will give you a better idea on what you are looking for. Anytime we have been asked questions like this it helped us to see that the company was serious about their request. Choosing the right auditor is important, not just because of the cost, but because you are putting the testing of the security of your company in their hands.
Conversely, a quality auditor will always be pleased to be asked these types of questions. Quality assessors want to do work that matters, and an organization that cares enough to screen their service providers demonstrates to the social engineer that this will be a serious assessment, not just going through the motions to meet a requirement.
Results matter. Choose wisely and if you need help, have questions or comments I encourage you to write in.