A common saying is ” Amateurs Hack Systems, Professionals Hack People”. Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone.
Consultants list end-user training as a top prevention to defend against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.
Explain Why Policies Exist
It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize its standard legal language.
Try explaining why users should care. For example, start off with a scenario about an email account being violated and or company data compromised. Include details about what social engineer tactic was used, investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.
Provide Examples Beyond The Intranet
Organizations typically send warning emails to employees when they discover threats to internal sources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craiglist scams and threats using shareware. Your end-users can be targeted anywhere so educate on all forms of social engineering attacks. Continue reading →
Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network Policy requirements can change based on device type, time of day and user role. Its key that network policy is automatically enforced rather than something end-users choose to abide by or most likely will fail when most needed.
Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in a email) or users bringing devices infected with malware most likely obtained while surfing websites that violate network policy. Its also common to see users violate security controls if it impacts their work flow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.
Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.
The problem with these solutions is scalability. Most content filers require either user devices to be configured inline (hardcoding proxy settings) or routing traffic to the device (example WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not cooperate assets such as mobile devices.
(Cisco’s Web-Security Portfolio)
A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (example Cisco AnyConnect with Ironport or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (example Citrix). Sandboxes work well however may encourage the wrong user behavior such as emailing information to a g-mail account to bypass the sandbox. One solution I like is Cisco’s OEAP which extends the internal network (including corporate SSIDs) to my home office.
Agent and cloud based technology can enforce network policy for laptops and desktops however fail for most mobile device types such as androids and apple devices. The reason is most mobile device manufactures give power to the end-user meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by a MDM provider but fail when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the MDM enforced by Access Control technology approach.
Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.
Many network administrators do not have a method to know what is on their network. Devices may be very basic yet use IP for updates or heartbeat purposes (examples are printers, card readers, even some refrigerators). Other issues could be users not having administrator privileges to their systems or recently the demand to bring personal mobile devices onto the network. For these and other reasons, the visibility on what is on the network is becoming blurred.
Cisco released its flagship access control solution Cisco Identity Services Engine ISE last year with the goal of using identity as a means to provision network access. Many people evaluating Network Admission Control solutions get caught up with the concept of denying rather than understanding a core purpose of these solutions is identification. Cisco ISE is able to profile devices using a number of network probes that analyze the behavior of devices on the network to determine what they are. Probes are optional yet best practice is to enable as much as possible to gain the best network visibility. Some options for probes are Netflow, DHCP, DHCP SPAN, HTTP, Radius, NMAP, DNS, SNMP Query and SNMP Traps. Ports used are configurable as well as device profiles. For example, if a Avaya phone requires DHCP as a requirement for identification, that requirement can be adjusted if DHCP is not available.
To prove the ISE network monitoring concept, I stood up a ISE system on a small server, enabled all profiling probes and let it sit on my network overnight. ISE did not have AAA setup, user information, 802.1x or device management enabled. Consider this ISE system a server / laptop plugging into a DHCP port and sniffing the wire using profiling probes.
My network is very basic. I have a small Cisco Firewall providing LAN access with a ROKU Netflixs player, Blue Ray device (off during test) and Cisco Access Point powered from the firewall. ISE was able to identify my laptop as a Apple Workstation running Lion, my printer as a Canon device (I turned it on for 5 minutes to scan a document and powered it down), MACMINI as a apple device hosting VMWare, Apple iPad connecting to the Access Point and iPhone connected but not surfing the internet (seen as Apple iDevice since it generated little network traffic). This was done without using the new NMAP feature.
I verified findings by launching a NMAP scan and found a consolidated list of active devices. (Note this is the MR1.1 release however 1.1 includes NMAP as well)
Cisco Identity Services Engine ISE is a very powerful access control tool yet many forget the simple things in life. Consider ISE for identifying what is on your network using profiling as a network monitoring tool. Its a great first step to establish your network policy.