A common saying is ” Amateurs Hack Systems, Professionals Hack People”. Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone.
Consultants list end-user training as a top prevention to defend against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.
Explain Why Policies Exist
It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize its standard legal language.
Try explaining why users should care. For example, start off with a scenario about an email account being violated and or company data compromised. Include details about what social engineer tactic was used, investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.
Provide Examples Beyond The Intranet
Organizations typically send warning emails to employees when they discover threats to internal sources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craiglist scams and threats using shareware. Your end-users can be targeted anywhere so educate on all forms of social engineering attacks. Continue reading →
Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics (http://www.cloudcentrics.com/). Really good post on NetWitness.
RSA NetWitness is a unique solution that captures, store and analyze network data traffic. This gives you the able to see exactly what comes in and goes out of the network in real time . In simple terms, RSA offers to you a Network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its own type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.
RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises; enabling extraordinary broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.
Why is it important?
NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.
More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.
Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.
Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.
Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.
Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.
Anatomy of an attack
Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.
Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.
A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the users’ system. From that point on, it was trivial for them to exploit other systems on the users’ network.
Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes – mostly by redireiting anti-virus updates to a 127.0.0.1 IP address.
Since NetWitness recorded all network traffic, it recorded what systems were compromised, communications with systems in China, and what was being transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.
NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.
Many corporations fail to establish and enforce a network policy. A network policy is a set of conditions, limitations, and customized settings designed to control how authorized subjects use network resources. Common examples of a network policy are controlling access to adult, gambling, hacking, blacklisted and other website categories that violate human resource (HR) and security standards. Network Policy requirements can change based on device type, time of day and user role. Its key that network policy is automatically enforced rather than something end-users choose to abide by or most likely will fail when most needed.
Users are the weakest link in any network. Hackers know this and target the majority of attacks at this vulnerability. I constantly hear customers complain about phishing attacks (users clicking a link in a email) or users bringing devices infected with malware most likely obtained while surfing websites that violate network policy. Its also common to see users violate security controls if it impacts their work flow. I had one audit identify internal users VPNing from their workstations to bypass internal network policy due to lack of controls for remote users. Poorly enforced policies will impact your security, reduce workflow and become very costly as a result of failed audits and compromised systems.
Common solutions for enforcing network policy are layer 7 / application layer firewalls, content filters and bolt-on technology such as cloud applications or agent technology that control network traffic from end-points. I wrote a post about the concepts behind web-gateway solutions HERE. The standard offering provides content categories (Gambling, Social Networks, Hate, Sex, etc.) that can be denied, limited or monitored. The more advanced solutions include security components such as anti-virus / anti-malware, layer-4 monitoring, website reputation scoring and other features.
The problem with these solutions is scalability. Most content filers require either user devices to be configured inline (hardcoding proxy settings) or routing traffic to the device (example WCCP). These solutions become difficult to enforce outside of the internal network as well as on devices that are not cooperate assets such as mobile devices.
(Cisco’s Web-Security Portfolio)
A common solution that addresses external devices is VPNs routing traffic through network policy enforcement solutions (example Cisco AnyConnect with Ironport or ScanSafe). An alternative is using sandbox-based methods such as remotely controlling internal machines (example Citrix). Sandboxes work well however may encourage the wrong user behavior such as emailing information to a g-mail account to bypass the sandbox. One solution I like is Cisco’s OEAP which extends the internal network (including corporate SSIDs) to my home office.
Agent and cloud based technology can enforce network policy for laptops and desktops however fail for most mobile device types such as androids and apple devices. The reason is most mobile device manufactures give power to the end-user meaning users can opt out of security (more on this HERE). Some MDM vendors such as Zenprise offer the ability to force network traffic through a VPN tunnel, which is great when devices are managed by a MDM provider but fail when the MDM agent is not present. The only protection that can be applied for mobile devices not using MDM is controlling access to sensitive data through data loss prevention, sandbox sessions or encryption technology. I personally like the MDM enforced by Access Control technology approach.
Network policy can be enforced many ways but must meet your overall business goals and extend to all devices regardless of location. The technology is available however requires investment from leadership to properly build a policy and purchase the necessary tools to enforce it. Most failures in network policy are caused by a lack of focus from leadership.
The web is a dangerous place so its extremely important to have web proxy / content filter technology protecting users that access it. I had a roommate years ago who purchased a computer and within hours had every virus, malware and what not clogging his new machine. I’m sure he didn’t have the best surfing habits however that doesn’t mean the average user is less likely to be infected. What most people don’t realize about websites is they are like a Paint By Numbers canvas leveraging other websites to fill in the colors. For example, if you see a RealAudio video on a website, guess what … you have surfed both that embedded video’s website and the host website. The same goes when there are hidden links that download malicious malware on what you believe is a safe website.
The standard defense for Internet based threats is a web proxy / content filter solution or similar features imbedded in a firewall, IDS/IPS or SAS offering. The baseline solutions offer Content Filtering meaning the ability to monitor or block web content that violates specified policy. The major players do this well (Bluecoat, Websense, McAfee, Iron Port, etc.) by grouping web content into categories. For example, an administrator can deny all adult websites by blocking the adult category, which is an up-to-date list of the known adult sites. Smaller players work like an access-list manually blacklisting websites, which is a nightmare to manage. In the end, this is a commodity feature for the real players and should come standard for web proxy / content filter solutions with little management to maintain content categories.
Besides denying policy, web security / content filter solutions should have a method to check web traffic for threats. Many vendors offer anti-virus, anti-malware and content scanners that look for malicious traffic inline by redirecting network traffic through a web security / content filter or by endpoint proxy settings forcing endpoint web traffic to the security solution. Some verify content for hidden attack vectors in a closed environment prior to permitting access to the website (also known as sand-boxing). The best web security / content filter solutions offer a mix of signature and behavior sources since no single source can cover the entire gamut of web attacks properly. It’s also important that the web proxy / content filter solution is capable of viewing https IE secure channels or you will miss end user traffic that is encrypted.
Reputation or website “credit scores” is becoming a popular factor utilized by web security / content filter solutions. My blog on this subject explains this HERE. Reputation is key for speeding up the security process since many harmful websites can be denied based on reputation rather than scanning and identifying threat signatures or malicious behavior. I’ve used solutions such as IronPort Web Security Appliance (WSA) and usually 90-95% of the websites denied are identified as malicious based on reputation rather than passing the reputation check and caught by other security defenses.
The final point about securing access to the Internet is to consider email and web as equal targets since they are the most common cyber attack vectors. Web proxy / content filters need the same investment as Email Security and must be designed as a unified solution. I’ve had customers say “we get phishing attacks that send clean emails with links to malicious websites”, which users clicking the links is a Web Security vulnerability … not email. Other investments should be made in post compromised technology such as botnet / malware detection technology (Netwitness, Wireshark, Ironprot WSA botnet scanner, FireEye sandbox technology, etc.), Data Loss Prevention and host based security. No solution is a silver bullet so a layered defense will dramatically reduce risk if the overall design compliments each solution rather than operates individually.