Past studies have already shown SMBs to be lacking when it comes to security training. When that shortfall translates into a deficit in general security awareness, however, the situation becomes exploitable: social engineering can carve holes in even the most robust IT defenses like a hot knife through butter.
In fact, social engineering was actually used as part of Operation Aurora (aka The Google Hack) to determine working relationships between company staffers. This allowed the hackers to craft spoofed e-mails with a much higher chance of tricking users into visiting a malware site. When you get down to it, the perpetrators could have learned of Google's use of Internet Explorer 6 through social engineering, too.
The thought that tens of thousands of dollars of anti-malware defenses, hardware firewalls and appliances such as IDS and IPS could be nullified via social engineering is a somber one, and one put to the test at the recent DEF CON 18 Hacking Conference. The idea behind the contest was simple: get a mix of people, the majority of whom were not professional security auditors, define some ground rules and see how real-life companies fare against them.
Chris Hadnagy, co-founder of Social-Engineer.org, who organized the event at DEF CON's request, has this to say about social engineering:
We define social engineering as understanding what makes a person think, tick, and react and then using those emotional responses to manipulate a person into taking an action that you want them to take.
Contestants were given the name of a real company two weeks in advance, and were allowed to compile a dossier through "non-invasive" techniques. This basically meant no e-mails or phone calls, only publicly accessible information obtained from the company's website or elsewhere on the Internet. The assembled information was then used to plan an attack to be carried out on the day before a live audience.
Questions that could be asked were limited to those deemed non-damaging; asking for passwords and IP addresses was not allowed. Contestants were instead directed to determine information such as the versions of the Web browser or PDF reader in use, or whether there was a cafeteria and who ran it.
Speaking to eSecurity Planet, Hadnagy elaborated on some of the approaches used:
We saw a very wide range of techniques, from people calling as a very technical person looking for information from a sales department to people playing really dumb, pretending they didn't know anything at all about computers.
Every single company that had an available human failed. Five people out of 140 calls shut us down. But then we would call that same company back, get a different employee, and then we would own that company.
In a nutshell: employees at every single company in the contest gave away information that they shouldn't have. In fact, one contestant even managed to get a (well-meaning) employee to visit a specific URL, which in a genuine attack would have hosted malware. And mind you, the contestants were asked to call some of the largest companies in the world.
By now, I hope it is clear that an increased budget should not be limited to buying more appliances or anti-malware software. Instead, resources should also be devoted to educating employees to defend against social engineering.
In a subsequent blog post, I will make some recommendations on how SMBs can create heightened security awareness among their employees.