Archive | September 2012

Calling All Social Engineers

A friend of GreyCastle Security stopped by this morning to discuss social engineering and how it can be used to improve audit programs.

This friend is an Auditor for a large state-run entity, and a wannabe pentester (tough to blame him).

Now I know what you’re thinking – why is an Auditor interested in social engineering?

I’m glad you asked.

First, we’ve seen many audits totally miss the mark by not including the people aspects of information security. In their defense, audits are typically based on compliance regulations or organizational policies, which miss the same mark.

But if you were an Auditor, where would you focus?

On the countless firewalls out there that are summarily bypassed by attackers, both expert and newb? Or the hordes of susceptible bank tellers, healthcare executives, students, IT administrators and other personnel targeted each and every day by cybercriminals all over the globe?

The answer is clear. Auditors need to be social engineers.

But that’s not as easy as it sounds. In our conversation today we talked about what makes a good social engineer. And the reality is, the best social engineers are born, not made.

That being said, social engineering skills can be taught and improved, even if your name doesn’t end in “Mitnick”.

So what are these skills?

The ability to improvise is critical. So is the ability to collect and leverage information about assets (people) to your advantage. And last but not least, the ability to maintain cool under pressure, especially when being challenged.

A good social engineer is generally good at getting out of tickets, into the VIP and around the rules. If you panic when trying to get away with a duplicate grocery store coupon, it might not be for you.

So if you’re comfortable impersonating someone you’ve never met, that may not even exist, to gain confidential intel or compromise an asset for the betterment of the greater good – all while smiling – we may be looking for you.

After all, the human side of information security is quite possibly the most important, and most misunderstood, of all.

Next month is National Cyber Security Awareness Month. Stay tuned for a whole month of interesting thoughts, trends and tips for securing human beings.

Remembering 9/11

For most, if not all Americans, today is a special day.

Eleven years ago we were all changed, some of us irrevocably. The images of that day are still burned into our memories.

Images of Osama bin Laden or the collapsing Twin Towers still generate feelings of angst, powerlessness and fear.

And yet, that’s all they are.

In a world of risks separating feelings from reality is difficult, but necessary. In many cases, they are not only different, but contrary.

Ask someone if they would rather text while driving or face a terrorist.

Yet texting while driving has killed twice as many people this year as terrorists have.

So why aren’t we afraid of texting in a moving car?

The answer is related to the way human beings make decisions. It’s related to the way the human brain works, and to the way fear, ego and survival instinct cause us to feel and react.

It makes us really bad at judging risk sometimes.

Eleven years ago, the USA, including the intelligence community, Government and Military, didn’t keep feelings and reality in check. We didn’t understand our risks.

We didn’t think terrorists would fly planes into buildings.

Let’s take a moment today to remember those lost in the tragedy on September 11. Let’s remember all of those affected. Let’s remember those who have paid the ultimate price fighting to make things right.

Let’s also remember that the next tragedy can be averted if we remember that you can feel secure and not be.

Security is “No Easy Day”

The recently published book containing the details of the raid on and killing of Osama bin Laden has caused a firestorm in military and security circles.

In “No Easy Day”, Mark Owen (a pseudonym, his real name is Matt Bissonnette) provides a first-hand account of the planning and execution of the operation to kill the world’s most wanted terrorist.

The ex-Navy Seal gives a blow-by-blow in what is described as a vivid, and sometimes gruesome documentary.

The Pentagon claims that it contains “sensitive and classified” material. You may argue that the very honor, ethics and cultural values of America’s elite fighting force have also been compromised.

But this debate goes beyond disclosure of classified information, which is a crime.

These types of disclosures have very real parallels in information security, as well.

Some security experts argue that disclosure of security operations, particularly during data breaches and other incidents, is critical to the successful handling and prevention of future incidents.

The concept is that the more that is published about how particular vulnerabilities were exploited, the better prepared other organizations can be to defend against them.

Some claim that the disclosure of data breaches and their related vulnerabilities only invites copycats. After all, how many organizations will take action on advice, once given?

Still another argument suggests that disclosures weaken the defenders themselves, rather than the vulnerabilities. The more an attacker knows about our Tactics, Techniques and Procedures (TTPs), the better they can work around them.

Sharing information is critical, whether it’s done at the department, industry or nation level. The question then becomes, how can we share intelligence without compromising our own mission?

The concept of Operational Security (OPSEC) has existed for millennia. During times of war, mission plans are the most sought after of all artifacts.

During times of peace, they are surpassed only by the plans for war.

Many argue that Mark Owen has now put the lives of many Navy Seals in jeopardy. At a minimum it’s going to make their jobs a little harder for a while.

And if nothing else, it has brought visibility to the importance of Operational Security.

Irrespective of which side of the fence you sit, you need to know where the fence is. And you can be pretty damn sure that there’s somebody on the other side.

Now we know that they’ve got 23 other guys, dropped out of a stealth chopper and are carrying M4s.