Chapter 16

Internal Social Engineering Assessments

Andrew Mason,    Technical Director, RandomStorm Limited

This chapter looks at the role of an internal social engineering assessment as a defensive strategy. An internal social engineering assessment is one which is run against your own staff as a way to highlight security weaknesses and to improve security awareness internally within a business. This chapter looks at why you would run such a test and also recommends some frameworks for carrying out such an assessment.

Keywords

Internal testing; Hacktober; vulnerability scanning; password auditing

Information in this chapter

• The need for internal testing

• Facebook Hacktober

• Designing the internal test

• Testing the infrastructure

• Vulnerability scanning

• Password auditing

• Testing the people and processes they follow

Introduction

Chapter 15 discussed the benefits and challenges surrounding security awareness and training programs.

This chapter looks at the role of an internal social engineering assessment as a defensive strategy. An internal social engineering assessment is one that is run against an organization’s personnel, as a way to highlight security weaknesses and to improve security awareness internally within a business. This chapter looks at why such a test should be carried out and also recommends some frameworks for carrying out such an assessment.

The need for internal testing

Peter Drucker, the prominent American management consultant, is often quoted as saying that one cannot manage what is not measured. This statement makes a lot of sense when thinking about how to measure the effectiveness of an organization’s information security policies and procedures.

Chapters 14 and 15 covered the defensive strategies of hardened policies and procedures and of staff awareness training. Policies and procedures created with security in mind are the building blocks of secure practice and provide the framework for secure business processes. These processes, no matter how strong and well designed, are only as good as the people who implement them. Staff awareness training aims to educate employees to understand the risks and to adjust their behavior accordingly. Employees have to be engaged with the need for secure working practices for any staff awareness training program to be considered a success.

For sizeable organizations, this work can be substantial and will require a large investment, both financially and in the time of senior management, in order to be implemented correctly.

Presuming an organization has reviewed its existing policies and procedures with a view to making them more secure, and has also undertaken a full staff awareness training program, the question is how the implementation of these policies is to be measured so that it can be managed. Without adequate measurement of such an intervention, the stakeholders of the business cannot really know whether the change has been successful.

The creation and performance of an internal social engineering assessment is one way to measure the effectiveness of the policies and procedures within an organization, as well as how well the staff implement and follow them.

A frequently asked question is why an internal test is needed, especially if an external professional testing company is already engaged to carry out both infrastructure penetration testing and social engineering assessments. It could be argued that if an external company performed very regular testing, then this would negate the need to run regular internal assessments using internal staff. However, external companies are usually contracted to perform annual tests, especially where there is a compliance requirement to be tested on an annual basis. External assessments can be very expensive, as they are labor intensive, use highly skilled consultants, and usually look at the whole infrastructure that is in scope, either through need or through a compliance requirement.

An internal assessment is performed by internal resources and can usually be more targeted than what an external company would be able to provide within its time and budget constraints. It is not unusual for an internal assessment to be lengthy; performed by external consultants, such an assessment would prove expensive and would not be the most efficient use of their chargeable time. The creation and execution of an internal assessment performs three roles:

1. The main role is to measure the security posture of the organization and how easy it is to gain unauthorized access to the corporate resources through traditional network-based means or by social engineering the users.

2. The second role is to measure the effectiveness of any recently delivered employee security awareness training or other interventions designed to improve security.

3. The third role is to improve the technical skills of the IT staff internally who would be designing and performing the assessment.

The security posture of a company is only assumed unless it is regularly tested. It is quite common to hear an IT manager claim that because they have anti-virus and they regularly patch, they have a secure network. This is a common statement from customers before a professional services engagement, only for the assessment to prove that the network has many security vulnerabilities that the company’s supposed security processes and procedures did not address. It can shock the client to see how easy it is to go after a single entry point and then, once on the inside, take complete ownership of the infrastructure from that single point. Internal testing provides a means of testing this on a regular basis and can be very targeted. Try picking one area, e.g., user passwords, and then design and perform an assessment of that area; password auditing is covered later in this chapter. This constant measurement provides feedback to the business about its true security posture and can be used to justify the budget to contract an external company to provide either further security awareness training or more in-depth security testing to fully investigate the problems within the business.

If security awareness training or some other intervention aimed at improving the security posture of the business has already been provided, then running an internal test is a great way to benchmark the progress. The first time an internal assessment is performed, the baseline is set; future assessments then provide a way of measuring improvement or regression in the security posture. These assessments have to be carefully designed to take account of new employees in roles, or new policies and procedures, that could skew the results. Again, this is a great way to demonstrate that the investment in improving the security posture of the business has, hopefully, had a positive effect.

It is quite common for internal IT employees to wear multiple hats, and in the current economic climate it appears that cutbacks have affected the staffing levels of many IT departments, leaving employees performing multiple roles. I hope we can agree that the security of the infrastructure is a key role and one that cannot simply be outsourced to an external consultancy. In light of this, it is important to invest in the security skills of the internal IT team. It is not assumed that the internal team would gain the specialist knowledge or experience to become fully fledged penetration testers able to perform assessments on third-party networks, but it is hoped that the investment in training the team would be adequate to allow them to understand the concepts and to design and implement effective internal assessments against their own network and users, in order to highlight required improvements to their internal security posture. As well as providing valuable skills that can be leveraged by the business, this form of up-to-date training also helps with employee engagement, as employees will feel more current, and there are many positive links between engaged employees and company productivity.

There is also a psychological effect on employees when they know that they are being tested. People tend to behave differently when they know that they may be found out and made an example of in front of their peers. It is plausible to hypothesize that employees who are aware that internal tests are carried out are less likely to engage in unsafe activities and will generally work in a more secure manner. One simple behavior, asking users to lock their workstation when leaving their workspace, can be reinforced by catching out people who have left their workstations unlocked, thereby generating a sense of security paranoia in which an employee will leave their workplace and then return because they realized they had not locked their workstation.

A comparable example is the personal bag spot checks employed in many retail environments. Employees in retail environments are less likely to steal merchandise if there is a random spot check policy in place under which somebody’s personal bags are checked every day.

One example of a well-known company that performs internal testing is Facebook with their Hacktober event.

Facebook Hacktober

As previously mentioned, one very well-known company that performs such internal security testing is Facebook. Every October since 2011, Facebook has run what it calls Hacktober. This is a month-long event featuring a series of simulated security threats that attack Facebook staff computers to see who falls for them and who reports the issues. It is a special event that complements an ongoing program of constant internal security testing to heighten the awareness of employees within Facebook (Figure 16.1).

[Image] Figure 16.1 Facebook Hacktober.

Various attacks are attempted against Facebook employees with the intention of tricking them, through social engineering, into succumbing to the attacks. The attacks are very devious and are normally in line with the employee’s job role, so as not to arouse too much suspicion. Employees who recognize and report an attempted phishing scam or security threat receive a prize and kudos from their peers. Those who succumb to the attack are provided with further security awareness training and are educated about what happened, where they went wrong, and how to spot and report potential issues in the future.

The approach taken by Facebook is conducive to the culture within the business. A director on the security team within Facebook was reported as saying, “Webinars don’t exactly fit in well here, so we wanted to do something unique in line with our hacking culture to teach employees about cybersecurity so we took the theme of October, fear and pranks and created something that is both fun and educational.”

Facebook has found this approach to be very engaging for employees, and the inbuilt competition between peers really makes the staff aware of what is going on. This is like performing a social engineering assessment when the client knows that the consultants are coming; they just don’t know who they are, when they are coming, or what they are going to do. It places the whole business on heightened awareness, which makes employees more questioning of activities.

As well as raising the awareness of employees and improving the chances of catching a social engineering attack, this type of exercise also provides a great benchmark for measuring the success of any improved policies or procedures, as well as the effectiveness of any recently implemented security awareness training. With the event run annually, it provides the ability to measure what is hopefully an improvement against this recorded benchmark.

At the end of the month, in line with Halloween, Facebook treats workers to a Hacktober themed Happy Hour and a pumpkin carving.

Designing the internal test

Now that the need for internal testing has been examined, along with the reasons for and benefits of doing so, the next item on the agenda is how to plan and design the internal test. Every business is different and each will have its own needs linked to the business processes it performs, so every design will be different, but here are a few suggestions for areas that can be covered by an internal test.

There are two aspects of the internal test. The first is testing the infrastructure and the second is testing the people and processes they follow. The infrastructure testing is more in line with traditional penetration testing and the testing of the people and processes is more in line with that of social engineering testing. A summary of both is provided along with some suggestions of actions to take.

Testing the infrastructure

This book covers social engineering and does not cover the area of infrastructure testing. Infrastructure testing is what the majority of people think of when they talk about penetration testing, and it covers the testing of the client’s infrastructure. This infrastructure consists of items with a reachable IP address (or other network layer protocol where appropriate) and is usually made up of network devices, such as routers, switches, and firewalls, as well as user workstations and servers. The infrastructure is not limited to these devices; the authors of this book have run infrastructure tests against anything from network-attached fridges to network-based shutter door controllers.

Two tests that can be run against the infrastructure that can provide valid results for an internal assessment are vulnerability scanning and password auditing.

Vulnerability scanning

Vulnerability scanning is one of the initial steps of most penetration tests in which a scope of multiple hosts is included, as it is a fast way to check multiple hosts and to provide an initial list of vulnerabilities that can be further tested by the consultant. In order to perform vulnerability scanning, a vulnerability scanning tool is required. Luckily, there are many commercial and open-source scanners available for most platforms, and a Google search will return many results. There is a list of available scanners on the SecTools.org website at http://sectools.org/tag/vuln-scanners/.

One free open-source scanner that can be used is OpenVAS that is available from http://www.openvas.org.

Vulnerability scanners are provided with a list of IP addresses or resolvable hostnames. They perform the scan by first ascertaining the availability of each host and then performing service discovery via various port scanning techniques. Once the hosts and services are confirmed, the scanner moves on to an analysis of the hosts, looking for software vulnerabilities and configuration vulnerabilities. Most vulnerability scanners allow what is termed a credentialed scan to be carried out. This is a vulnerability scan in which the scanner is given administrative rights so that it can map drives to the target hosts and also interrogate items such as the host’s registry, in order to provide a much more detailed level of assessment.

A software vulnerability is an identified bug in an installed piece of software, either commercial or open source. One example of a software vulnerability is the existence of the Conficker vulnerability that Microsoft announced in security bulletin MS08-067. This is a well-known Windows Server vulnerability (that, amazingly, the authors still find in commercial networks), and Microsoft fixed it in a security patch. The vulnerability scanner knows how to identify this vulnerability from its plugin database and will report it, along with the corresponding risk details, in the scanning management interface. There are literally thousands of these identified every year across all vendors, and the majority are recorded by NIST in the National Vulnerability Database at http://nvd.nist.gov. Each is allocated what is referred to as a CVE reference. The example software vulnerability above was issued CVE number CVE-2008-4250 and can be found at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4250. The number refers to the year in which the vulnerability was identified and to its position in the chronological order for that year, starting at 0001. Therefore, the first vulnerability to be issued a CVE in 2014 would be CVE-2014-0001.

A configuration vulnerability is related to the way a piece of software is configured, or more appropriately, misconfigured. Various software applications require configuration. It is hoped that software vendors today issue software with a secure default configuration, but this has not always been the case, with many historical providers releasing insecure software and relying on the user to secure it. This can be referred to as an open or closed configuration. It is preferable to start with a closed configuration and open only the parts that are needed. However, the easiest approach is to start with an open configuration and close the parts that are not needed, and far too often those parts never get closed; this leads to a configuration vulnerability that will always be exploited by a serious penetration tester or, worse, by a potential attacker. An example of a configuration vulnerability is a network device, such as a router or switch, with the insecure connection method Telnet enabled rather than the secure method SSH. This may be further compounded if no password is required in order to gain access to the device. Both of these are configuration vulnerabilities that can be remedied through correct configuration of the device.

Vulnerability scanning can be used in an internal test to check for both software and configuration vulnerabilities. This is beneficial for confirming the patch levels of servers, which is very useful in Windows environments to ensure that all of the critical security patches have been applied. This type of scanning can also be useful for finding any configuration errors that may exist on devices within the organization. Keeping up with the results of vulnerability scans, and ensuring that no host has high-level vulnerabilities, is a great way to increase the security posture and greatly reduce the ability of a potential attacker to gain access to corporate resources.
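As an added example (not the book’s code, nor any scanner’s), the following Python script shows the triage a defender performs on scan results: it validates CVE identifiers in the CVE-year-sequence form described above, lists the hosts that still carry high-level findings, and compares a follow-up scan against the baseline scan to report what was fixed and what is new, which is how the benchmark-then-remeasure approach from earlier in the chapter is applied to infrastructure results. The CSV export layout, the host addresses and the findings are constructed assumptions; a real scanner’s export would need its own reader, but the triage logic is the same.

```python
"""Triage and baseline comparison of vulnerability-scan findings.

Added illustration; this is not the book's code nor any scanner's export
format. The two exports below are constructed sample data in an assumed
'host,cve,severity,title' CSV layout; a real scanner's export needs its own
reader, but the triage logic stays the same.
"""
import csv
import io
import re

# CVE identifiers have the form CVE-<year>-<sequence>; the sequence has at
# least four digits (the chapter's example is CVE-2008-4250, i.e. 2008/4250).
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed baseline export from a first internal scan.
BASELINE_EXPORT = """\
host,cve,severity,title
10.0.0.5,CVE-2008-4250,high,MS08-067 Server service vulnerability
10.0.0.5,CVE-2014-0001,medium,Example medium finding
10.0.0.7,,low,Telnet service enabled (configuration)
10.0.0.9,cve-2008-4250,high,MS08-067 Server service vulnerability
"""

# Constructed follow-up export: 10.0.0.5 was patched, 10.0.0.9 was not,
# and a new host appeared with an oddly written identifier.
FOLLOWUP_EXPORT = """\
host,cve,severity,title
10.0.0.5,CVE-2014-0001,medium,Example medium finding
10.0.0.7,,low,Telnet service enabled (configuration)
10.0.0.9,CVE-2008-4250,high,MS08-067 Server service vulnerability
10.0.0.12,CVE-20X8-1,high,Malformed identifier from a broken plugin
"""


def parse_cve(cve_id):
    """Return (year, sequence) for a well-formed CVE id, or None."""
    m = CVE_RE.match(cve_id.strip().upper())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def load_findings(export_text):
    """Parse an export into a list of finding dicts.

    Rows with an unknown severity are dropped; rows without a valid CVE are
    kept (configuration findings have no CVE) but flagged so the report can
    show which identifiers need a closer look.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        severity = row["severity"].strip().lower()
        if severity not in SEVERITY_RANK:
            continue
        raw = row["cve"].strip()
        cve = parse_cve(raw) if raw else None
        findings.append({
            "host": row["host"].strip(),
            "cve": cve,
            "cve_raw": raw,
            "cve_malformed": bool(raw) and cve is None,
            "severity": severity,
            "title": row["title"].strip(),
        })
    return findings


def finding_key(f):
    """Stable identity of a finding: host plus normalized CVE or title."""
    cve_part = "CVE-%d-%04d" % f["cve"] if f["cve"] else f["title"]
    return (f["host"], cve_part)


def hosts_at_or_above(findings, min_severity="high"):
    """Sorted hosts carrying at least one finding of the given severity."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted({f["host"] for f in findings
                   if SEVERITY_RANK[f["severity"]] >= threshold})


def compare_to_baseline(baseline, current):
    """Return (fixed, new) sets of finding keys between two scans."""
    before = {finding_key(f) for f in baseline}
    after = {finding_key(f) for f in current}
    return before - after, after - before


def malformed_identifiers(findings):
    """Raw CVE strings that did not parse, for manual checking."""
    return sorted({f["cve_raw"] for f in findings if f["cve_malformed"]})


if __name__ == "__main__":
    base = load_findings(BASELINE_EXPORT)
    cur = load_findings(FOLLOWUP_EXPORT)
    print("hosts with high findings now:", hosts_at_or_above(cur))
    fixed, new = compare_to_baseline(base, cur)
    print("fixed since baseline:", sorted(fixed))
    print("new since baseline:", sorted(new))
    print("identifiers to check:", malformed_identifiers(cur))
```

The identifier is normalized (upper-cased, zero-padded) before hosts are compared, so the same vulnerability reported as `cve-2008-4250` on one run and `CVE-2008-4250` on the next is not counted as both fixed and new; configuration findings, which have no CVE, are keyed on the finding title instead.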

Password auditing

Various passwords are used for authentication to numerous services in modern digital life, both at work and at home. One very good test to perform internally is of the strength of users’ passwords for core services within the organization. The authors of this book regularly perform infrastructure assessments in which the network and servers yield no exploitable vulnerabilities, but a weak user or administrative password then allows them to access the network, where they can escalate their privileges, leading to an eventual takeover of the infrastructure. Passwords still appear to be the weak link in the security posture of most organizations, with the age-old problem of either having a password so complex that it is difficult to remember or a password that is memorable but far too weak.

It is assumed that, as part of the policy strengthening, a secure password policy has been implemented and the associated controls are in place to ensure that strong passwords of adequate length and complexity are enforced by all core services within the infrastructure, along with two-factor authentication where a higher level of authentication is required. This also has to be enforced for service and administrative accounts on all hosts on the network. The authors have seen very complex password policies enforced for users in organizations, only to find very weak passwords on service accounts and network devices that are not linked to the password policy. It is almost as if some IT teams have one rule for the users and a separate rule for themselves, and it is rather embarrassing when it is identified that the weak password exploited on a test belonged to a service account or to a member of the IT team.

There are numerous tools available to check the passwords of users against various services. The Windows logon passwords are a good place to start, with the list of users. Password auditing tools use what are called wordlists. These wordlists are text files of candidate passwords. There are numerous publicly available wordlists, some of them with a very large number of generated passwords. It is also possible to create your own wordlists with tools such as RSMangler, available from http://www.randomstorm.com/rsmangler-security-tool.php. RSMangler takes a small wordlist of words specific to the customer and then mangles them into what can be thousands of mutations per word, providing a sizeable wordlist that is specific to an organization.

One recommended password tool is Hydra, available from http://www.thc.org/thc-hydra/. Hydra is available as both a command line tool and a GUI tool and performs password auditing against the following services:

• Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, and XMPP.

Password auditing can be used in an internal test to check the strength of users’ passwords and also to ensure that service accounts and network devices have strong passwords applied. Performing an internal password audit can reveal any issues so that they can be remediated before being highlighted by an external testing company or, as before, by a potential attacker.
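As an added example (not RSMangler’s or Hydra’s code), this Python script builds an organization-specific wordlist by mangling a few seed words in the manner described above, then uses it for an offline audit of constructed account hashes and for a policy check on candidate passwords. The seed words, the accounts, the mutation rules and the use of plain SHA-256 as the stored hash are all assumptions of the example; a real audit would extract the organization’s own password hashes, with authorization, and feed the generated wordlist to a proper auditing tool. It also shows the failure mode the chapter warns about: a password that satisfies a complexity rule while still being a trivial mutation of the company name.

```python
"""Organization-specific wordlist mangling and an offline password audit.

Added illustration in the spirit of the wordlist tools the chapter names
(RSMangler); it is not RSMangler's code and the mutation rules below are a
small assumed subset. The accounts are constructed, and plain SHA-256 stands
in for whatever hash format the audited system really stores.
"""
import hashlib
import itertools

# Assumed mutation rules: character substitutions and common suffixes.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = ["", "1", "123", "!", "2014", "2014!"]
MIN_LENGTH = 12


def mangle(word):
    """Yield mutations of one seed word: case variants, leet, suffixes."""
    lower = word.lower()
    bases = {lower, lower.capitalize(), lower.upper(),
             lower.translate(LEET), lower.capitalize().translate(LEET)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def build_wordlist(seed_words, combine_pairs=True):
    """Mangle each seed word and, optionally, each ordered pair of seeds."""
    seeds = list(seed_words)
    if combine_pairs:
        seeds += [a + b for a, b in itertools.permutations(seed_words, 2)]
    words = set()
    for seed in seeds:
        words.update(mangle(seed))
    return words


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed seed words for a fictional company and constructed accounts.
SEED_WORDS = ["acme", "widget"]
SAMPLE_ACCOUNTS = {
    "jsmith": _sha256("Acme2014!"),        # meets complexity, still guessable
    "svc_backup": _sha256("widget123"),    # service account outside the policy
    "admin": _sha256("vK9#pLq2!wRz7mT"),   # constructed strong value
}


def audit(accounts, wordlist):
    """Map account name -> matching wordlist entry for every weak account."""
    lookup = {_sha256(w): w for w in wordlist}
    return {name: lookup[h] for name, h in accounts.items() if h in lookup}


def policy_violations(password, wordlist, min_length=MIN_LENGTH):
    """Reasons a candidate password fails an assumed policy (empty if none)."""
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    classes = sum(any(f(c) for c in password)
                  for f in (str.islower, str.isupper, str.isdigit,
                            lambda c: not c.isalnum()))
    if classes < 3:
        reasons.append("fewer than three character classes")
    if password in wordlist:
        reasons.append("in organization wordlist")
    return reasons


if __name__ == "__main__":
    wl = build_wordlist(SEED_WORDS)
    print("wordlist size:", len(wl))
    for name, matched in sorted(audit(SAMPLE_ACCOUNTS, wl).items()):
        print("weak password on %s: %s" % (name, matched))
    print("policy check for 'Acme2014!':", policy_violations("Acme2014!", wl))
```

The same wordlist serves two purposes: run against stored hashes it finds the accounts, service accounts included, that a tester with a customer-specific wordlist would find first, and run as a `policy_violations` check at password-change time it stops those values from being chosen in the first place.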

Testing the people and processes they follow

Testing the people and the processes they follow is the main focus of this book. This is the social engineering engagement in which the people and processes are put through their paces in an attempt to gain access to a privileged resource. Performing internal social engineering style engagements goes one step further than the testing of the infrastructure and also requires more planning, as these are bespoke scenarios for each organization.

This presents the opportunity to utilize some of the items explained in various chapters of this book in order to design, stage, and perform a social engineering assessment within the internal organization.

Chapter 8 covered reconnaissance and building the foundations of the assessment. That chapter demonstrates how to find and manipulate the data that is available, including harvesting email addresses, document metadata, corporate websites, and social media. The following two chapters go through the act of threat modeling in order to create effective scenarios. Three attack vectors are provided as examples, and these make up the backbone of the work of a social engineer. They are:

1. Email attack vector

2. Telephone attack vector

3. Physical attack vector.

Chapter 9 covers the email attack vector and the very effective methods of phishing and spear phishing. It provides a walk-through of the process and tools involved in creating a successful phishing attack for use as part of an internal social engineering assessment, with a view to improving defenses against such an attack.

Chapter 10 covers the telephone attack vector. The telephone is a great remote tool for social engineering and can be used to gather information about the target company or to trick users into performing actions that lead to a full breach of internal security. With the remote nature of the telephone, and the numerous services that allow anonymity, it is clearly a good choice for the remote engineer, as it is a pretty safe method of gaining information about the organization.

Chapter 11 covered the physical attack vector, where specific skills can be employed onsite to infiltrate the organization. This may prove hard if the consultant is physically known throughout the organization, although if there are remote offices where the consultant’s identity is unknown, this can still be an effective attack vector, and the chapter explains how to develop the physical side of the assessment.

Utilizing the information in these chapters will aid the development of an internal assessment that can be used to ascertain the security posture of an internal organization.

Summary

This chapter has explained the need for running an internal assessment against an organization. It started with an explanation of the need for such an assessment before showing the example of Facebook and how it uses its Hacktober initiative to drive security awareness among its employees. Next came a look at how the assessment can be developed, covering the testing of the internal infrastructure as well as the people and processes within the organization. Vulnerability scanning and password auditing were identified and outlined as two methods that could be used, before looking at the people and processes and covering the three attack vectors addressed by the majority of this book: the email attack vector, the telephone attack vector, and the physical attack vector.

Returning to one of the opening statements, it is impossible to manage what is not measured, and running an internal test, as already mentioned, is a great way to establish an initial benchmark before further testing is used to demonstrate what will hopefully be an improvement in the security awareness of the employees within an organization.

The next chapter is the closing chapter of this book and provides a social engineering cheat sheet. It brings the entire book together into a simple-to-use cheat sheet and flowchart that helps a security engineer plan and perform a social engineering assessment. The flowchart refers to the chapters of the book where the reader can gain further insight into the tools and techniques required; the aim is to provide an easy-to-use system based upon the methodology presented throughout the book.
