Social engineering is often overlooked

Many organizations simply overlook the importance of social engineering.

To Social or Not to Social?

For a number of years now, social engineering testing of an organization’s defenses has been an integral part of most security management programs – you have an outside party conduct vulnerability assessments, penetration tests and audits, and just for good measure you throw in a social engineering engagement.  These engagements can be relatively simple or very complex; ranging from sophisticated costuming and props to simple pretexting calls.  Many organizations choose to conduct both onsite and remote social engineering testing, which test their employees’ ability to recognize and defend against a range of social engineering attacks.  With so many possibilities for how testing can be conducted and how imaginative you and the tester can get, it’s surprising how frequently this component of security testing lacks the same amount of attention that pure network and technical-based types of testing receive.

In most cases, testing is typically designed to answer questions about whether employees can recognize a social engineering attack in the making:  will an employee provide technical information on their workstations to someone over the phone without first authenticating the legitimacy of the caller?  Will a receptionist actually verify that there is an air conditioning leak on the roof before allowing the repairman in?  Will customer service representatives follow links in emails or open unexpected attachments?  While those questions are important, social engineering testing can answer other, often unasked questions:  are access controls and badge systems appropriately restricting access?  Are motion-sensing detective controls functioning properly?  Do our third-party security personnel stop people carrying suspicious packages?

Planning is Overlooked

While working on some social engineering attacks recently, I found myself asking why many organizations don’t plan for social engineering engagements the same way they plan for other types of security testing?  Having performed dozens of social engineering engagements, I can safely say that parameters around this type of testing are largely overlooked.  After all, by this point in the game, the need for security is recognized widely enough that most organizations have already conducted or are planning to conduct social engineering engagements in the near future.  So why doesn’t understanding how social engineering affects an organization receive the same attention that other projects might?

For one, social engineering attacks seem unlikely for most organizations.  Security can already be seen as a nebulous area to spend budgetary resources  on, and social engineering often takes a back seat to projects that are seen as more valuable; projects like penetration testing and vulnerability assessments.  While there is certainly a recognizable value associated with those types of testing, performing social engineering testing is as much about your policies and procedures as it is about physical security.  In other words, having social engineering conducted against the organization can effectively validate the money the organization has spent on physical security controls; which most organizations do see as a necessity.

Fits Like a Glove – Or Does It?

These days, it’s especially important to get the most ‘bang for your buck,’ and social engineering is no exception.  Far too often, organizations contract with a vendor to perform social engineering, leaving the planning to someone outside the organization.  I’ve often been asked for a “menu” of social engineering options, and while it makes a lot of sense to have some prearranged selections to choose from, getting real insight into how your employees and countermeasures will respond to a social engineering attack will take additional preparation beyond simply selecting an item from a menu.  Like all aspects of security testing, each organization is different (geographically, culturally and physically) so there’s no real one-size-fits-all for social engineering.

Nobody knows your organization better than you – both its strengths and weaknesses, and while it’s not necessary to disclose all of the details to the consultant conducting testing (you don’t want to show your hand too early), it is important to consider which parameters, policies and countermeasures are most important to test, based on your organization’s risk analysis.  You did perform a risk assessment, right?

For example, your policies and procedures may include requirements for escorting vendors in specific areas of the facility.  Having someone show up at your reception area as an air conditioning repairman and allowing security or reception to simply turn them away really doesn’t tell you much about your escort procedures, does it?  On the other hand, if you first allow your reception or security to contact a specific individual within the organization and get approval, you can now reliably test how visitors will be treated once they pass the initial step.  This is the level at which being able to test your organization’s escort procedures, access controls and other physical countermeasures become possible.  Your organization might also consider setting “capture the flag” areas, where testers are encouraged to reach certain goals or obtain unrestricted access to a specific area or item.

Getting the Best Results

Sometimes, due to limitations in costs, time and travel, it’s not always possible for your organization to contract for additional days of the engagement to cover reconnaissance and probing of the facility or campus.  This restriction in time (which an actual criminal would have ample amounts of) makes it necessary to share some information about the inner-workings of your organization with the contractor performing testing.  For instance, the contractor performing testing may inquire about highly-trafficked exits or entrances, or some of the physical security controls in use.  It may feel like cheating, but it’s sometimes necessary to reveal at least a card or two.  This also allows the contractor more time to hone in on the specific risks identified by your risk assessment.

In any event, make sure that your testing answers the questions you need answering.  Regardless of the level of planning that goes into any social engineering engagement you may opt to have, if performed properly it will always provide at least some insight into how your countermeasures are working, allowing you to form some reliable conclusions about the level of risk affecting your organization.  But by collecting and analyzing data about the suspected weaknesses or unknowns in your environment and working with your contractor to understand recommended best practices for this type of testing, you’ll receive better insight into your organization’s strengths and its ability to fend off social engineering attacks.