The document provides information about a social engineering audit and security awareness presentation. It includes details about the presenters from CBIZ MHM, an accounting firm, learning objectives around social engineering and security awareness, and descriptions of different types of social engineering like phishing and pretexting. It also discusses what makes security awareness programs successful or fail, and how social engineering could be used internally by an audit department to test security controls.
Social Engineering Audit & Security Awareness Program
1. Social Engineering Audit &
Security Awareness
Hacking the Human
Kyle Konopasek, CIA
CBIZ MHM, LLC – Kansas City
2. Tony Coble, CPA
Managing Director – CBIZ MHM and
Shareholder, MHM
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1031
Email: acoble@cbiz.com
Presenters
Kyle Konopasek, CIA, CICA
Manager – CBIZ MHM, LLC
11440 Tomahawk Creek Parkway
Leawood, KS 66211
Direct: (913) 234-1020
Email: kkonopasek@cbiz.com
3. About CBIZ and Mayer Hoffman McCann P.C.
With offices in major cities throughout the United States, CBIZ is one of
the nations leading providers of outsourced business services, including
accounting and tax, internal audit, risk management, and a wide range
of consulting services. CBIZ is strategically associated with Mayer
Hoffman McCann P.C. (MHM). MHM is an independent public
accounting firm with more than 280 shareholders in more than 35
offices. MHM specializes in attest services for mid-market and growing
businesses, with a specialty practice devoted to financial institutions.
Together, CBIZ and Mayer Hoffman McCann P.C. are one of the top
accounting providers in the country.
4. Learning Objectives
• Understand regulatory compliance issues
• Learn exactly what social engineering is and the various
types used.
• Understand how to identify a social engineering attack.
• Gain insight on methods to deter or mitigate social
engineering risk.
6. • Security awareness reflects an organization’s mindset or
attitude toward protecting the physical and intellectual
assets of an organization. This attitude guides the
approach used to protect those assets. In general, the
approach is referred to as a security awareness program.
What is security awareness?
7. • What elements reflect the overall strength of an
organization’s security culture?
– What causes a security awareness program to fail?
– What comprises a successful security awareness program?
• Even the best technical security efforts will fail if the organization has
a weak security culture.
Security awareness success
8. 1) Not understanding what security awareness really is.
– Major difference between security awareness and security
training.
• Watching an online video about security awareness is training.
– The primary goal of security awareness is to change behavior.
2) Reliance on checking the box.
– Satisfying compliance standards equate to strong security
awareness or even that security exists.
• Merely prove the minimum standards have been met.
• Standards are vague and difficult to measure.
– EXAMPLE: “A security awareness program must be in place.”
Why do security awareness programs fail?
9. 3) Failing to acknowledge that security awareness is a
unique discipline.
– Who is responsible for the function?
– Does the person have the knowledge, skills, and abilities?
– Does the person have soft skills such as strong communication
and marketing ability?
• Initial efforts to implement security awareness and to affect change
over time require such skills.
Why do security awareness programs fail?
10. 4) Lack of engaging and appropriate materials.
– Annual computer-based training is not enough.
– It is critical that multiple versions or styles of security awareness
materials be implemented.
• Ensure the materials are appropriate to the organization based on
industry and employee demographics.
• Younger employees respond better to blogs and twitter feeds while
older employees prefer traditional materials like posters and
newsletters.
Why do security awareness programs fail?
11. 5) Not collecting metrics.
– Without metrics, there is no way to determine if security
awareness goals are being met.
• Are we wasting money or providing value?
• What is working and what is not?
• Are our losses decreasing?
– Collecting metrics on a regular basis allows for adjustments.
– Measure the impact to the organization.
Why do security awareness programs fail?
12. 5) Not collecting metrics (continued).
– Example metrics include:
• Number of people who fall victim to a phishing attack.
• Number of employees who follow security policies.
• Number of employees securing desk environment at end of day.
• Number of employees using strong passwords.
• Number of employees who follow and enforce policies for restricted
access to facilities.
• Who has or has not completed annual security awareness training.
• Types of reinforcement training, who is it communicated to, and how
often.
Why do security awareness programs fail?
13. 6) Unreasonable expectations.
– No security counter-measure will ever be successful at mitigating
all incidents.
7) Relying upon a single training exercise.
– Focusing on a single security weakness or threat approach when
there are dozens leaves an organization open to attack to ignored
approaches.
Why do security awareness programs fail?
14. 1) C-suite support.
– Awareness program support from executive management leads to
more freedom, increased budgets, and support from other
departments.
– Obtaining strong support from top level management is first
priority.
• Consider materials designed specifically for executives—newsletters
and brief articles that highlight relevant news and information.
Keys to security awareness success
15. 2) Partnering with key departments.
– Get other departments involved in the program that might provide
additional resources toward program success.
• Human resources, legal, compliance, marketing, etc.
• Consider the needs of these other departments and incorporate into
the overall security awareness approach.
3) Creativity
– Small budgets for security awareness are common, however,
creativity and enthusiasm can bridge the gap created by a small
budget.
Keys to security awareness success
16. 4) Metrics.
– Prove the security awareness program effort is successful—utilize
metrics.
5) Explanation and transparency.
– Focus and how to accomplish specific actions through clear
explanation.
– Instead of telling people to not do certain things, explain how they
can do certain things safely.
Keys to security awareness success
17. 6) 90-day plans.
– Many programs follow a one-year plan with one topic covered
monthly.
• Does not reinforce knowledge and does not permit feedback or
consider ongoing events.
– A 90-day plan is most effective as it permits re-evaluation of the
program and its goals more regularly.
• Focus on 3 topics simultaneously and reinforce during the 90 days.
• Can be easily adjusted to address current and key issues.
Keys to security awareness success
18. 7) Multimodal awareness materials
– Utilize multiple forms of security awareness materials.
• Newsletters
• Blogs
• Newsfeeds
• Phishing simulation
• Games
– Participative approaches have the most long-term success.
Keys to security awareness success
19. 8) Incentivized security awareness programs.
– Develop “Incentivized Awareness Programs”.
– Focus on creating a reward structure to incentivize people for
exercising desired behaviors.
– This technique switches the entire awareness paradigm by
encouraging employees to elicit a natural and desired behavior
rather than forcing them.
Keys to security awareness success
22. • Attacker uses human interaction to obtain or compromise
information.
• Attacker may appear unassuming or respectable.
– Pretend to be a new employee, repair man, utility provider, etc.
– May even offer credentials.
What is social engineering?
23. • By asking questions, the attacker may piece
enough information together to infiltrate an
organization’s network.
– May attempt to get information from many sources.
What is social engineering?
24. • Quid Pro Quo
– Something for something.
• Phishing
– Fraudulently obtaining private information.
• Baiting
– Real world Trojan horse.
• Pretexting
– Invented scenario.
• Diversion Theft
– Lying and convincing others of a false truth—a con.
Types of social engineering
25. • Something for something
– Call random phone numbers at an organization claiming to be
from technical support.
– Eventually you will reach someone with a legitimate problem.
– Grateful you called them, they will follow your instructions.
– The attacker will “help” the user, but will really have the victim type
commands that will allow the attacker to install malware.
Quid Pro Quo
26. • Fraudulently obtaining private information
– Send an email that looks like it came from a legitimate business.
– Request verification of information and warn of some
consequence if not provided.
– Usually contains a link to a fraudulent web page that looks
legitimate.
• Example: Update login information to new HR portal.
– User gives information to the social engineer/attacker.
Phishing
27. • Spear phishing
– Specific phishing that include your name or demographic info.
• Vishing
– Phone phishing—may be a voice system asking for call back.
Phishing - continued
28. • Real example
– Obtain email address of many employees in target organization
including key individual targets like Controller, Staff Accountant,
Executive Assistant, etc.
– Develop website to “change password” or “setup new account” for
a human resources vacation request system.
• Actual organization website is “Western States Credit Union”
• Link to attacker’s website is “Western States Credlt Union”
– Email website link to obtained email addresses.
Phishing - continued
29. • Real world Trojan horse
– Uses physical media.
– Relies on greed and/or the curiosity of the target/victim.
– Attacker leaves a malware infected CD or USB thumb drive in an
obvious location so that it is easily found.
– Attacker uses an intriguing or curious label to gain interest.
• Example: “Employee Salaries and Bonuses 2014”
– Curious employee uses the media and unknowingly installs
malware.
Baiting
30. • Invented scenario
– Involves prior research and a setup used to establish legitimacy.
• Give information that a user would normally not divulge.
– This technique is used to impersonate and imitate authority.
• Uses prepared answers to a target’s questions.
• Other useful information is gathered for future attacks.
• Example: “VP of Facilities” visiting a branch.
Pretexting
31. • Real example – Telecom provider
Pretexting - continued
32. • Real example
– Pose as a major telecom provider.
– Props:
• rented white van with magnetic logo
• logo polo shirts and hats
• business cards
• work order
• ID badge.
– Enter credit union branch and ask to inspect the “roving telecom
adapter” because they have been recalled.
Pretexting - continued
33. – Illegal examples from an auditing perspective
• Law enforcement
• Fire
• Military/government official
Pretexting - continued
34. • Con
– Persuade deliver person that delivery has been requested
elsewhere.
• When delivery is redirected, attacker persuades delivery driver to
unload near a desired address.
• Example: Attacker parks a “security vehicle” in bank parking lot.
Target attempts to deposit money in night drop or ATM but is told by
attacker that it is out of order. Target then gives money to attacker for
deposit and safekeeping.
Diversion Theft
35. • Scavenging key bits of information from many documents
put out in the trash.
– Literally involves getting in a dumpster during off-peak hours and
looking for information.
– Janitorial crews could be involved. Are they bonded?
• Document shredders are not always the answer
– Vertical cut, cross cut, micro cut, and security cut.
Dumpster diving
36. • Training
– User awareness
• User knows that giving out certain information is bad.
• Policies
– Employees are not allowed to divulge information.
• Every organization must decide what information is sensitive and
should not be shared.
– Prevents employees from being socially pressured or tricked.
– Polices MUST be enforced to be effective.
How to prevent social engineering?
37. • Password management
• Physical security
• Network defenses may only repel attacks
– Virus protection
– Email attachment scanning
– Firewalls, etc.
• Security must be tested periodically.
How to prevent social engineering?
38. • Third-party testing
– Hire a third-party to attempt to attack targeted areas of the
organization.
– Have the third-party attempt to acquire information from
employees using social engineering techniques.
– Learning tool for the organization—not a punishment for
employees.
How to prevent social engineering?
39. • What is the overall risk appetite and risk tolerance levels
of the audit/supervisory committee?
– Board of Directors?
– Executive management?
• Do those charged with governance value testing the
security of information through social engineering?
– Are they afraid of what the results might reflect?
• Social engineering testing may need to be “sold” for
testing to have any value.
– Consider elements of a security awareness program.
Social engineering as an internal audit unit
40. • Risk assessment
– Identify types of social engineering that may be most applicable to
the organization. What are the weaknesses?
– What types of attacks is management most concerned about?
• Pretexting planning
– What is the goal?
– Identify the roles to be used and draft the pretexting script.
• Who are we going to be?
• What are we going to say?
– Signed letter from executive management the social engineering
testing.
• “Get out of jail free” card.
Social engineering as an internal audit unit
41. • Example authorization letter
January 31, 2014
To whom it may concern,
The internal audit department of XYZ Credit Union has authorization to perform a physical security assessment. As part of this
security review the internal audit department may perform any of the following procedures during the following time period:
February 16, 2014 through February 28, 2014.
1) Patrol the perimeter of any XYZ Credit Union (“XYZ”) branch during and after normal business hours.
2) Inspect the content of interior trash receptacles during business hours and exterior trash receptacles during or after
business hours at any XYZ location. The content of any trash receptacle may be confiscated by internal audit personnel as
testing evidence.
3) Attempt to gain access to restricted areas within XYZ headquarters or its branches during business hours by means of
social engineering which may include:
Internal audit personnel disguise themselves as employees of XYZ and/or vendors.
Internal audit personnel may attempt to deceive XYZ employees in any manner which is legal and does not otherwise
harm XYZ, its employees, or its members to adequately test the physical security access controls of branches and the
willingness of XYZ employees to disseminate confidential information about the credit union.
4) Temporarily remove a sample of readily accessible material(s) which will be returned to the designated bank contact
immediately after the testing for XYZ has concluded.
If there are any questions about this assessment or how internal audit personnel should be dealt with, please contact one of the
following individuals immediately.
All authority granted by this letter expires promptly at 11:59PM on February 28, 2014.
Social engineering as an internal audit unit
42. • Phishing planning
– What is the goal?
– What is the setup?
• Document:
– Test scenario (e.g. spear phishing to install malware)
– Inherent risks to the scenario (e.g. embedded links in emails)
– Character (e.g. Human Resources department of XYZ Credit Union)
Social engineering as an internal audit unit
43. • Example phishing email
Subject: Vacation Policy
Attention,
An important change has been made to our vacation policy; we have made the changes available for you to view on our new HR
portal. Please let us know if you have any questions with the changes made to the vacation policy.
www.xyzcu.com/HR
Regards,
XYZ Credit Union HR
HR@xyzcucom
Social engineering as an internal audit unit
44. • Reporting on social engineering test results
– Be as detailed as possible when describing the scenarios/scripts
and the results.
– Do not implicate a single person—social engineering testing is a
learning tool, not a punishment.
• How this is handled may cause internal audit to be viewed poorly
within the organization.
– Consider a grading scale.
• Many audit reports report findings as pass/fail. Social engineering
results may be partly pass and partly fail.
– Example: Allowed into telecom closet, but not behind the teller line.
• Use a letter grading system for social engineering.
– Clearly define what each aspect of the grading scale means.
Social engineering as an internal audit unit
45. • Real example of a pretexting report finding.
Condition
On Monday, February 24, 2014, Internal Audit attempted to gain access to secured areas of five branches using social
engineering physical penetration techniques while posing as employees of the XYZ Credit Union “Asset Management Division”
who were onsite to inspect for asset management controls. At the Main and First and Second Street branches, credit union
personnel gave disguised Internal Audit personnel access to all secured areas of the branch. During this visit, branch personnel
never attempted to validate our identities by looking at driver’s licenses or whether or not we were supposed to be at the branch by
calling responsible management to confirm the visit. At all times during the visit, branch personnel always displayed behavior that
was consistent with “buying in” to the XZY Credit Union “Asset Management Division” script.
At the Main Street branch, Internal Audit personnel witnessed a drawer at a teller station slightly open and containing what
appeared to be a large sum of cash. The Internal Audit employee who witnessed the open drawer was directly behind the teller
counter and in the exact position where a teller would stand while providing service to a customer. Finally, when requesting
access to the telecom closet, branch personnel opened the fire extinguisher bay door located next to the telecom closet door to
retrieve the key. The key was not there at the time; however, the action was an indication that the key may be stored in that
location at times.
At the Second Street branch, a teller was prepared to grant us access to secured areas of the bank because two key contacts in
the branch were on the phone at the time. Just as we were about to get access, one of those persons got off the phone and that
person followed procedure and ultimately ended our test and did not grant us access.
Social engineering as an internal audit unit
46. • No matter how robust an organization’s:
– Firewalls
– Intrusion detection systems
– Anti-virus/malware software
– Other technological and physical safeguards
• The human is always the weakest link when dealing with
security and protecting valuable information.
• Knowledge is power.
– People sometimes want others to “know what they know” to
demonstrate importance.
Weakest Link?
47. • Good habits drive security culture and there are no
technologies that will ever make up for poor security
culture.
• Social engineering audit is one method commonly used
to assess the condition of the overall security culture.
Key take away