Thursday, October 23, 2014

Hacking the Human Firewall -- Social Engineering

"There wouldn't be any carnies if there weren't any rubes." I love that quote.

Mangled English aside, it's an incredibly astute insight. It's attributed to P.T. Barnum, but I've had trouble sourcing it.

As technical security and controls have become more advanced, "traditional" technical exploitation is no longer the preferred attack vector. Technology has caught up significantly with regard to external network defense.

Unfortunately, much of this is reactive. The educational, budgetary and management threshold for many of these solutions is very high, forcing many technology staffers to dedicate their time and resources to maintaining those controls.

The problem is simple: threats evolve.

While you are making sure the ingress firewall rules are correct, the logs are recording external exploitation attempts and you've tested the latest patches, the external attacker is far ahead of you.

I'm always amused watching depictions of "hackers" on television and in film. Buzzwords are thrown out, the hacker has 17 terminal windows with green text flying by, and amazingly the hacker does something in 15 seconds that sends the entire system crashing upon itself. Those cases are exceedingly rare. For every Heartbleed, Stuxnet and Remote File Inclusion discovery, there are thousands of attacks that are simple, low-tech and depend on the user to do the hard work for me.

Ingress firewall rules are extremely important. Patching the system should occur regularly. You should have an IDS implemented. Those are all technical controls that need to be implemented.

I often say, "You can't use a technical control to fix an administrative problem."

Your users are your human firewall. The drawbacks to that are clear:

1. Many times, they're the only line of defense.
2. ...and they're on the front lines.
3. They have discretionary access over data and assets.

It's a recipe for disaster. Every major InfoSec incident you can point to at retailers over the past few years was driven by social engineering and client-side exploitation at some point, if not entirely.

There are a lot of techniques for performing these attacks. Phishing emails, phone calls, physical breaches, out-of-band attacks and public information farming are all used to great effect in these breaches.

There are a few simple rules you can start following to minimize these risks:

1. Don't post information publicly.
2. Carefully curate and guard your online presence.
3. Remove discretionary risk management and security from staff members.
4. Scrub metadata in all materials.


Pretty easy list of things to do.

....to be continued...
