Security professionals have long been running penetration tests against their firewalls and other security systems to find weaknesses that need to be addressed.
The Common Vulnerability Scoring System is an industry standard, but has been around for a while.
The bad guys, however, aren't limiting themselves to the traditional perimeter attacks anymore. They're using spear phishing, phone calls and on-site visits and other techniques to get at corporate data.
“As cyber criminals evolve, we must, as well,” said Demetrios Lazarikos, security strategist and former chief information security officer for Sears Online.
Everyone already knows not to click on misspelled, unsolicited emails from foreign royalty. Today's adversaries are smarter. Their emails use proper English and are indistinguishable from the emails from the real companies.
“Let's say that there is a press release that goes public that says that company XYZ has just switched health provider to Blue Cross Blue Shield,” said Bob Walder, founder and chief research officer at Austin-based NSS Labs. “The bad guys are going to look at that and say, all right, company XYZ, I'm going to send an email and spoof it so that it looks like it came from Blue Cross Blue Shield, and says something like 'Do you need help with your enrollment?' It will be relevant to your employees.”
Defending against this kind of attack is more a matter of user education and less one of technology, he added.
After the initial education campaign, he recommended a non-threatening testing strategy, such as league tables showcasing the employees who were impervious to the scams.
“You don't want to set yourself up as an adversary,” he said. “You can make it lighthearted, give out prizes. So people doing the dumb stuff don't get called out, but they think if they make an effort they might win next time.”
Another benefit of putting a positive spin on penetration testing is to ensure that top management isn't caught up in the next and publicly embarrassed.
“It's ironic, but most of the time it's the senior execs and the CIOs who don't have time to read email and they scan something and click without thinking,” he said.
One of the companies using targeted emails in its penetration testing is Medford, MA-based Century Bank.
"We attempt to phish and social engineer our users several times a year," said Adam Glick, the bank's information security officer. "The assessment includes setting up a fake internal web server, adjusting internal DNS, and sending out a spoofed email luring users to change their expiring password or claim their free millions of dollars."
Century Bank doesn't stop at the emails.
Penetration testers will call employees pretending to be from IT and ask for their passwords, or try to enter secure areas dressed as employees or external maintenance workers.
"These tests are becoming paramount as phishing and social engineering are becoming ever increasing avenues for malicious players," Glick said. "Proactively training your users and empowering them to recognize these scams is decidedly your best defensive weapon."
Glick said that his bank uses an outside service, Framingham, MA -based Towerwall, to do the testing.
Minnesota-based OneBeacon Insurance Group also uses a third-party testing service, NTT Com Security, based in Ismaning, Germany.
“Typically, we think of testing attacks directly at computer systems, but for a while, we have known that it is much easier to at least start the attack vector by focusing on the social engineering aspects,” said OneBeacon's chief information security officer Joseph Topale. “Several years ago, our penetration test was expanded and continues to expand to cover the emerging social engineering pieces.”
These days, that includes not only phishing emails, but also phone calls and custom-built spoof websites, he said.
And it can get ever more creative than that.
Chris Camejo, director of assessment services at NTT Com Security, recalled one client with a particular focus on physical security in sensitive areas of their facility.
“What they’ve done is have a program set up where they'll give someone a $100 bill and have them go into a secure area without a badge on,” he said. “The first person who says, 'Where’s the badge?' they get the $100 bill.”
This is an important part of security testing that is easy to overlook because it can sometimes be very easy to get into secure areas, he said.
“If you have a cup of Starbucks in one hand and a Blackberry in your ear and you just waggle your elbows at the door and look pathetic, they’ll let you in because it’s obvious a really important phone call,” he said.
Even companies that don't have critical systems on-site may not understand how much important data can be accessible to someone who just walks in, he said.
“Companies don’t realize how much information they leave lying around the office,” he said. “Backup tapes. laptops. authentication tokens. keys. There’s so much stuff that people leave sitting around – I’ve seen boxes of microfiche documents with reams of Social Security numbers on them just sitting on people’s desks.”
Some companies have other avenues of access, as well, which a determined hacker can track down.
“We've been called in on forensic engagements on financial institutions that preformed wire transfers initiated by faxes sent in by the appropriate individuals, signed by apparently the right person,” said Mike Weber, vice president of Coalfire Labs, a Louisville, CO-based security vendor.
When one approach doesn't work by itself, and a target is particularly attractive, hackers will layer on their attacks.
To guard against them, penetration testers must, as well.
Take, for example, Core Security Consulting Services, a penetration testing vendor hired to break into a credit card payment processing company. The team was able to get as far as the database files, but only had a day to figure out where the credit card numbers were stored – and there were too many files to go through them all.
“We needed a hook,” said Digeo Manuel Sor, manager at Core Security. “ So one of us went to a restaurant to buy some sandwiches and sodas, and the other one ran a text search looking for our credit card number in the files – we didn't have to check all the files, just the last kilobytes.”
A penetration test can also have several layers right from the start.
“A lot of companies request a specific type of social engineering test, such as phishing or pretext calling, or physical social engineering, where we talk our way into a secure area,” said Coalfire's Weber. “We find is that those threats by themselves are easy to identify and question. But when we blend them, we get a whole lot better success.”
For example, a physical infiltration of a company might be preceded by an official-looking email announcing the visit.
“A blended social engineering attack tends to be a weak spot in many organizations,” said Travis Howe, director of security and compliance at Conga, a document management company based in Broomfield, Colorado, and a Coalfire customer. “Unfortunately, if someone wants to compromise the organization, as a security professional inside an organization, I don’t have the purview of choosing how I’m going to be attacked.”