
One of my friends used to boast about how long his passwords are. One day, I decided to play a prank and social-engineered it out of him. I was pretty surprised as to how effortless the entire procedure was, and how oblivious others can be.

Many of my acquaintances don't seem to understand the dangers of social engineering and focus more on cryptographic security.

How do I teach others about social engineering: both as to what it is, and how to avoid being tricked?

AviD
Manishearth

7 Answers

When I've been asked to setup some presentations about security awareness, I've always used something that is familiar to the user base to demonstrate weaknesses that can be exploited.

Let's take a simple organization, Acme. Acme has about 200 employees, a robust IT infrastructure, top-of-the-line firewalls, secure applications, a smart CISO, etc. Their wireless is WPA2 with RADIUS Auth which uses the user's AD credentials. They also use Outlook Web Applications (OWA) a lot.

If this was an organization I was demonstrating an attack to, I would first set up a phishing site that looked just like the OWA installation. It's ridiculously simple to do with something as accessible as wget, or you could use Trusted Sec's Social Engineering Toolkit to set it up. Once you do that, change the login form so that the username and password entered goes to your own database/file store—or, you can once again use SET's credential harvester. Optional: Buy a domain, such as acme-corpwebmail.com or something like that.

The next thing to do is send a sample email to yourself. It can be something along the lines of how there's an IT upgrade and people need to validate their accounts—focus on the email being believable, with good English, something that can be trusted, even. Log in with the credentials, and show that they get captured.

Use the same credentials to log in to the corporate network (since it is AD credentials after all). Now an attacker has access to everything an ACME employee has access to, and he hasn't even broken an application or entered the building. He can be sitting outside the parking lot the whole time.

Want the extra effect? Make this whole thing a really cool video. It's not hard to do, even if it takes a little extra time.

Once you show how an attacker can get in, focus on what the employees need to do to protect themselves—i.e., make sure that the email is from who it claims to be from. If in doubt, ask the person if they sent an email—it's okay to waste the person's time if it means being safe. If the link is external to the organization, ask the person/the security team before clicking on it. If it is external and asks credentials, assume it is malicious unless told otherwise.

From personal experience, I can tell you that this has been very effective—it makes an impression on people, even if it builds paranoia in some—and a certain level of paranoia is always good. :)

If you want to take it to the next level, I really do recommend checking out what SET has to offer. Dave Kennedy and all the others who have worked on it have done an absolutely amazing job on the tool, and it provides all the tools necessary to teach people about social engineering.

hb20007

I'd say the best way to educate others about social engineering attacks is to demonstrate it to them. Explaining the concepts in theory is all well and good, but most people won't actually absorb the lesson until they actually experience the impact it could have on them.

There's this funny scene in the movie Now You See Me where several magicians tricked their boss into revealing the answers to his bank account's secret questions through what seemed like a normal conversation and stole $140 million from him.

While you most probably don't have friends with a net worth of $140 million or more (if this isn't true, lucky you!), it does serve to illustrate how the most innocuous conversations can be revealing more information about you than you would be comfortable with.

So, try out some social engineering tricks on your friends. Sit them down and log into their accounts in front of them and explain how you did it. You can't really ask permission beforehand (or it won't be effective anymore) so make sure they are really good friends. :P


Social engineering revolves around psychology. It tries to influence human behavior to reach a goal, and unfortunately it often works quite well. In my opinion the best way to educate people is by example. An interesting video is the Social Engineering LIVE demonstration from Defcon.

Most of the time a social engineer will be required to take the initiative, either by sending an email, making a phone call, or even transmitting a fax (as was first presumed in the Rapid 7 DNS hijack). Here are a few questions you should ask yourself:

  • Who is contacting me here? (Remember, most contact details can be found on the Internet!)
  • Why is he contacting me?
  • Is the way he's contacting me normal for this company?
  • Is the information he's requesting sensitive?
  • Is there a way to verify that this is indeed this person?

A good approach is to use two separate communication channels which have been established up front. For instance, if you get a phone call from a certain person who's requesting that you perform some action, put down the phone and call that person back using credentials from a trusted source. For instance, if someone is calling from the helpdesk, check their extension number and name. Then look it up in your company's internal phonebook and see whether it's the same. You might want to call them back yourself and see whether it's still the same person. NEVER EVER use phone numbers provided by the person themselves (for this example anyway).

An example for this is the recent Microsoft support scam where attackers pretended to be Microsoft technicians. Victims were instructed to open cmd and execute a command, and then the attackers stated "hey, I'm Microsoft because I can do this". They followed this by requesting that victims shut down their anti-virus and any other security mechanisms. In cases where victims grew suspicious, the attackers would apply pressure in other ways.

In the case of a company, especially when there are procedures in place for authentication and verification, it must be ensured that there are no loopholes where protocol can be bypassed. I recently heard a story of a person trying to increase his credit card limit (often used by scammers to increase their spending ability after stealing a credit card). The person did not get his increase because he couldn't be authenticated. Which is good! But then he called customer support, got really angry and threatened to change banks. Customer support responded by increasing his credit limit without even attempting to authenticate him. This is just one example of pressuring people for nefarious purposes.

Non-IT-minded people might get tricked by this, so to educate them, give them several examples of social engineering attacks. A good piece of advice by David Schwartzberg:

Whenever an unauthenticated person on the telephone suggests surfing to an unfamiliar website, the best thing to do is nothing. Whenever an unverified person on the telephone asks for personally identifiable information or financial information, the best thing to do is hang up. Don't even say goodbye.

If you need to know more, have a look here at social-engineering.org.

US-CERT has some guidelines against social engineering as well:

  • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
  • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
  • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • Don't send sensitive information over the Internet before checking a website's security (see Protecting Your Privacy for more information).
  • Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
  • If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).
  • Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (see Understanding Firewalls, Understanding Anti-Virus Software, and Reducing Spam for more information).
  • Take advantage of any anti-phishing features offered by your email client and web browser.

What should you do if you are a victim?

  • If you believe you might have revealed sensitive information about your organization, report it to the appropriate people within the organization, including network administrators. They can be alert for any suspicious or unusual activity.

  • If you believe your financial accounts may be compromised, contact your financial institution immediately and close any accounts that may have been compromised. Watch for any unexplainable charges to your account.

  • Immediately change any passwords you might have revealed. If you used the same password for multiple resources, make sure to change it for each account, and do not use that password in the future.

  • Watch for other signs of identity theft (see Preventing and Responding to Identity Theft for more information).

  • Consider reporting the attack to the police, and file a report with the Federal Trade Commission (http://www.ftc.gov/).

Jonathan Garber
Lucas Kauffman
  • Some links appear to be missing. In the US-CERT section, the seventh bullet point *(Install and Maintain...)* is missing links. In "What should I do", the fourth bullet point *(Watch for signs...)* is missing a link to *Preventing and Responding...* – Jonathan Garber Dec 19 '13 at 15:33
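As an added illustration (not part of any answer above) of the US-CERT point about URL spelling and TLD variations, the small checker below flags links whose registrable domain imitates a trusted one, including the acme-corpwebmail.com style lure from the first answer. The trusted domain list, the homoglyph table and the sample mail are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Domains the organisation actually owns (assumed values for this example).
TRUSTED_DOMAINS = {"acme.com", "acme.net"}
# Character swaps often used to imitate a legitimate name (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registrable_domain(url: str) -> str:
    """Last two labels of the hostname, lower-cased (multi-part TLDs like co.uk not handled)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch near-miss spellings such as acne.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the link's registrable domain."""
    domain = registrable_domain(url)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name = domain.rpartition(".")[0]
    normalized = name.replace("rn", "m").translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        tname = trusted.rpartition(".")[0]
        if name == tname:                      # acme.org: right name, wrong TLD
            return "lookalike"
        if tname in re.split(r"[-_]", name):   # acme-corpwebmail.com
            return "lookalike"
        if edit_distance(normalized, tname) <= 1:  # acrne.com, acne.com
            return "lookalike"
    return "unknown"

def scan_message(body: str) -> list:
    """Classify every link in an email body; a 'lookalike' verdict is a phishing signal."""
    return [(u, classify_url(u)) for u in URL_RE.findall(body)]

# Constructed sample mail modelled on the 'validate your account' lure in the first answer.
SAMPLE_MAIL = """As part of the IT upgrade, please validate your account at
http://acme-corpwebmail.com/owa/ before Friday; the usual portal
https://owa.acme.com/ will be unavailable during the upgrade."""
```

Running `scan_message(SAMPLE_MAIL)` returns a verdict per link, so an awareness demo can show the lure being caught while the real OWA address passes.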

In a growing move, get your audience to social engineer each other. Get THEM to devise ways to extract information from each other, and share what ideas they had and what worked. The sooner you get the process as close to home as possible, the easier it will be for them to actively use it as a model in their daily lives.

A study done in the USA in the 1940's looked at how to get homemakers to use more organ meats in their menus when high quality meat was unavailable. Educational initiatives failed miserably, even one-on-one, until one researcher had the idea of stopping lectures altogether. Instead of doing any education at all, he gathered homemakers together to 'brainstorm' how to devise an educational initiative to get other homemakers to use more organ meats. Those who participated in the 'brainstorming' sessions had markedly higher rates of consistently using organ meats after the sessions. The point, of course, was not the things the people came up with, but to get the people to come up with their own reasons. Once the 'tables were turned', the behavioral change became natural and was incorporated long-term.

schroeder

As others have said, demos. What you might not realise is how much easier social engineering can be in a demo situation.

I have, in the past, set up 'demos' with no real preparation, and then just gathered a group around a terminal, told them we were going to show how people can obtain access to their email. I then sit at the terminal, go to the login screen, then say

Ok, so I need a volunteer. You. No one knows your password do they? Awesome. So, between us, just write it down here.

And they do. Seriously. Thinking it's a demo, and we're going to show how to protect that password from the others, they trust me and give me the password. It's only failed once, and that person got a Mars bar for being on the ball.

Owen
    That's awesome. This reminds me of a trick you can play on small children. Or on adults for that matter. Tell them that they can make a fist and you can make them open their hand with the power of your mind. When they make a fist, you say, "no, your thumb has to be inside" (or outside, depending) and when they open their hand, you announce that you made them do it with the power of your mind. – Eric Lippert Dec 19 '13 at 17:58

Movies are good for such education. See this answer, in the context of email phishing (to a large extent, this is the same situation), where I recommend a few of them. Friends will probably agree to watching a couple of movies, and that's painless learning.

In a business context, you can use a similar method, in which a speaker shows excerpts of one of the above-mentioned movies, and explains what they mean when seen from an "information security" point of view. E.g. have a look at this one which I saw a few months ago, and found both entertaining and instructive. A key to pedagogy is to convince students that they are not actually doing some work (otherwise they stop listening properly).

Thomas Pornin

Unfortunately, you don't. Nobody seems to have mentioned this, and it's kind of important. In this day and age, where Kevin Mitnick is but a poster figure, some of his methods still work. In the day and age where, say, Activision Blizzard, worth millions of dollars, still lets you get away with it. Sure, one can argue that snatching someone's game account is harmless, but nevertheless it's a vulnerability.

The core problem is, the exploit lies within human nature, thus, there is no universal "patch" for it. You can't write a book to educate the entire planet on how to be resistant to such attacks. However, what you can do, is focus on the specific company. Only one at a time. Let's take the same ACME mentioned above. What you wanna do is:

  • Define attack points
  • Defend them

Literally, that simple. Not the methods, but the goals. You wanna figure out what the possible social engineer will go after, and find a way to protect it. Either by limiting employee access, or by enforcing a simple "never reveal this" rule. But you need to be very very narrow, as employees might have a hard time remembering if they're supposed to reveal something to a customer partially, not at all, never to anyone etc. if there are 30 things they have to keep in mind. So go specific, as much as you can. Besides that, you have to provide some basic version of general anti-social engineering training, such as "Hey, you know when you talk to someone and he gives you this warm feeling even though he's a stranger? And you feel compelled to go out of line and help them? Hang up". Stuff like that. Setting up 2-step authentication is also great in some cases, but in a different manner where you need two people to access sensitive stuff. That way, even if one of them gets rolled by an engineer, the other person might catch it.

Unfortunately, that's about it. I wrote a lot about this and I engineered people WITHIN the guide "how to not fall for it" and they still fell for it. Showing a demo is a good way to demonstrate, but it won't always get you the desired effect. You'll get a "haha that's cool" instead of "damn, I need to pay attention to stuff like this"! So if you really wanna un-hack the planet, start a consulting business and go on a job-by-job basis, modifying your approach and techniques. Peace!

Predrag Beocanin