The Cyber Risk Report for November 7 through 13 covered the second consecutive Social Engineering Capture the Flag event that was organized by Defcon 19 (a prominent industry “underground” security conference). The event proposes a challenge to competitors with the focus of leveraging social engineering tactics to successfully obtain key company information from a list of prospective companies, with the ultimate goal (based on the past two years) of raising awareness of the threat impact social engineering has on organizations. Furthermore, the competition highlights the common tactics and aspects that social engineers employ. As this year’s competition drew to a close, the Social Engineering CTF Results Report (which provides a debrief of the event, outcomes, and lessons learned) puts an emphasis on the techniques utilized, and the reasons why the respective techniques ultimately succeeded or failed.
The details of the competition, as stated in the results report, are as follows:
“Each contestant took part in a wide array of research, which included initial info gathering, attack vector development, and a twenty-five minute social engineering phone call placed to his or her assigned target.” The social engineer has two weeks to probe and attempt to procure “flags” which are “the pieces of information based on non-sensitive data pertaining to the inner workings of a company.” Fourteen companies were targeted for this year’s competition, which included the following industries: retail, airlines, food service, technology, and mobile services. While the competition’s rules and procedures are straight forward, there are many details to be considered; including the target company’s target ranking, which is based on a defined criteria (see the results report for details) with the highest score that a company can attain being 50, indicating proven resistance to social engineering and a healthy online presence (for example, not leaking information via the web). In addition, the competition takes into consideration the point sources per company, which looks at the online leakage of information, amount of flags, resistance the organization exerted on the attacker during the call phase, site visits (the ability of the attacker to get an employee to visit a URL provided by the attacker), and observation.
The Social Engineering CTF Results Report provides a detailed output of lessons learned and feedback (mitigation) tactics to resolve the most commonly successfully attacks that occurred during the competition. Highlights of mitigation solutions based on successful social engineering efforts include leaked information on corporate websites, wide spread company search options (detailing employee details -- phone numbers, email, and even ftp server details), vast arrays of social media freedom, vendor information leakage, badge confidentiality breaches (posting badge details on the Internet), no strict document control to include vast amounts of uncontrolled documents. The report breaks down the organization’s targeted, highlights their strengths, challenges, and provides feedback regarding some amicable solutions to fill the gaps that were exploited.
Reports are often target at a specific audience and based on the topical area have a self-imposed bias. However, with bias also comes an aspect of validity, hence this report is no different. This report stands out in a prominent manner due to its depth of detailed feedback, concise format, and viable information -- specifically the highlighted findings in the output format of “information, vector, mitigation.” Furthermore, while one can argue details such as the definition of the “flags,” what really constitutes the “flag” or “non-sensitive data pertaining to the inner workings of a company,” and the details of the “site visits URL,” (for example, is it an offending or malicious site, or a well-known site like Microsoft.com) it is clear that data/information can and will be extracted based on common factors/tactics.
From a security standpoint there are many aspects of the report findings that catch the proverbial eye. For example, “another preliminary finding was that in all cases where the caller asked the target to visit a URL, even in the cases where there was some reluctance, the target ended up visiting the URL.” The true benefit of this document is not the finding, but the feedback and solutions to aid those who face the challenges presented. The fact that the report noted that all the companies involved would have received a failing mark in a real social engineering penetration test should no doubt be an eye opener, not just for these organizations, but the many others that face the same challenges. As any security practitioner knows, there is no utopia for security; however, there are many solutions and mitigations that every organization can institute to vastly limit the potential damage of social engineering attacks, the first of which must always be awareness. Educate the organization as to what social engineering is, how to identify it, and what options to employ or how to combat it. Moreover, note that this (education) should be a continuous process, revisited multiple times throughout the year and constantly updated in policies, procedures, and amongst any other organizational criteria. A key point as directly extrapolated from the report is as follows, “the content a company chooses to put on its website proves to be critical to overall security.” Furthermore, the challenges of controlling content with the advent of social media outlets continue to be troublesome. This includes Facebook, Twitter tweets, and more and more personal blogs, which in this case found an employee of one company who blogged about specific IT procedures including what social media sites were allowed and which ones were not, and most notably, what options exist to circumvent these measures…
The plethora of successful social engineering tactics highlights many avenues for data loss, hence data loss prevention (DLP) needs to remain at the forefront of an organization’s security policy and maintain a high level of attention with regard to risk assessments and analysis. Organizations should take a few moments to review the common tactics and successful solutions, note the vectors and most importantly the mitigation options that exist and work to incorporate them into their policies and security awareness activities. In conclusion, the results are a reminder that while we as a society have come a long way, we still have a ways to go!