Here at Nettitude, we have been delivering penetration tests for clients for more than a decade. Over the last 10 years, we have seen the industry mature. Many organisations understand what penetration testing is, and as a consequence, it has become an integral part of many organisations' information security programs. However, more often than not, organisations ask us to focus on the technical aspects of a penetration test and ignore the social aspects. In many instances, we are told that ‘management’ doesn’t want to look at social engineering, and as a consequence, can we provide services that focus on the technology only?
I understand this approach, but I don’t agree with it. Penetration testing is a service designed to help an organisation identify their risk. When we are conducting internet-based Infrastructure or Web Application tests, we are focused on helping the organisation understand the risk associated with a Hacker, terrorist, or some other form of external threat actor. Organisations recognise that there is a threat. However, all too frequently, they constrain the testing engagement so that it can only focus on the technical threat, as opposed to considering the human element alongside.
Internet Hackers don’t limit themselves to “only playing fair” and focusing on the technology. They try to hack corporate and government networks through any mechanism that they can find. If they can find an employee who looks vulnerable through information harvested through Facebook or LinkedIn, they will absolutely target their efforts against them. As more and more information about us, our friends and family, our education, our employment and our leisure habits finds its way into the cloud, so this information arms an attacker in their pursuit of compromising the corporate environment.
I genuinely believe that the vulnerability landscape is comprised as follows:
Risk = Technical Vulnerabilities and Human Element
To focus on the technical issues alone only provides half of the information needed to perform a complete risk assessment.
At Nettitude we are proactively trying to encourage our clients to look at the bigger risk picture and consider social engineering tests as part of their testing program. There are lots of different types of social engineering tests that can be conducted to meet this objective. In my opinion, one of the most successful and meaningful types of test is a spear phishing test. In this type of scenario, the penetration tester targets individual employees who work within the organization. The spear phish intends to get them to click on a link or open up a document. This act in itself can then provide the Penetration Tester with a mechanism to gain access to their machine and pivot onto other internal devices that would otherwise be firewalled from the Internet.
Most employees are wise enough to spot one of the rogue emails that start: “I'm a long lost relative from Nigeria and I've tracked you down as the beneficiary to $1,000,000.."
These types of emails rarely solicit any form of response, and more frequently than not are deleted with immediate effect.
However, consider the following scenario.
You are on Linkedin, and list yourself as a network analyst at ABC Group.
You are also on Facebook and have poor Facebook security settings. (As is commonly the case) You are a Soccer or Football fan, and you uploaded photos from the latest match to Facebook. You comment on Facebook that you enjoyed the game and that you look forward to the next match.
If an attacker wants to compromise an organisation, the information above provides a fantastic route for infiltration. If the attacker now goes on to craft a highly tailored e-mail to the employee that says…
Dear Fred, thank you for attending the opening season match for <insert football team name> last week. As a thank you to our supporters here is one of 1,000 free passes to our next game <insert bogus link>. Yours The Football Team
An attacker could likely entice at least one user to click on the link.
By clicking on the link, (or responding to the phish) the employee opens up the organization to attack. Surely to omit this type of test means that the organisation never gets visibility of this type of vulnerability. Instead, they have a false sense of security that they cannot be breached, and their environment is secure.
The intent behind these types of attacks is not to find susceptible employees and then name and shame them. With a carefully crafted e-mail almost anyone can be phished, (I confess even I have been phished by some of my pen-testing colleagues!). The intent is to try and raise awareness that these types of vulnerabilities exist.
By identifying the human element as a vulnerability, and making it appear on a CSO’s radar, there is a chance that it will be factored into to organisation's risk register. If the risk is identified, then the organisation can start to build a remediation plan to try to mitigate against this exposure. Although training on its own won’t fix the problem 100%, it does provide a good starting point. By training employees on what they should do with e-mail links and unsolicited e-mails, they have ½ a chance against an attacker. Surely educating even ½ of your workforce and getting their buy-in is better than ignoring the problem and simply putting your head in the sand?
At Nettitude, we actively advocate that organisations undertake social engineering tests, similar to the spear phishing attack highlighted above. We have a raft of different approaches that can be tailored to an organisation’s needs. In 2013, we changed our standard penetration testing scoping forms to reflect this need. Instead of asking clients if they want to have social engineering tests, it will be assumed that some variants of these tests will be needed. Our new forms will require that clients need to opt out of Spear Phishing tests, and unless they do so, these types of tests will be conducted.
We are focused on helping our clients manage their risk. By including spear phishing in all of our tests, we believe we can deliver better value to our clients, and provide a better indicator of risks and vulnerabilities that are present.
To contact Nettitude's editor, please contact media@nettitude.com.