We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they’d had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees.
The client also indicated that USB drives were a concern, since they were an easy way for employees to steal information, as well as bring in potential vulnerabilities such as viruses and Trojans.
We gathered all the worthless vendor giveaway thumb drives collected over the years and imprinted them with our own special piece of software. I had one of my guys write a Trojan that, when run, would collect passwords, logins and machine-specific information from the user’s computer, and then email the findings back to us.
The next hurdle we had was getting the USB drives in the hands of the credit union’s internal users. I made my way to the credit union at about 6 a.m. to make sure no employees saw us. I then proceeded to scatter the drives in the parking lot, smoking areas, and other areas employees frequented.
After about three days, we figured we had collected enough data. When I started to review our findings, I was amazed at the results. Of the 20 USB drives we planted, 15 were found by employees, and all had been plugged into company computers. The data we obtained helped us to compromise additional systems, and the best part of the whole scheme was its convenience.
You’ve probably seen the experiments where users can be conned into giving up their passwords for a chocolate bar or a $1 bill. But this little giveaway took those a step further, working off humans’ innate curiosity. E-mail virus writers exploit this same vulnerability, as do phishers and their clever faux Websites. Our credit union client wasn’t unique or special. All the technology and filtering and scanning in the world won’t address human nature. But it remains the single biggest open door to any company’s secrets.
Disagree? Sprinkle your receptionist’s candy dish with USB drives and see for yourself how long it takes for human nature to manifest itself.
The reason I post this particular article is that I was chatting recently with JP Rangaswami, the CIO of DrKW (aka: Dresdner Kleinwort Wasserstein) about the very same human nature which is cited in this article.
As written, the article will probably cause more of the reflex I have seen in some City institutions which try to ban iPods, USB sticks and the like from trading floors and other sensitive environments.
That won’t work – as JP approximately put it, if you want [me] to do that, you’ll need to give me the privileges to stop-and-search the employees and go through their briefcases, pockets, and check what their phone can do; the result will be oppressive chaos.
The proper response is one of embrace and control: that if employees are going to make use of whatever technology [USB, iPod, WWW, Instant Messenger, 802.11, …], some facility needs to be made to filter and sanity-check the means to which it can be put, and that you make the means and constraints transparent and well-advertised to your employees.
In short: be fair, and be wise. It might cost a little more in the short term, but will retain respect, employees and be more effective than the “ban everything” approach.