Security Blog: Software, Social Engineering, and Security
April 27, 2007

Software, Social Engineering, and Security

You have to hand it to Jim Stickley. Actually, if you don't hand it to him, Jim will probably end up taking it anyway. Jim, you see, has just pulled off his 1000th successful heist, which may make him one of the most successful bank robbers of all time.

But Jim isn't after just the cash. What he wants is personal information: names, addresses, Social Security numbers, credit card numbers, passwords and the like. In the long run, this kind of data is worth far more than a pocketful of change. Jim is CTO and co-founder of TraceSecurity, a security compliance software firm, and he doesn't call himself a "criminal" or a "crook" (or even a programmer, for that matter). No, Jim is a "social engineer" whom financial institutions hire to perform vulnerability audits.

Social engineering has been part of the computer security landscape for years. Social engineers use disguise and subterfuge to prey on weaknesses in human nature. They recognize that most people share similar desires, such as the desire to be liked, appreciated or recognized, and similar fears, such as the fear of getting in trouble or of looking stupid. They exploit these traits to gain their victims' trust, then trick the victims into becoming unwitting co-conspirators in a plan that usually involves stealing something.

"Most banks are surprisingly vulnerable to identity theft," says Stickley. "They spend millions of dollars a year on high-tech computer security defenses, but often fail to address the simplest, most critical aspect of information security: the human element. A bank can have the most high-tech security, but if they invite me in and allow me to wander their office, I can steal much more than their money."

Stickley and his crew start by impersonating someone trusted or in a position of authority, such as an air conditioning technician, pest exterminator or fire inspector, often by mailing a letter on forged stationery to a bank branch announcing a planned "inspection." By the time they show up in fake uniforms with fake badges and fake identification cards, the receptionist often welcomes them with coffee. Within minutes they have free run of the bank, crawling under desks, stealing backup tapes and installing spyware on the computers. In the evening they return to dumpster dive, which often yields a surprising amount of sensitive customer account information. (And yes, they do give it all back to the bank.)

"The secret to an effective information security strategy," says Stickley, "is to balance security technology investments with comprehensive employee training, and better policy and procedure enforcement."

Stickley says that if banks adhere to the following simple best practices, they can reduce their identity theft risk by up to 80 percent:

  • Shred bins should be conveniently located near all bank employees.
  • Computers should never be left logged in and unattended, under any circumstances.
  • Sensitive data, including computer backup tapes, should be encrypted.
  • To prevent phishing, emails that appear to come from upper management should be verified as authentic before anyone acts on them.
  • All bank employees must be trained on proper policies and procedures, and must never leave visitors unattended in areas not open to the general public.
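The fourth item above is the one that lends itself to automation. As an added illustration (this is not code from the original post, from TraceSecurity or from its product), the following Python script shows two checks a bank's mail gateway or a desk-side tool could run on a message that claims to come from an executive: it reads the Authentication-Results header (RFC 8601) written by the bank's own receiving mail server to see whether DMARC passed for a message that claims the bank's domain, and it catches display-name spoofing, where the visible name is an executive's but the address is an outside webmail account. The domain `examplebank.test`, the executive directory and the three sample messages are all constructed for the example.

```python
"""Sanity checks on an inbound message that claims to come from upper management.

Added example, not from the original post or from TraceSecurity. Two checks:
  1. Authentication-Results (RFC 8601), stamped by the bank's own inbound MTA,
     must report dmarc=pass whenever the From: domain is the bank's.
  2. A known executive's display name paired with a non-bank address, or a
     Reply-To pointing outside the bank, is display-name spoofing.
The header is only trustworthy if the MTA strips any Authentication-Results
header that arrives from outside bearing its own authserv-id (RFC 8601 s.5);
this example assumes the MTA does that.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of the bank's domain and executives (assumption).
BANK_DOMAIN = "examplebank.test"
EXECUTIVES = {"Jane Doe": "jane.doe@examplebank.test"}


def auth_results(msg):
    """Collect {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail', ...} from
    every Authentication-Results header on the message."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def check_executive_mail(raw):
    """Return a list of reasons to distrust the message; [] means it passed.
    Only messages that claim an executive's name or the bank's domain are
    examined; ordinary external mail is out of scope here."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    claims_exec = name in EXECUTIVES or domain == BANK_DOMAIN
    reasons = []
    if not claims_exec:
        return reasons
    # 1. Executive's display name, but the address is not that executive's.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' but address {addr}")
    # 2. Bank domain claimed, but the receiving server did not authenticate it.
    if domain == BANK_DOMAIN:
        verdict = auth_results(msg).get("dmarc", "missing")
        if verdict != "pass":
            reasons.append(f"dmarc={verdict} for {domain}")
    # 3. Reply-To outside the bank sends the teller's reply to the attacker.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and not reply_to.lower().endswith("@" + BANK_DOMAIN):
        reasons.append(f"Reply-To {reply_to} is outside {BANK_DOMAIN}")
    return reasons


# Constructed sample messages (not real mail).
GENUINE = """\
Authentication-Results: mx.examplebank.test; spf=pass smtp.mailfrom=examplebank.test; dkim=pass header.d=examplebank.test; dmarc=pass header.from=examplebank.test
From: Jane Doe <jane.doe@examplebank.test>
To: teller@examplebank.test
Subject: Q2 audit schedule

Please see the attached schedule.
"""

SPOOFED = """\
Authentication-Results: mx.examplebank.test; spf=pass smtp.mailfrom=webmail.example.net; dkim=none; dmarc=none
From: Jane Doe <jane.doe.ceo@webmail.example.net>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example.net>
To: teller@examplebank.test
Subject: Urgent wire transfer

I need this done before the auditors arrive.
"""

FORGED = """\
Authentication-Results: mx.examplebank.test; spf=fail smtp.mailfrom=examplebank.test; dkim=none; dmarc=fail header.from=examplebank.test
From: Jane Doe <jane.doe@examplebank.test>
To: teller@examplebank.test
Subject: Password reset for the branch server

Send me the current admin password so I can rotate it.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED), ("forged", FORGED)):
        print(label, check_executive_mail(raw) or "ok")
```

The genuine message produces no findings; the webmail message is flagged twice (executive's name on an outside address, and an outside Reply-To); the message that forges the bank's own domain passes the name check but is caught by dmarc=fail. None of this replaces the training item in the list: a teller still has to be told to treat an "urgent" request from the CEO as something to confirm by phone.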

The company's TraceSecurity Compliance Manager software automates vulnerability testing and policy management, and is backed by a range of services, including the social engineering audits described above.

Posted by Jon Erickson at 04:48 PM