Awareness lessons from Wal Mart

This year's social engineering 'capture the flag' competition at the DefCon hackers' conference was won by a contestant who socially engineers his clients' employees for a living.  In the course of a 20 minute phone call, he successfully fooled an unsuspecting Wal Mart employee into revealing potentially sensitive and valuable information, even persuading him to visit a (potentially infectious) website to 'complete a survey'.  Read more about the con here.

The con was cool in the sense that, live on stage, the contestant collected all the flags on his task list, but uncool in the sense that the attack was relatively straightforward and entirely benign, within the strict rules of the competition.  I've read about many similar attacks in books such as The Art of Deception, The Art of Intrusion and Ghost in the Wires by Kevin Mitnick, and Spies Among Us by Ira Winkler.  In No Tech Hacking, Johnny Long writes at length about the ability to research potential targets and identify vulnerabilities, while David Lacey discusses the psychological flaws that open up vulnerabilities in his Human Factor book.  This is not rocket surgery :-)

The troubling part is that actual real-world social engineers are far from benign, and don't follow the rules - in fact, they consciously eschew the rules and take advantage of not always making the anticipated approaches, gaining a significant advantage from being innovative as well as ballsy.  Social engineering is merely one tool in their toolboxes.

As to what Wal Mart might actually do to mitigate the risk of its customer services and other employees being socially engineered for real, reading Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program would be a great start - but don't get me wrong, a 'training session' for employees is certainly not going to make them immune to such attacks, while even a rolling/continuous security awareness program is not the Ultimate Solution either.

To claim otherwise is as ridiculous as a technical security consultant recently claiming that security awareness is a waste of money since incidents such as this still occur, and hence we must put all our faith - and $$$$ - into technical security controls.  As we say in NZ, "Yeh, right".  Of course you can throw big money down the drain by doing awareness incompetently and badly, in exactly  the same way as you can chuck money at unsuitable technical security controls, or neglect to train people in how to install, use, manage and maintain them properly (which, by the way, is itself a form of security awareness).

Social engineering is one of our most popular and important awareness topics, one that we revise, update and reissue annually.  You can be sure that the Wal Mart incident will be mentioned in the security awareness materials this December, delivering the module in good time for the Thanksgiving/Christmas/New Year holiday season when social engineering attacks are rife.  You can be sure because earlier DefCon Capture The Flag social engineering competition were featured along with various other social engineering incidents in previous modules.  The competition remains a golden opportunity in awareness terms, for those organizations that are far-sighted enough to appreciate its significance to them.

What's more, social engineering is just one of the 40+ awareness topics we cover, and in fact it gets a mention in some form in almost every other module, a practice known professionally as "reinforcement".  The idea is to remind people about various threats throughout the year rather than relying solely on a single awareness/training event.  The same thing applies to other commonplace security issues such as malware: a once-a-year malware focus is woefully inadequate to maintain a sufficient level of awareness.  I completely understand that those organizations who are still stuck in the Dark Ages, believing that an annual lecture to the troops on (usually just IT) security is sufficient, are less than impressed at security awareness.  That may be enough to comply with various badly-written laws and regulations, but it's way  short of good practice in this area.

And, by the way, compliance is another of those 40+ topics we cover!

That said, although we know how to do security awareness well, we also know it's never a perfect control.  We also emphasize the value of other forms of control therefore, ranging from security governance, risk management, policy,  business continuity and other strategic security stuff for management to technical security stuff for the IT professionals.  Managers and teccies also benefit from security awareness, whereas only addressing "end users" (which is itself a demeaning or belittling term for PEOPLE) is definitely missing a trick.  No wonder those old-fashioned "annual security training sessions" give awareness a bad name: they are almost guaranteed to fail.

If, at the end of the day, year-round information security awareness programs are sufficient to make the hackers, crackers, social engineers, industrial spies, identity thieves, organized criminals and security services go elsewhere for easier/softer targets, our customers are happy and our job is done - although naturally we're always hopeful of signing up the likes of Wal Mart and other victims who - finally - appreciate that they could do with some professional help.