C
learly, many people and things are out to get you. But if you think about the discussion of risk in Chapter 2, you’ll under-stand that even if everyone in the world wants to steal your information, they can do it only through your vulnerabilities. It doesn’t matter whether the bad people are foreign intelligence agencies or seven-year-old kids looking for candy money; they will all attack you through the vulnerabilities you leave open. Who the spies are is irrele-vant. It is your vulnerabilities that matter.As you go through this chapter, the vulnerabilities described may seem too basic to allow for significant or even noticeable losses.You probably see these things in your own home or office every day, yet you haven’t seen any losses worth noting. As I emphasized in Chapter 2, by overlooking the smaller losses that occur daily, you can suffer
“death by 1,000 cuts.” The case studies in Part II demonstrate how lit-tle things add up to billions of dollars of losses.
The best way to prevent attacks is to familiarize yourself with your organization’s weaknesses. Some security-minded people recommend focusing on the attacks themselves, emphasizing a strategy of second-guessing the attackers. Prevent the potential attack, the thinking goes, and you have no problems. However, this approach cures the symptoms
09_584685 ch05.qxd 2/17/05 8:35 PM Page 106
while ignoring the disease. For example, there was a World Trade Center attack in 1993 that used a car bomb. Security people strength-ened the access controls to the World Trade Center garage; however, they did nothing to strengthen airline security, which was the source of the 2001 World Trade Center attack.
Another example is that many individuals try to protect their credit cards by tearing up their card receipts because they have heard stories about criminals going through garbage. However, thousands of people readily go to fake web sites to supposedly confirm their credit card numbers and give out even more comprehensive information.
You must acknowledge vulnerabilities holistically and account for all of them.The bad guys will eventually find a way.
Of course, some vulnerabilities are simply unavoidable. Businesses must exchange information with other businesses. Companies must bring new people into the corporate fold. Organizations of all kinds are using the Internet in myriad ways. Individuals must use their credit card and give out their account number over the telephone or Inter-net. As I explained in Chapter 2, there is no such thing as perfect security.
Your goal should be to understand the vulnerabilities in your orga-nization and take reasonable steps to optimize your risk.The counter-measures for these vulnerabilities are the subject of Part III of this book.
A word about technology in this context:When most people con-sider information security, they think about technical issues.They believe that protecting information is all about protecting computers.
Please remember that information is information. This phrase should be your mantra. Information on a computer can be quite valuable, but the same piece of information written on a crumbled-up cocktail napkin is worth just as much. It is just as important to protect that napkin as it is to protect the computer. Focusing on computer-based data can leave an organization extremely vulnerable to tried-and-true espionage techniques.
I think it’s useful to look at vulnerabilities in four broad categories:
operational, physical, personnel, and technical. Some vulnerabilities don’t fit perfectly into any single category, but for clarity’s sake, I’ve grouped the examples in this chapter into the most appropriate of these subdivisions.
How the Spies Really Get You 107
09_584685 ch05.qxd 2/17/05 8:35 PM Page 107
O p e r a t i o n a l V u l n e r a b i l i t i e s
Larry Hale was formerly responsible for the Department of Homeland Security’s computer-incident response program. For many years before being appointed to that position, he ran the U.S. Federal Computer Incident Response Center, and he has probably dealt with more computer-hacking incidents than anyone else alive.When I interviewed him about the vulnerabilities that create the most serious losses, he said that operational problems were undoubtedly the underlying cause of just about all successful attacks.This is despite the fact that he focuses on technology-based attacks.The technology is not usually the problem. It is the use of the technology that causes most of the problems.
Operational vulnerabilities refer to weaknesses that result from the way organizations and people do daily business.When a company or person becomes a target, attackers look first to how the target performs its daily activities for vulnerabilities. How does this target go about giv-ing out information? What do this target’s actions reveal about its future plans?
This security concern is actually a military concept but is appropri-ate in the commercial and personal environments. In a military cam-paign, you might want to surprise an enemy with a sneak attack at an unexpected location, and you need to get your army over there with-out giving away your plans. Spies notice when you’re gassing up the tanks.They notice when you put refueling stations on the way to bor-ders.They can observe service personnel calling their families and can-celing appointments. Remember the example of questioning the pizza-delivery person about deliveries to a military base (see Chapter 1)?
Similarly, when military strategists work late in Washington, D.C., they call out for food, and spies take notice. Many of your operational activ-ities telegraph your secrets.
Companies also just give their secrets away. I can call the mail-rooms of hundreds of companies and ask them to send me the com-pany business plan. And with a little creative lying on my part, they’ll do it.
Operational security vulnerabilities are the most threatening and ominous weaknesses in any organization.They are also the most plenti-ful, because they result primarily from human error and weakness. By taking the time to learn about these weaknesses in your organization, you can prevent or minimize their exploitation.
108 C H A P T E R F I V E
09_584685 ch05.qxd 2/17/05 8:35 PM Page 108
Poor Awareness
In my experience performing penetration tests and investigating infor-mation-related crimes, poor awareness of security issues stands out as the most common operational vulnerability. Moderately skilled crimi-nals can get well-meaning employees to hand over just about any piece of information they want.The damage from this lack of awareness of general security issues is compounded by a lack of understanding of the value of your company’s information.This lack of understanding underlies the success of the attackers in most of the case studies pre-sented in Part II of this book.
Most people find it hard to believe that I can walk up to people and ask for their company’s most sensitive secrets and they will give them to me. However, if I ask for information in the right way, those skeptics would probably give me the same sensitive data. I can ask for people’s personal information, and they will give it to me just as readily.
When people do acknowledge that there is a potential problem, most think it will never happen to them.This attitude is a spy’s best weapon.Victims who feel this way ignore basic security considerations and allow unusual incidents and requests to go unnoticed.They hand over information to anyone who asks for it in the right way.They leave valuable information out in the open, vulnerable to theft and compro-mise. Usually, they don’t even notice that they’ve been attacked.
How the Spies Really Get You 109
ACCOUNTING FOR OPERATIONALVULNERABILITIES
When President Bush made a surprise visit to Iraq for Thanksgiving 2003, he did not use a presidential motorcade to get to Air Force One, but a single, unmarked SUV. Air Force One was scheduled for a maintenance flight, and Bush was supposed to stay at his Texas ranch. Reporters accompanying the president were required to give up their cell phones. President Bush changed airplanes inside a closed hangar. Air Force One had all its lights turned off as it landed in Iraq, and it descended at the last minute. Nobody was allowed to transmit news stories or otherwise let anyone know the president was in Iraq until after he was off the ground.The Secret Service accounted for every operational vulnerability they could think of to ensure that the likelihood of a terrorist attack was kept to a minimum.
09_584685 ch05.qxd 2/17/05 8:35 PM Page 109
You might be surprised to know how frequently classified materi-als are lost when military and government personnel make a quick stop at a store.They leave their laptop or briefcase in their car, and it is stolen.
Theft of computers out of government buildings is also common.
Although theft of classified information is common, it is relatively rare compared to commercial and private theft. Documents detailing valuable pharmaceutical formulas are stolen regularly. Laptop computers are stolen from cars and at airport security screenings. Most automobile thefts occur when the owners leave their car doors open, frequently with the keys in the car. Some of these thefts result from a complete ignorance that the information is highly targeted. However, the major-ity is clearly the result of the “It won’t happen to me” syndrome.
Poor awareness also means that employees don’t know the proper way to react to potentially compromising situations.They don’t know how to deliver quality customer service while maintaining security.
Security and customer service are not mutually exclusive. In most cases, they can even enhance each other.
Many people believe that strong security is the same as martial law, and they end up avoiding the issue altogether.They dismiss company protocol. Security warnings go in one ear and out the other. It isn’t mali-ciousness that moves people to believe that company security measures are just procedural and unnecessarily restrictive, it is poor awareness.
Common Sense and Common Knowledge
Security professionals often complain that people lack common sense when it comes to information security.What the professionals forget is that there is no common sense without common knowledge. The general pub-lic is not aware of the security imppub-lications of the everyday items, such as passwords, secured telephone lines, and cleaned and locked desks.
People don’t realize the value of the documents they toss on the seat next to them.The fact that someone might want the information never occurs to them, nor do they realize the ultimate threat to the com-pany’s security that such behavior invites.
Even technical vulnerabilities, which are covered later in this chap-ter, exist primarily because of the administrators’ and users’ poor aware-ness of computer security. If they knew about the vulnerabilities, they would usually do something about it. Unfortunately, few administrators and even fewer users are given the common knowledge to exercise common sense. Consider that all security professionals need more knowledge as well.
110 C H A P T E R F I V E
09_584685 ch05.qxd 2/17/05 8:35 PM Page 110
Perhaps the most glaring example of lack of security common sense was perpetrated by John Deutch, the former director of the CIA.
He was investigated, and it was proven that he allowed a classified com-puter to be used by his family.This dereliction of security included let-ting his children use the computer to browse the Internet.
I firmly believe that most people actually want to help protect their company’s information, or they would if they understood the serious-ness of the problem.Your employees do care, and they will cooperate if you let them know what’s at stake with an appropriate employee awareness program.
Most of the operational vulnerabilities discussed in this chapter stem from poor awareness. In other words, people would not do these things if they were aware of the problem.That’s why I’ve listed this vulnerability first, and why I believe it is so important.
Social Engineering
In a broad sense, social engineering can refer to any situation in which people are interacting with others to manipulate them.The Nazis orig-inally coined the phrase to mean the manipulation of the general pop-ulation; the Soviet Union adopted the term as well (the term remains offensive to many people because of its sinister roots). In the 1980s, hackers started to use this term to describe strategies for getting infor-mation from people through nontechnical means.The term can also refer to basic criminal confidence scams.
In fact, social engineering has also been used by law-enforcement agencies to capture criminals.To entice Alexei Ivanov, the perpetrator described in Chapter 10, to leave Russia, the FBI created a fictional security company and invited Ivanov for a job interview in the United States. As Ivanov traveled to the United States, the FBI hacked into his computer to gather evidence and arrested him shortly after his arrival.
Social engineering is a type of attack that exploits operational security vulnerabilities, specifically poor awareness. For example, a hacker might call a company randomly and ask people for their user IDs and passwords.To get people to give her this information, she might imitate technical support personnel. Hackers also use social engineering—or pretext phone calls, as the police refer to this method—
to get people to give them computer access points and other informa-tion about their computers and software. Chapter 6 presents a very successful use of this attack method to compromise a very large com-pany firm.
How the Spies Really Get You 111
09_584685 ch05.qxd 2/17/05 8:35 PM Page 111
Social-engineering tactics have also become the basis for most crimes against individuals on the Internet. Consider the infamous
“I Love You” virus, which was an e-mail virus that required users to open an attachment for an attack to be executed.To entice people to do this, the virus-writing scum used “I Love You” as the subject of the message, which appeared to come from someone the victim knew.
Another example is the PayPal scam, which tricks people into going to a fake web site and disclosing their credit card information. Many peo-ple have PayPal accounts, and the message looks real.
Although hackers have a reputation for being expert social engi-neers, they are insignificant amateurs in the subject matter.The better salespeople are professional social engineers. However, the best by far are spies, or, specifically, human intelligence operatives. If you think of social engineering as the manipulation of people, then people who get people to betray their country under penalty of death are clearly at a level beyond what hackers can dream of. Spies receive years of training in the understanding of people and know how to detect and
exploit the victim’s need for MICE, as Chapter 1 describes. Operatives combine a natural ability with extensive psychological training and practice.
Reverse social engineering refers to an interesting variant on this attack method, in which the victim comes to the attacker instead of the attacker approaching the victim. For example, during one of my penetration tests, I took a job as a temporary employee and let other workers know that I knew a lot about computers.While I sat there supposedly doing my job and ignoring other people, they would inter-rupt me to ask questions about a new computer program the company just started using. All the workers let me sit down at their computer. I would show them a few things while I surreptitiously installed back-door software on their system as they watched. I could then log in to their computers at will from my own desk.
In a more traditional case of reverse social engineering, a hacker entered a company and posted flyers saying that the company’s Help Desk telephone number changed. Of course, the flyers gave a new tele-phone number, which was controlled by the hacker. Employees of the company called the number regularly, and the hacker secured passwords and just about anything else he wanted to know from employees want-ing help.
Social engineering is a very powerful tool. It can bypass millions of dollars’ worth of security mechanisms, it’s very cheap to perform, and it
112 C H A P T E R F I V E
09_584685 ch05.qxd 2/17/05 8:35 PM Page 112
doesn’t take much technical expertise. Although real spies are by far the best at social-engineering activities, all that’s needed for someone to be apparently successful is to be a good liar.The supposedly superior social-engineering skills of a hacker are actually more a demonstration of his victims’ poor awareness than a result of any real expertise.
Accidents and Carelessness
Accidents and carelessness, referred to by lawyers as “errors and omis-sions,” take on many forms and are an unavoidable fact of life. People accidentally leave documents in the wrong places at the wrong times.
Classified material is left on computers that are resold to the general public. In negotiations, an innocent slip of the tongue can cost you big time. People leave their wallets on store counters. Car keys are lost.Vir-tually everyone has caused the compromise of sensitive information at some time or other and will cause it in the future. Much of this is due to poor awareness, but just as frequently, an aware person slips up for a moment.
Just because accidents happen doesn’t mean you should stop trying to prevent them. However, organizations typically deal with accidents after the fact. One problem is that people often fail to report accidents.
Covering up a mistake is a natural reaction, but you can’t stop what you don’t know about.
Policies and Procedures
Policies and procedures are the foundation of a corporation. Some-times the policies and procedures of your organization actually create security vulnerabilities.
Although good policies can go far in reducing risk, many policies and procedures are developed without any consideration for security issues. Mandatory internal reporting of sensitive issues, for example, can generate sources of revealing information. Some policies simply require too much documentation and allow for distribution that is too wide-spread. Policies that require people to give their names and depart-ments when they answer the telephone give unknown callers essential information that social engineers can use.
Take a look at your policies and procedures, and ask yourself which policies force people to give out information that might be useful to an attacker. Is it necessary to divulge that information to do business? If
How the Spies Really Get You 113
09_584685 ch05.qxd 2/17/05 8:35 PM Page 113
security were a consideration, would you still give out that information?
Is it necessary for Toys “ ” Us or Circuit City to ask for your telephone number when you buy something from them? For situations in which employees are required to reveal that information, do they give out just the required data, or do they go further than necessary? Obviously, some information must be given out from a business perspective, but
Is it necessary for Toys “ ” Us or Circuit City to ask for your telephone number when you buy something from them? For situations in which employees are required to reveal that information, do they give out just the required data, or do they go further than necessary? Obviously, some information must be given out from a business perspective, but