Jim Stickley of TraceSecurity makes his living by performing 'social engineering' security audits on bank premises, bypassing security to steal confidential customer data files or install keyloggers on unattended PCs. "We usually walk in the door during business hours," he says.
As each week brings a new report of yet another financial institution that has leaked customers' private information, you have to stop and wonder what is going wrong. Security technology has advanced by leaps and bounds over the last few years, and over that same period strict new regulations targeting information security have been published. Yet in just the past month alone, over a million people in the United States have been put at risk of identity theft, and the numbers continue to grow.
Unlike the Bank of America snafu, which involved the loss of unencrypted backup tapes containing credit card account data and social security numbers for 1.2 million federal employees, including senators and congressmen, most security breaches involving the exposure of confidential information go unnoticed and unreported. At the end of 2004, I received a letter from my personal credit union explaining that my confidential information, including my social security number, 'may' have been stolen from one of their third-party vendors. Yet when I do a search on Google, I find nothing about this incident. And therein lies the problem. Unless a congressman happens to be one of the victims, it is passed off as just another case of mismanaged data.
In a widely reported recent incident, UK police foiled attempts by a cyber crime gang to steal £220m from the London offices of the Japanese banking group Sumitomo Mitsui. The gang used keylogging software to steal passwords and access the network. Details of how the keylogging program was installed at the bank's London office have not been disclosed.
As part of my position at TraceSecurity (www.tracesecurity.com), banks and credit unions hire us to perform social engineering audits on their premises. Unlike unsophisticated phone attacks, our job is to physically gain access to the facility and target confidential customer information. We usually walk in the front door during normal business hours. When most people think of bank security, they think of the armed guard standing just inside the entrance. The idea that someone could simply walk past the guard, enter the server room and walk out with backup tapes of the entire database seems almost absurd. To those disbelievers I would counter that our success rate is over 80%.
Why can we so easily break into virtually any bank? It turns out that over the past few years there has been a huge shift in the way financial institutions, and businesses in general, approach security. In the past, physical security and user awareness were understood to be the keys to success. Today, however, the focus is on network security technology. Firewalls, anti-virus, anti-spyware, storage encryption, IDS, VPNs and network scanning utilities now receive well-deserved budget dollars. These tools all play a major role in maintaining the confidentiality of the information they protect. Unfortunately, strong security technology is only half the battle. Most companies today fail to address the human and physical aspects of security. The secret to security is to balance technology with proper policies, procedures and education.
For example, firewalls and IDS can block the majority of attacks against an internal network from the outside, so there is a misconception that patching internal systems is not as high a priority. The truth is that most compromised systems are located on the internal network, where the perimeter firewall never sees the initial attack. Weaknesses in Internet Explorer are a prime example. A user browses out to a malicious web site. While they watch a dancing squirrel on the screen, another program begins running in the background. This program in turn makes an outbound connection to a malicious server where a hacker is waiting; because the connection originates from inside, the firewall allows it like any other browsing session. At that point, the hacker is given a console from which they can execute commands on that user's desktop. Immediately the hacker begins to monitor traffic on the network and within minutes is able to find a database server. Then, by exploiting an unpatched vulnerability on the database server, they transfer back thousands of customer accounts.
Though this is a simplistic view, it is exactly how we have compromised several organisations throughout the United States. If you are wondering how we convince the user to visit the malicious Web site to begin with, my personal favourite is to send a fake e-card, preying upon a person’s desire to be loved and appreciated.
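The two network events in the chain above are visible in ordinary egress and internal firewall logs: a desktop opening an outbound connection to an arbitrary external host on a port a browser has no business using (the reverse connection back to the waiting hacker), and a desktop talking directly to a database port (the pivot to the database server). The following Python is an added example of that detection logic, not code from the article or from TraceSecurity. The log line format, the subnets, the allowed egress ports and the sample log lines are all assumptions constructed for the example.

```python
"""Flag reverse-connection and workstation-to-database events in a
constructed firewall log. Log format, address ranges, port lists and
sample entries are assumptions made for this example."""
import ipaddress
import re
from collections import Counter

# Assumed log format: "<timestamp> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <TCP|UDP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)

# Assumed address plan: RFC 1918 space is "inside"; user desktops live in one subnet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
WORKSTATION_NET = ipaddress.ip_network("10.1.20.0/24")

EGRESS_PORTS_OK = {80, 443}          # what a browser legitimately needs outbound
DB_PORTS = {1433, 1521, 3306, 5432}  # MS SQL, Oracle, MySQL, PostgreSQL

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for the Internet; 10.1.5.10 plays the database server.
SAMPLE_LOG = """\
2005-04-12T10:14:03 ALLOW 10.1.20.57:3301 -> 203.0.113.9:80 TCP
2005-04-12T10:14:05 ALLOW 10.1.20.57:3302 -> 203.0.113.9:4444 TCP
2005-04-12T10:14:35 ALLOW 10.1.20.57:3303 -> 203.0.113.9:4444 TCP
2005-04-12T10:15:10 ALLOW 10.1.20.57:3304 -> 10.1.5.10:1433 TCP
2005-04-12T10:15:12 ALLOW 10.1.20.58:3311 -> 198.51.100.7:443 TCP
2005-04-12T10:15:20 DENY 10.1.20.58:3312 -> 203.0.113.9:4444 TCP
2005-04-12T10:16:00 ALLOW 10.1.30.4:40001 -> 10.1.5.10:1433 TCP
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dst"] = ipaddress.ip_address(ev["dst"])
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(log_text):
    """Return findings for allowed connections that match either attack step.

    reverse-connection: desktop -> external host on a port browsers do not use.
    workstation-to-db:  desktop -> internal host on a database port; desktops
                        normally reach data through an application, not the DB.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "ALLOW":
            continue  # unparseable or blocked; the blocked ones belong in a separate report
        src, dst, dport = ev["src"], ev["dst"], ev["dport"]
        if src not in WORKSTATION_NET:
            continue  # servers talking to servers is outside this rule's scope
        kind = None
        if not is_internal(dst) and dport not in EGRESS_PORTS_OK:
            kind = "reverse-connection"
        elif is_internal(dst) and dport in DB_PORTS:
            kind = "workstation-to-db"
        if kind:
            findings.append({"kind": kind, "ts": ev["ts"], "src": str(src),
                             "dst": str(dst), "dport": dport})
    return findings


def beacon_counts(findings):
    """Count repeated reverse connections to the same host:port; a desktop that
    keeps reconnecting to one external non-web port is the implant calling home."""
    return Counter((f["src"], f["dst"], f["dport"])
                   for f in findings if f["kind"] == "reverse-connection")


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["kind"]:20} {h["src"]} -> {h["dst"]}:{h["dport"]}')
    for (src, dst, port), n in beacon_counts(hits).items():
        print(f"{src} reconnected to {dst}:{port} {n} times")
```

Run against the sample, the rule flags the two connections from 10.1.20.57 to 203.0.113.9:4444 and its connection to the database server on 1433, and ignores the ordinary web traffic, the DENY entry and the application server (10.1.30.4) that is supposed to talk to the database. The point is not the specific ports: any organisation that logs egress and internal firewall traffic can spot this chain, but only if someone has defined what its desktops are supposed to talk to.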
As for walking past the guard and carrying out the backup tapes, this is simply a matter of poor policy design and/or enforcement. Most offices have areas where the public should and should not be. However, visitors who appear to have a legitimate reason to be in the non-public areas are often ignored once they are there.
On a number of occasions, we have visited financial institutions in disguise, posing as air conditioning repairmen or pest control technicians. Of course, an appointment was set up ahead of time, and by the time we arrive on site, half the battle has already been won. Upon entering the facility, we are often greeted and even asked to sign in. Once signed in, we start walking around the facility, black bag in one hand and air-flow-measuring device in the other. Often an employee will escort me to my destination, which is good standard policy.
Unfortunately, within minutes they usually grow bored or uncomfortable with the silence between us and head back to their desk. Once unaccompanied, it's just a matter of walking from desk to desk, filling my black bag with customer files and placing trojaned CDs into logged-in computers that have been left unattended. I find passwords on Post-It notes stuck to monitors, unsecured and unencrypted backup tapes in the server room, and unlocked personnel folders in the human resources department.
Even though social engineering is not always easy, and hacking into a network can be difficult, the simple fact remains that organisations are not taking these risks seriously enough. Appropriate policies and procedures must be implemented and enforced. Applications should be regularly patched to defend against the latest vulnerabilities. Frequent, automated vulnerability scanning should be incorporated into the security strategy. And if every organisation would require visitors to be accompanied by an employee at all times, our days of an 80% success rate would be over.

Jim Stickley is CTO of TraceSecurity of Baton Rouge, Louisiana, a provider of security compliance management software and services for financial institutions.