After studying this section you should be able to do the following:
- Recognize the potential entry points for security compromise.
- Understand infiltration techniques such as social engineering, phishing, malware, Web site compromises (such as SQL injection), and more.
- Identify various methods and techniques to thwart infiltration.
Modern information systems have lots of interrelated components and if one of these components fails, there might be a way in to the goodies. This creates a large attack surface for potential infiltration and compromise, as well as one that is simply vulnerable to unintentional damage and disruption.
User and Administrator Threats
While some of the more sensational exploits involve criminal gangs, research firm Gartner estimates that 70 percent of loss-causing security incidents involve insiders (Mardesich, 2009). Rogue employees can steal secrets, install malware, or hold a firm hostage. Check processing firm Fidelity National Information Services was betrayed when one of its database administrators lifted personal records on 2.3 million of the firm’s customers and illegally sold them to direct marketers.
And it’s not just firm employees. Many firms hire temporary staffers, contract employees, or outsource key components of their infrastructure. Other firms have been compromised by members of their cleaning or security staff. A contract employee working at Sentry Insurance stole information on 110,000 of the firm’s clients (Vijayan, 2007).
As P. T. Barnum is reported to have said, “There’s a sucker born every minute.” Con games that trick employees into revealing information or performing other tasks that compromise a firm are known as social engineering in security circles. In some ways, crooks have never had easier access to background information that might be used to craft a scam. It’s likely that a directory of a firm’s employees, their titles, and other personal details is online right now via social networks like LinkedIn and Facebook. With just a few moments of searching, a skilled con artist can piece together a convincing and compelling story.
A Sampling of Methods Employed in Social Engineering
- Impersonating senior management, a current or new end user needing help with access to systems, investigators, or staff (fake uniforms, badges)
- Identifying a key individual by name or title as a supposed friend or acquaintance
- Making claims with confidence and authority (“Of course I belong at this White House dinner.”)
- Baiting someone to add, deny, or clarify information that can help an attacker
- Using harassment, guilt, or intimidation
- Using an attractive individual to charm others into gaining information, favors, or access
- Setting off a series of false alarms that cause the victim to disable alarm systems
- Answering bogus surveys (e.g., “Win a free trip to Hawaii—just answer three questions about your network.”)
Data aggregator ChoicePoint sold private information to criminals who posed as legitimate clients, compromising the names, addresses, and Social Security numbers of some 145,000 individuals. In this breach, not a single computer was compromised. Employees were simply duped into turning data over to crooks. Gaffes like that can be painful. ChoicePoint paid $15 million in a settlement with the Federal Trade Commission, suffered customer loss, and ended up abandoning once lucrative businesses (Anthes, 2008).
Phishing refers to cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action or revealing information. The cons are crafty. Many have masqueraded as a security alert from a bank or e-commerce site (“Our Web site has been compromised, click to log in and reset your password.”), a message from an employer, or even a notice from the government (“Click here to update needed information to receive your tax refund transfer.”). Sophisticated con artists will lift logos, mimic standard layouts, and copy official language from legitimate Web sites or prior e-mails. Gartner estimates that these sorts phishing attacks cost consumers $3.2 billion in 2007 (Avivah, 2007).
Other phishing attempts might dupe a user into unwittingly downloading dangerous software (malware) that can do things like record passwords and keystrokes, provide hackers with deeper access to your corporate network, or enlist your PC as part of a botnet. One attempt masqueraded as a message from a Facebook friend, inviting the recipient to view a video. Victims clicking the link were then told they need to install an updated version of the Adobe Flash plug-in to view the clip. The plug in was really a malware program that gave phishers control of the infected user’s computer (Krebs, 2009). Other attempts have populated P2P networks (peer-to-peer file distribution systems such as BitTorrent) with malware-installing files masquerading as video games or other software, movies, songs, and pornography.
So-called spear phishing attacks specifically target a given organization or group of users. In one incident, employees of a medical center received e-mails purportedly from the center itself, indicating that the recipient was being laid off and offering a link to job counseling resources. The link really offered a software payload that recorded and forwarded any keystrokes on the victim’s PC (Garretson, 2006). And with this type of phishing, the more you know about a user, the more convincing it is to con them. Phishers using pilfered résumé information from Monster.com crafted targeted and personalized e-mails. The request, seemingly from the job site, advised users to download the “Monster Job Seeker Tool”; this “tool” installed malware that encrypted files on the victim’s PC, leaving a ransom note demanding payment to liberate a victim’s hard disk (Wilson, 2007).
Don’t Take the Bait: Recognizing the “Phish Hooks”
Web browser developers, e-mail providers, search engines, and other firms are actively working to curtail phishing attempts. Many firms create blacklists that block access to harmful Web sites and increasingly robust tools screen for common phishing tactics. But it’s still important to have your guard up. Some exploits may be so new that they haven’t made it into screening systems (so-called zero-day exploits).
Never click on a link or download a suspicious, unexpected enclosure without verifying the authenticity of the sender. If something looks suspicious, don’t implicitly trust the “from” link in an e-mail. It’s possible that the e-mail address has been spoofed (faked) or that it was sent via a colleague’s compromised account. If unsure, contact the sender or your security staff.
Also know how to read the complete URL to look for tricks. Some firms misspell Web address names (http://wwwyourbank.com—note the missing period), set up subdomains to trick the eye (http://yourbank.com.sneakysite.com—which is hosted at sneakysite.com even though a quick glance looks like yourbank.com), or hijack brands by registering a legitimate firm’s name via foreign top-level domains (http://yourbank.cn).
A legitimate URL might also appear in a phishing message, but an HTML coding trick might make something that looks like http://yourbank.com/login actually link to http://sneakysite.com. Hovering your cursor over the URL or an image connected to a link should reveal the actual URL as a tool tip (just don’t click it, or you’ll go to that site).
Web 2.0: The Rising Security Threat
Social networks and other Web 2.0 tools are a potential gold mine for crooks seeking to pull off phishing scams. Malware can send messages that seem to come from trusted “friends.” Messages such as status updates and tweets are short, and with limited background information, there are fewer contexts to question a post’s validity. Many users leverage bit.ly or other URL-shortening services that don’t reveal the Web site they link to in their URL, making it easier to hide a malicious link. While the most popular URL-shortening services maintain a blacklist, early victims are threatened by zero-day exploits. Criminals have also been using a variety of techniques to spread malware across sites or otherwise make them difficult to track and catch.
Some botnets have even used Twitter to communicate by sending out coded tweets to instruct compromised machines1. Social media can also be a megaphone for loose lips, enabling a careless user to broadcast proprietary information to the public domain. A 2009 Congressional delegation to Iraq led by House Minority Leader John Boehner was supposed to have been secret. But Rep. Peter Hoekstra tweeted his final arrival into Baghdad for all to see, apparently unable to contain his excitement at receiving BlackBerry service in Iraq. Hoekstra tweeted, “Just landed in Baghdad. I believe it may be first time I’ve had bb service in Iraq. 11th trip here.” You’d think he would have known better. At the time, Hoekstra was a ranking member of the House Intelligence Committee!