Academic year: 2021

Share "Auditing the Human Factor as a Part of Setting up an Information Security Management System"

Copied!
30
0
0

Loading.... (view fulltext now)

Full text

Degree project in

Auditing the Human Factor as a Part of Setting up an Information Security Management System

Gustav Svensson

Abstract

The human factor is the weakest link in the security of all information systems, but users are not aware of the risks or of the importance of following policies and routines to prevent a security breach. The most common attack vector starts by exploiting human weakness and planting malware inside the organization. There is a need to find a good way to audit the human factor to address this issue. Different penetration tests are evaluated in this study: two phishing attacks and one in the form of a survey under a false pretext. The respondents are tricked into thinking that they are answering questions about customer service efficiency while the questions are actually about information security and social engineering.

Contents

1 Introduction
1.1 Background
1.2 Scope, objective and delimitations
1.3 Outline
2 Theory
2.1 The psychological aspect of social engineering
2.2 Targeted attacks and phishing attacks
2.3 High success rate
2.4 Countermeasures
2.4.1 Technical
2.4.2 Policies
2.4.3 Training
2.5 Management commitment
3 Method
3.1 Soft penetration test
3.2 Phishing attack 1
3.3 Phishing attack 2
3.4 Presentation
4 Results
4.1 Social Engineering Audits Using Anonymous Surveys
4.1.1 Control questions
4.1.2 Scenario 1
4.1.3 Scenario 2
4.1.4 Scenario 3
4.1.5 Scenario 4
4.1.6 Scenario 5
4.1.7 Answers by each individual
4.2 Phishing attack 1
4.3 Phishing attack 2
4.4 Interviews
5 Analysis and Discussion
5.1 The importance of security policies
5.2 Future work

1 Introduction

Following the ongoing trend of storing more information on many different servers facing the Internet, the number of information leaks has grown dramatically. The situation has become serious enough that something drastic needs to be done to prevent a potential catastrophe.

Today people are constantly connected and are encouraged to quickly share information with each other. Apart from the direct consequences this can have, such as identity theft and unauthorized access to your information, it also creates a culture of sharing information rather than protecting it. Some people even consider those who freely and without reflection click their way forward to be computer-savvy.

Those with the intention of breaking into someone else's IT system have of course realized this by now, and the most common attack vector starts by manipulating a person inside the organization, using social engineering, into installing malware on their computer without realizing it [verizon2012; websense2012; symantec2012]. This act of manipulating humans is called social engineering. It is defined in many ways but essentially denotes "the act of an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system" [granger2001a]. With an increasing number of bugs and vulnerabilities it is usually enough to trick the person into visiting a website that is spreading malware. The malware is planted silently, without any effort from the user and with no real sign that something bad just happened, except that the browser might crash. At the time of writing, for example, there are many vulnerabilities in outdated Java plugins that could be exploited using, for example, CVE-2012-4681¹. To make things even worse, the exploit code is publicly available, for example as a module in the Metasploit database², and can easily be used in the Metasploit Framework to craft your own exploit and encode it so that it is not recognized by anti-virus software [bagget2008]. This framework is a very useful tool for penetration testers, but it also puts pressure on software companies to write secure code and patch vulnerabilities quickly.

For it to be meaningful to even begin working with information security in an organization, it is crucial that the employees are well informed about the situation, have good security awareness and a culture that supports the implementation of a management system. An information security management system is a set of policies and procedures for systematically managing and protecting an organization's information assets. The best known is described in the standard ISO 27001, and COBIT has just recently added information security to its latest release, COBIT 5. The human factor is the weakest link in business security [ponemon2012], and there is a need to find good ways of measuring and evaluating just how vulnerable an organization is in this respect.

This thesis will present different methods of conducting penetration tests to address this issue. It is sometimes considered unethical to perform real attacks on the organization, simulating the actions of a potential attacker, and it can be more convenient to use a "soft" penetration test that is less offensive to the employees. Marcus Nohlberg [nohlberg2005] suggests an experiment using anonymous surveys under a false pretext, where the respondents are asked about micro efficiency and how readily they would help someone by sharing information. Since they do not realize that the survey is about information security, many of them answer that they are helpful and efficient in customer relations rather than careful and restrictive about disclosing information. Nohlberg argues that since they can be fooled by a survey, it is plausible that they would be fooled by a social engineer in a similar scenario, since a skilled social engineer is far more persuasive than a survey.

¹ http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
² http://www.metasploit.com/modules/

This thesis includes both a "soft" penetration test similar to Nohlberg's and two real attacks in the form of attempts to plant "malware" in the organization: one untargeted email phishing attack and one more opportunistic [dhanjani2009, p.245] or "semi-targeted" attack, spoofing the CEO as the sender⁴ of the email. An attempt to compare the different methods was made by analyzing the results. This was followed by a group discussion and semi-structured interviews.

1.1 Background

The author commenced a career as an IT-consultant while studying electrical engineering at the Royal Institute of Technology and in the autumn of 2011 he started a new company focused on information security. Subsequently he was contacted by Company X that needed his help with their information security management. It was decided that he would initiate the process of developing an Information Security Management System (ISMS) based upon the ISO/IEC 27001 standard [iso27001]. During the project it became clear that the human factor plays a major role in an organization’s information security and had to be investigated further.

1.2 Scope, objective and delimitations

The experiments were conducted at Company X in Stockholm. It is a small, fast-growing company with twelve full-time employees. It is a young and open-minded company where most of the employees are around the age of 30. The company's main focus is the human resources business: performing employee surveys followed by management coaching and quality improvement. Most of their clients are in the public sector, and the company wants to deliver services of high quality while safeguarding a high level of security and integrity. Since they work with change management themselves and conduct employee surveys on a regular basis, the author's experiments were perhaps more readily accepted than they would otherwise have been. The employees are young and willing to learn, and probably above average in their computer skills. Like most service-oriented companies today, they spend most of their time using their computers.

⁴ Opportunistic attacks are when the attacker has a general idea of what or whom he wants

The author had the privilege to work within the company for 4 months, while performing the experiments, which allowed him to study the social interactions and get to know the people quite well. They all knew that the author was there to help them improve their information security, but were not aware of the contents of the master thesis project.

When the author first came into contact with Company X there were no information security policies implemented, and the division of responsibilities was somewhat unclear. Their previous system administrator had just left the company and there was a gap to fill. With a strong will to improve, it was decided that there would be substantial changes to the IT systems and information management. The author would play a major role in this process, and along with the technical changes the company would try to build a new culture and learn about the "security mindset" [schneier2008].

The Code of practice for information security management [iso27002] lists a number of critical success factors. One of them is the implementation of a measurement system that can be used to evaluate performance in information security management. The term "social engineering" is not mentioned at all in the standard, and no policies are suggested as a countermeasure against these types of attack.

The purpose of this thesis is to compare the method of using a survey under a false pretext with two real phishing attacks, to see whether the survey can be used to measure an organization's vulnerability to social engineering attacks. Since it is usually considered unethical to perform real attacks on people in an organization, simulating the actions of a potential attacker, there is a need to find a better method for conducting social engineering penetration tests. Because of the manageable size of the company it was possible to perform a good qualitative study, including valuable feedback and comments from those involved.

1.3 Outline

The next chapter gives some background on the theory behind social engineering and an overview of research done in the field. Chapter 3 describes the method used, and the results are presented in chapter 4. This is followed by an analysis of the results and a discussion in chapter 5. Finally the thesis is concluded in the sixth chapter.

2 Theory

2.1 The psychological aspect of social engineering

can break into systems, not using advanced technology, but rather by manipulating people into giving him access or information [mitnick2002]. Mitnick learned at an early age how to exploit some basic human psychological principles, some of them described by the psychology professor Robert Cialdini in his book Influence from 1998 [cialdini2009]. Cialdini talks about six key principles of persuasion:

• Reciprocation refers to the need to return a gift. After receiving even a small gift a person is more likely to return the favor, giving back more than they would otherwise have done.
• Commitment and consistency refers to the fact that people are more likely to stick to a cause or idea after making a commitment.
• Social proof means that people tend to follow what others are doing.
• Liking means that humans are more easily persuaded by people they like.
• Authority refers to the tendency for people to obey authority figures.
• Scarcity means that people get more interested if the demanded thing is limited.

Another good paper on the subject is "A multi-level defense against social engineering" by David Gragg [gragg2003], which describes some psychological triggers behind social engineering. They are similar to those presented by Cialdini but are described in the context of social engineering rather than marketing and ethology. The triggers he talks about are:

• Strong affect is used to trigger strong emotions to distract the victim from thinking logically.⁵
• Overloading: if someone overloads a person with information, the person sometimes becomes mentally passive, stops processing the information and becomes more willing to accept arguments that would otherwise have been challenged.
• Reciprocation is similar to Cialdini's principle about returning a favor. This holds even if the original favor was not asked for.
• Deceptive relationships: by building up a relationship with the target, the attacker achieves his goals more easily. A quick way to do this could be to refer to shared interests or the same home town.
• Diffusion of responsibility and moral duty: the target could be scared into thinking that his decision will affect the company very badly if he does not comply, and since he does not want to lose his job he helps out to avoid being held responsible.
• Authority: this might be the most commonly exploited trigger, since people will do a great deal for someone they think is an authority.
• Integrity and consistency describes the same principle as Cialdini's, but Gragg also explains that this tendency is so strong that people will carry out commitments they believe an absent colleague made.

The similarities between Gragg's psychological triggers and Cialdini's principles of persuasion have been recognized by Scheeres, who has suggested how to map these properties to each other [scheeres2008].

⁵ While working with this project the author was a victim of an obvious scam utilizing this

Reading some example scenarios written by Mitnick and Cialdini, it becomes obvious that it is very difficult to defend yourself against these types of attack. You almost need to be inconveniently paranoid to withstand a well-executed, targeted social engineering attack. It does not matter how intelligent you are, according to the famous magician James Randi: "Any magician worth his salt will tell you that the smarter an audience, the more easily fooled they are. [...] Scientists aren't trained to study something that's deceptive." [randi2012]

2.2 Targeted attacks and phishing attacks

A lot of research has been done on the subject of making people "say yes", since this is of great interest to advertisers and salespeople. It would not be surprising if criminals also use this knowledge to execute their attacks successfully. Most targeted attacks are aimed at larger companies, but there are studies suggesting that the problem is spreading to smaller companies as well [symantec2012; verizon2012]. With more information available on social networks, and people bringing their own devices (BYOD) as well as their own behaviors (BYOB) into the company, the gathering of this information can be automated, which opens the door to very sophisticated attacks even on smaller companies. There are also tools available to quickly craft a social engineering experiment, such as the Social Engineering Toolkit [SET]. Among many other things, this toolkit can be used to clone a website so that it reports the input data to the attacker. According to the Anti-Phishing Working Group there were more than 56 000 unique phishing sites in February 2012 [apwg2012].

2.3 High success rate

Some studies show that the success rate is very high for many different types of social engineering. One experiment describes how a person pretended to be a security auditor performing a survey on network security; 60% filled in their username and password in the survey [orgill2004]. Another study claims that 50% of those called by phone in their experiment, including system administrators, gave away login information and passwords to the mail server [rossling2009].

In the book Low Tech Hacking, the author Jack Wiles claims that his tiger team⁶ never got caught during his 20-year career, while performing inside penetration tests in which he gained physical access to the building, where he could have done a lot of damage [wiles2011; redteaming2010].

⁶ The term "tiger team" or "red team" refers to a team whose purpose is to act as mock

2.4 Countermeasures

When talking about countermeasures, three key areas are frequently mentioned [granger2001b] [gragg2003]:

2.4.1 Technical

The first level of defense is of course the technical one. Properly configured firewalls and antivirus programs are important. These should be able to stop most untargeted spam and phishing, and most browsers have built-in phishing and malware detection that helps to some extent. Another simple protection is to blacklist senders using the organization's own domain when the mail reaches the gateway from outside, to prevent someone from spoofing the address of a person inside the organization. Another approach is to use digitally signed emails, as suggested in [jagatic2007].
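The gateway rule described above, as an added example in Python that is not code from the thesis: a message is rejected if it arrives from a host outside the organization's own relays while its envelope sender (MAIL FROM) or its From: header carries the organization's domain. The domain foretaget.se and the relay networks in ORG_RELAYS are assumptions.

```python
"""Gateway check: reject mail that claims an internal sender but arrives from
an external host.

Added example, not code from the thesis. Assumptions (hypothetical): the
organization's domain is foretaget.se and its only legitimate outbound relays
are the networks in ORG_RELAYS.
"""
import ipaddress
from email.utils import parseaddr

ORG_DOMAIN = "foretaget.se"                    # assumed organization domain
ORG_RELAYS = [                                  # assumed internal relay networks
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def sender_domain(address):
    """Lower-cased domain of an RFC 5322 address ('Name <user@host>' or bare)."""
    _display, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def is_internal_domain(domain):
    """True for the organization's domain and any of its subdomains."""
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def is_internal_client(client_ip):
    """True if the connecting SMTP client is one of the organization's relays."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ORG_RELAYS)


def gateway_decision(client_ip, mail_from, header_from):
    """Return (accept, reason) for one inbound message.

    Both the SMTP envelope sender (MAIL FROM) and the header From: are checked:
    spam filters tend to look at the envelope, but the user sees the header,
    and the two need not match."""
    if is_internal_client(client_ip):
        return True, "delivered by an internal relay"
    for label, value in (("MAIL FROM", mail_from), ("From:", header_from)):
        domain = sender_domain(value)
        if is_internal_domain(domain):
            return False, (f"{label} uses internal domain {domain!r} "
                           f"but client {client_ip} is external")
    return True, "external sender from external host"
```

The rule stops a message whose From: reads "Anna <anna@foretaget.se>" when it is handed in from the Internet, but not a display-name-only spoof such as "Anna CEO <anna@free-mail.example>" or a look-alike domain, and any third-party service that legitimately sends on the organization's behalf must either be added to ORG_RELAYS or, more robustly, be authorized through the domain's SPF/DKIM records, which generalize this check.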

2.4.2 Policies

It is important to have policies addressing the different areas of risk [thornburgh2004] [tims2001]. Not only is it important to have rules covering what to do and what not to do; it can also be a relief for the personnel not to have to judge what is right and wrong themselves, but instead to refer to the policy when being restrictive [granger2001b].

2.4.3 Training

The employees need training on how to keep confidential data safe. This can be done in many different ways. One important factor is to have everyone understand what they are protecting and why, and to include them in setting up the policies. [orgill2004] [tims2001]

2.5 Management commitment

3 Method

The experiments performed in this project were done as part of a case study, and important observations were written down and analyzed [merriam1994]. The project can be broken down into the following phases:

• Information gathering, preparations and study of the literature and research in the area of interest.
• A survey under a false pretext called "Process efficiency in a customer relationship".
• One phishing attack from an unknown sender asking the respondent to click on a link.
• Another phishing attack where the phishing email would appear to be from the CEO, asking everyone to install a critical update that could be retrieved from the attached URL.
• Semi-structured interviews.

These activities are described in detail in the following subsections.

3.1 Soft penetration test

The first experiment was a so-called "soft penetration test" in the form of a survey with the title "Process effectiveness in a customer relationship". Preferably the respondents would not realize that the survey was about information security and social engineering.

Phishing attacks were chosen as the type of social engineering attack to be tested because of the ethical considerations involved in physical penetration tests where specific individuals would be targeted, as discussed in [finn2007] and [dimkov2009].

The survey was carried out in the afternoon of the 11th of April, and the last respondent finished on the 17th of April. In the introduction the respondents were told not to speak to each other during or after the survey, which everyone seemed to observe.

As an introduction there were some questions regarding gender, age and length of employment. These were followed by 11 control questions to generate a picture of the respondents' personality profiles.

(Translated from Swedish)

1. I like to help other people.
2. I like to discuss and challenge other people's point of view.
3. It is easy for me to follow instructions from authorities.
4. Friendly people are often trustworthy.
5. People with high self-esteem make good decisions.
6. I have great confidence in successful people.
7. I like taking risks in the hope of quick gain.
8. Computers and technology usually make me stressed out and irritated.
9. I prefer excitement to a calm and safe everyday life.
10. I consider myself relatively experienced and skilled with computers.
11. I am afraid of doing something wrong.

The purpose of these questions was to get a picture of the respondents' helpfulness, their tendency to follow instructions from authorities, their appetite for risk and their experience with computers.

The survey consisted of 7 scenarios, of which 2 were general scenarios used as a diversion from the covert subject. The 5 other scenarios had the real purpose of investigating the employees' tendency to:

• Click on links from unverified senders [link]
• Install programs as requested by an unknown person [installation]
• Give out the pre-shared key to the wireless network to a visitor [wifi]
• Give away username and password over the phone [password]
• Plug in a USB stick from an unknown sender [device]

The scenarios are presented along with the results in chapter 4.

3.2 Phishing attack 1

To measure the accuracy of the survey as an instrument for analysing the information security of an organization, an unannounced phishing attack was performed on the 9th of May. The email was formulated as follows:

Hello Gustav,

I got your mail from a colleague who thought you would like this video. At least, I think it is one of the funniest videos I have seen in a long time. :)

http://www.krackelibrankelfnatt.se/?video=KwzWT&t=1

Regards
/Fredrik

The email also contains a hidden image used for tracking. This is a common method used by newsletters and email marketing companies to track who reads their email.

You need to install the latest version of Flash Player to see this video. Click here to download the update.

All activity was logged using Piwik⁷, an open-source project with similar features to Google Analytics. When a person clicks on the link, the download of a file named flashplayer.exe starts. This is not Flash Player but only a self-extracting archive created by 7-Zip⁸. When this file is executed a txt file is extracted to the hard drive. In this way it is possible to track whether someone finished the "installation" after downloading.

To be able to send a unique email to each respondent, a simple bash script was used that retrieves the user information, such as email address and tracking code, from a csv file. To have full control over the email headers, and for greater understanding, telnet was used to connect to the recipients' mail server on port 25 and send SMTP commands one at a time using the program expect.

To reduce the chance of getting caught in a spam filter, [spykerman2003] and [rfc5322] were studied.
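The sending and measurement part of this procedure, as an added example in Python that is not the thesis's bash/expect script: one unique tracking token per recipient is read from a csv file and placed both in the link and in the hidden tracking image, and the hits recorded by the web analytics are attributed back to each recipient and reduced to the furthest stage reached. The host track.example, the recipient list, the access-log line format and the /done beacon sent by the "installer" (in place of the extracted txt file the thesis used) are all assumptions.

```python
"""Per-recipient tracking for an authorised phishing exercise and attribution
of the resulting hits back to recipients.

Added example, not the thesis's bash/expect script. Assumptions, all
hypothetical: recipients come from a CSV with columns alias,email; the landing
page and tracking pixel are served from track.example; the self-extracting
"installer" reports completion by fetching /done?t=<token> instead of dropping
a text file as the thesis did.
"""
import csv
import io
import secrets
import smtplib
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

LANDING = "http://track.example/video"    # assumed landing page
PIXEL = "http://track.example/open.gif"   # assumed 1x1 tracking image
STAGES = {"/open.gif": "opened", "/video": "clicked",
          "/flashplayer.exe": "downloaded", "/done": "installed"}
ORDER = ["opened", "clicked", "downloaded", "installed"]

# Constructed sample recipient list: the aliases are the thesis's pseudonyms,
# the addresses are made up.
RECIPIENTS_CSV = """alias,email
Mats,mats@foretaget.example
Lisa,lisa@foretaget.example
"""


def build_campaign(csv_text, sender="Fredrik <fredrik@example.net>"):
    """Return ({token: alias}, [EmailMessage]), one unique token per recipient.

    The token appears both in the link and in the hidden image, so opening
    the mail (image fetched) and clicking the link are logged separately."""
    tokens, messages = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        token = secrets.token_urlsafe(8)          # unguessable per-recipient id
        tokens[token] = row["alias"]
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = row["email"]
        msg["Subject"] = "Funny video"
        msg.set_content(
            f"Hello {row['alias']},\n\nI got your mail from a colleague who "
            f"thought you would like this video.\n\n{LANDING}?t={token}\n\n"
            "Regards\n/Fredrik\n")
        msg.add_alternative(
            f"<p>Hello {row['alias']},</p>"
            f'<p><a href="{LANDING}?t={token}">Watch the video</a></p>'
            f'<img src="{PIXEL}?t={token}" width="1" height="1" alt="">',
            subtype="html")
        messages.append(msg)
    return tokens, messages


def send_direct(messages, mx_host):
    """Deliver straight to the recipients' MX on port 25 (what the thesis did
    with telnet and expect). Not called here; needs network access."""
    with smtplib.SMTP(mx_host, 25) as smtp:
        for msg in messages:
            smtp.send_message(msg)


def attribute(log_lines, tokens):
    """Reduce access-log lines of the form '<timestamp> <request-path>' to the
    furthest stage each recipient reached; unknown tokens are ignored."""
    reached = {alias: None for alias in tokens.values()}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlparse(parts[1])
        stage = STAGES.get(url.path)
        token = parse_qs(url.query).get("t", [None])[0]
        if stage is None or token not in tokens:
            continue
        alias = tokens[token]
        current = reached[alias]
        if current is None or ORDER.index(stage) > ORDER.index(current):
            reached[alias] = stage
    return reached
```

Tokens are random rather than sequential so that a recipient who notices the parameter cannot guess a colleague's token and pollute the measurement; the token-to-alias map is the only link between a hit and a person and should be kept with the same care as the survey answers.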

3.3 Phishing attack 2

In this experiment an email with the subject "Important: Error in the specifications for salaries" was sent with the CEO as the sender. Since the author had gotten to know the CEO very well, using this knowledge to impersonate the CEO would have been more or less an insider attack. That type of attack is perhaps not that common towards smaller companies and is outside the scope of this project. Therefore it was decided that the author's supervisor at KTH would help in constructing the email, using only publicly available information about the CEO. On Thursday the 24th of May at 14:57:39 the following email was sent to the staff:

Hello Gustav

We have had some problems with our system because some program is missing an update. There is also a risk of sensitive information such as passwords you have used on your laptops might be stolen. Can everyone please download and install the update from the link below so that we can work without any disruptions and you don't have to lose your password.

http://www.dendritech.se/updates/critical/b/foretaget-v2-1-3.exe

Anna
CEO

The email was sent in the same way as in phishing attack 1. The CEO was told not to answer her phone and to forward all email responses to the author.

⁷ http://piwik.org/
⁸ http://www.7-zip.org/

3.4 Presentation

During and after the experiments the collected data was studied. The results were presented to the staff, followed by a group discussion about security and the upcoming implementation of information security policies. This was meant to be the starting signal for the education part, with the purpose of increasing people's understanding of the importance of following the policies. At the presentation the newly written information security policy was handed out, describing the management's intentions and ambitions. Following the presentation, some people from the staff were picked out to be interviewed for a deeper understanding of the course of events during the experiments. This was done through semi-structured interviews and was an important part of the qualitative research [holme1997; merriam1994; alvesson1994].

4 Results

4.1 Social Engineering Audits Using Anonymous Surveys

The hope was that the respondents would not realize that the survey was about information security and social engineering, but the author's role at the company as an IT consultant probably made that harder. Some saw through the con and wrote comments like "In many cases it is not a matter of being helpful but rather of exposing the company to extreme security risks".

Since Company X manages employee surveys themselves, they might have been more inclined to answer the questions carefully and truthfully.

4.1.1 Control questions

1 I like to help other people.
2 I like to discuss and challenge other people's point of view.
3 It is easy for me to follow instructions from authorities.
4 Friendly people are often trustworthy.
5 People with high self-esteem make good decisions.
6 I have great confidence in successful people.
7 I like taking risks in the hope of quick gain.
8 Computers and technology usually make me stressed out and irritated.
9 I prefer excitement to a calm and safe everyday life.
10 I consider myself relatively experienced and skilled with computers.
11 I am afraid of doing something wrong.

Table 1: Control questions.

Alias   Gender    1    2    3    4    5    6    7    8    9   10   11
Mats    M         6    6    5    5    4    4    5    4    6    6    3
Kalle   M         6    6    4    3    2    4    4    6    5    3    5
Emma    F         7    5    6    5    4    1    1    5    1    5    7
Lisa    F         6    6    2    4    3    4    4    7    5    5    3
Magnus  M         6    7    6    6    3    4    6    3    6    4    3
Maria   F         7    7    4    4    5    4    5    3    5    3    1
Eva     F         7    3    7    1    7    7    1    2    4    7    3
Helena  F         7    6    6    3    3    6    4    3    4    3    4
Linda   F         7    7    5    7    3    3    3    2    7    7    2
Karin   F         6    5    7    5    4    6    3    5    2    4    6
Lotta   F         7    5    6    6    3    4    3    4    5    6    7
MAX               7    7    7    7    7    7    6    7    7    7    7
MIN               6    3    2    1    2    1    1    2    1    3    1
AVG             6.5  5.7  5.3  4.5  3.7  4.3  3.5  4.0  4.5  4.8  4.0
STDEV           0.5  1.2  1.5  1.7  1.3  1.6  1.6  1.6  1.8  1.5  2.0

Table 2: Results from the control questions (answers on a 1 to 7 scale).

4.1.2 Scenario 1

The scenario regarding clicking a link in an email was phrased as follows (translated):

this purpose to keep you updated, preferably right away, to make sure the tender is as customer oriented as possible.

What do you do in this scenario?

1 = I completely refrain from helping. 7 = I instantly help.

Results:

Answer  Quantity  Percentage
7        7         64 %
6        1          9 %
5        1          9 %
4        1          9 %
3        1          9 %
2        0          0 %
1        0          0 %
Tot:    11        100 %

If we consider answers of 5 and up as "helpful", 82 % are prone to follow a potentially harmful link when they get the instruction from someone they believe is their client.

4.1.3 Scenario 2

The next scenario was about installing software from an unknown source (translated):

You have started a project with a client and everything is going smoothly; you expect to keep to the time plan. The client wants you to use their software in your work with them. You don't know very much about the system, since so far you have only been participating in this project at a general level, but you have been given access to the system and are aware that you will start using it in your upcoming project. At the moment you are finishing the final documentation for the past week so that you can enjoy the weekend. You get a call from someone at the client's IT department who informs you that you have been given an old version of the software that has a lot of bugs that can harm the company. He asks you nicely to download and install updates to the program while he waits.

What do you do in this scenario?

Answer  Quantity  Percentage
7        6         55 %
6        2         18 %
5        0          0 %
4        3         27 %
3        0          0 %
2        0          0 %
1        0          0 %
Tot:    11        100 %

Also in this scenario the majority say they would be helpful, in this case 73 %.

4.1.4 Scenario 3

The next scenario was about giving away the password to the wireless network and translates to:

Someone rings the doorbell and "Peter" introduces himself, saying he would like to discuss a potential cooperation with your company. He says that he is from Company Y, which many consider to be on the way up since they recently obtained a patent for a new technology, which leads to high expectations for the near future. He says he has been given the task by his boss of evaluating how well the personnel feel and how one could increase motivation in the company. You have nothing planned for the last hours of this Friday and would rather not have a client meeting this particular afternoon, but you really want an order from this exciting client, so you accept having the meeting right away. You sit down in a free office with a cup of coffee, and "Peter" starts to talk about the high employee turnover in their company and about the newly hired engineers, who seem to consider their employment a temporary job while waiting for another offer to show up; he would like to know what kind of strategy the company should use to keep the engineers. Peter takes out his laptop and wants to show some figures and more information to illustrate the problems. He has everything in a PowerPoint presentation but says he forgot to mail it to himself and asks if he could have access to the internal wireless network. You have a feeling his presentation will take longer than you expected. He hands over his laptop and wonders if you can help him log in to the network so that he can get access to his email and start his presentation of the company and its problems.

What do you do in this scenario?

Answer  Quantity  Percentage
7        4         36 %
6        2         18 %
5        0          0 %
4        1          9 %
3        0          0 %
2        2         18 %
1        2         18 %
Tot:    11        100 %

Also in this scenario the majority would give away the key.

4.1.5 Scenario 4

Scenario 4 was about giving away your login credentials to an unknown person over the phone. There should be no doubt that giving away such information is unacceptable (translated):

It is midsummer's eve and your summer holiday has just started; you are looking forward to being on vacation for 6 weeks. You have carefully made sure that your most important tasks are finished and you have informed your most important clients that you are going on vacation. You have just settled comfortably in the sun chair when the work phone rings. You curse yourself for leaving the phone on before answering. A very apologetic woman introduces herself as a newly employed technician at one of your clients. She says that she is very sorry to disturb you, but since she will be upgrading the client's backup system she needs to know where the files you have been working with are. She also wants to know which computer they are on, in which folder, and what username you have, to make sure they will be backed up in the new system. You give her this information and she thanks you and wishes you a pleasant vacation. An hour later she calls again, almost in tears. Something went wrong with your backup, she suspects, which has locked the whole system, and she is the only one still in the office during midsummer. It also seems that only your files are causing the problem. She wonders if you could come to the client's office to have a look, which you refuse. She then gets very serious and says that the client's data could be lost if the problem is not solved immediately, which she will also point out to your boss. Then she says, more calmly, that she understands your situation and wonders if you could give her your login credentials so that she can check that all client information is still there and you can continue celebrating midsummer in peace.

What do you do in this scenario?


Answer  Quantity  Percentage
7       0           0 %
6       1           9 %
5       0           0 %
4       3          27 %
3       1           0 %
2       4          36 %
1       2          18 %
Tot:    11        100 %

In this case only 1 person would help almost immediately. However, it is worth mentioning that 3 persons answered with a 4 to this scenario, which could mean they would give away their password if they were a little more convinced.

4.1.6 Scenario 5

The last scenario is about receiving a USB stick in the mail with a request to install the software loaded on it.

You are working hard on a project and are having a hard time getting everything done on time. It is not a big client, but the project has encountered a few problems that have prolonged it. In the mail you get an envelope from a potential major customer regarding an upcoming procurement. In the envelope is a USB stick and instructions on how to install the software to be used to produce the procurement. You realize this might take some time and perhaps you need to work overtime to get everything done, including the other client’s project. What do you do in this scenario?

1 = I completely refrain from helping. 7 = I instantly help. Results:

Answer  Quantity  Percentage
7       1           9 %
6       3          27 %
5       4          36 %
4       1           9 %
3       1           9 %
2       0           0 %
1       1           9 %
Tot:    11        100 %


alias    link  inst.  wifi  psw  device
Linda    7     7      7     6    6
Mats     7     7      7     4    7
Lisa     7     7      7     4    5
Eva      7     7      7     2    5
Kalle    5     6      6     2    6
Karin    6     7      6     3    5
Lotta    7     4      2     4    6
Magnus   3     6      2     2    5
Emma     7     7      1     2    3
Helena   7     4      4     1    1
Maria    4     4      1     1    4

Table 3: Each individual’s answers to the scenarios.

4.1.7 Answers by each individual

To be able to analyze each individual’s answers, everyone has been given a pseudonym that will be used to refer to them from here forward. Their answers are presented in Table 3.

By remapping the scores, setting every answer of 4 or less to 0, 5 to 1, 6 to 2 and 7 to 3, a total ”vulnerability score” can be calculated that gives a hint of how easily each person would fall victim to social engineering. The result of this summation yields:

alias    tot
Linda    13
Mats     12
Lisa     10
Eva      10
Karin     8
Kalle     7
Emma      6
Lotta     5
Magnus    3
Helena    3
Maria     0
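The remapping and summation above, as an added example that is not the thesis author's code: it applies the thesis's mapping (4 or less counts 0, 5 counts 1, 6 counts 2, 7 counts 3) to the answers in Table 3 and reproduces the ranking, and it goes a little beyond the text by also reproducing the per-scenario quantity/percentage tables and the per-scenario worst and average answer that an auditor reports when the weakest link is picked out per scenario. The answers are copied from Table 3; for the three rows whose alias is separated from its numbers in this copy of the table, the assignment used here is the one that reproduces the published totals. The scenario names and the function names are this example's own.

```python
"""Vulnerability score and per-scenario summaries from the scenario survey.

Added example, not the thesis author's code. Answers are copied from Table 3
(scale 1 = I completely refrain from helping, 7 = I instantly help). The
scenarios are in the order the thesis presents them: link, installation,
wifi, password, device.
"""
from typing import Dict, List, Tuple

SCENARIOS = ["link", "installation", "wifi", "password", "device"]

# Answers from Table 3; row-to-alias assignment for Kalle, Lotta and Magnus
# is the one that reproduces the totals published in the thesis.
ANSWERS: Dict[str, List[int]] = {
    "Linda":  [7, 7, 7, 6, 6],
    "Mats":   [7, 7, 7, 4, 7],
    "Lisa":   [7, 7, 7, 4, 5],
    "Eva":    [7, 7, 7, 2, 5],
    "Kalle":  [5, 6, 6, 2, 6],
    "Karin":  [6, 7, 6, 3, 5],
    "Lotta":  [7, 4, 2, 4, 6],
    "Magnus": [3, 6, 2, 2, 5],
    "Emma":   [7, 7, 1, 2, 3],
    "Helena": [7, 4, 4, 1, 1],
    "Maria":  [4, 4, 1, 1, 4],
}


def remap(answer: int) -> int:
    """Thesis remapping: 4 or less -> 0, 5 -> 1, 6 -> 2, 7 -> 3."""
    if not 1 <= answer <= 7:
        raise ValueError(f"answer outside the 1-7 scale: {answer}")
    return max(0, answer - 4)


def vulnerability_scores(answers: Dict[str, List[int]]) -> Dict[str, int]:
    """Sum of remapped answers per respondent; higher means more easily talked into helping."""
    return {alias: sum(remap(a) for a in row) for alias, row in answers.items()}


def ranked(answers: Dict[str, List[int]]) -> List[Tuple[str, int]]:
    """Respondents ordered from most to least vulnerable (stable for ties)."""
    return sorted(vulnerability_scores(answers).items(), key=lambda kv: -kv[1])


def distribution(answers: Dict[str, List[int]], scenario: str) -> Dict[int, Tuple[int, int]]:
    """(count, rounded percentage) for each answer value 7..1, like the per-scenario tables."""
    col = [row[SCENARIOS.index(scenario)] for row in answers.values()]
    return {v: (col.count(v), round(100 * col.count(v) / len(col))) for v in range(7, 0, -1)}


def scenario_summary(answers: Dict[str, List[int]]) -> Dict[str, Dict[str, float]]:
    """Worst (max) and average raw answer per scenario: the 'weakest link' view."""
    out: Dict[str, Dict[str, float]] = {}
    for i, name in enumerate(SCENARIOS):
        col = [row[i] for row in answers.values()]
        out[name] = {"max": max(col), "avg": round(sum(col) / len(col), 2)}
    return out


if __name__ == "__main__":
    for alias, score in ranked(ANSWERS):
        print(f"{alias:8s} {score:2d}")
    for name, s in scenario_summary(ANSWERS).items():
        print(f"{name:13s} max {s['max']}  avg {s['avg']}")
```

Because the mapping collapses every answer of 4 or below to 0, a respondent who answers 4 everywhere scores the same as one who refuses outright; the per-scenario distribution keeps that difference visible, which is why both views are worth reporting.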


client’s domain. For this to be a scam, it needs a lot of information gathering and timing and is probably unlikely to happen in a small company. There are probably easier ways to perform a targeted attack like that.

In a similar fashion Question 2 could also be interpreted that it is known that the person is actually from the client’s IT department. We can only speculate how they perceive the question and read between the lines. To make the question more accurate it should at least say ”someone who claims to be from the client’s IT department”, but that would probably make it too obvious that something is not right.

Emma was the one who wrote: ”In many cases it is not a matter of helping, but rather putting the company at extreme risks.” After interviewing her it became obvious that she is a careful and systematic person with adequate security awareness.

Maria wrote (translated): ”Tricky questions. I got a feeling that what was really surveyed is how suspicious or naive/simple-minded you are towards possible IT threats. At the same time there was another dimension to the question, regarding the customer service perspective. I would like more adapted answering alternatives since some of them were somewhat blunt. Therefore I answered 4 on many questions because I would like to make sure the person on the phone is legitimate [. . . ]”

4.2 Phishing attack 1

The email was sent out to all employees on Wednesday the 9th of May at 09:57:18 in the morning. At 09:57:54, Mats clicked the link but did not download anything. At 10:08, Maria read the email on her iPhone, which by default has the setting to automatically load images from external sources enabled. Since the images are tagged with their unique id, it is possible to track this activity. At 11:37, Lisa also read the email on her iPhone.


09:57:18 Email was sent.
09:57:54 Mats clicked the link but did not download.
10:08:19 Maria opens the email on her iPhone.
11:36:38 Lisa opens the email on her iPhone.
13:06:51 Emma opens the email on her iPhone.
13:07:46 Emma clicks the link and downloads the file.
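A timeline like the one above comes from the web server that served the tagged images and links: each recipient's image and link carry a unique id, so the access log can be attributed to a pseudonym. The following is an added example, not the thesis author's tooling, showing how such a log is turned into the per-recipient timeline and a "furthest stage reached" summary for the audit report. The log lines, the per-recipient tokens, the URL layout (/img/<token>.gif for the tracking image, /go/<token> for the link, /file/<token> for the download) and the token-to-pseudonym mapping are all constructed for the example.

```python
"""Reconstruct a phishing-simulation timeline from a web-server access log.

Added example, not the thesis author's code. Assumes the simulation served one
tracking image and one link per recipient, each tagged with a per-recipient
token, so that plain Common Log Format lines can be attributed to a pseudonym.
Tokens, URL layout and log lines below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed token -> pseudonym mapping (the thesis does not publish its ids).
TOKENS: Dict[str, str] = {
    "a1f3": "Mats",
    "b7c9": "Maria",
    "c2d8": "Lisa",
    "d4e1": "Emma",
    "e5f2": "Helena",   # receives the mail but never touches it in this sample
}

# Assumed URL layout: which path prefix records which stage of the simulation.
STAGE = {"img": "opened", "go": "clicked", "file": "downloaded"}
ORDER = ["no activity", "opened", "clicked", "downloaded"]
ACTION = {"opened": "opened the email", "clicked": "clicked the link",
          "downloaded": "downloaded the file"}

# Constructed send time, matching the thesis's first attack.
SENT_AT = datetime(2012, 5, 9, 9, 57, 18)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PATH_RE = re.compile(r"^/(img|go|file)/([0-9a-f]{4})(?:\.gif)?$")

# Constructed access-log lines (Common Log Format with referrer and user agent).
SAMPLE_LOG = """\
10.0.0.11 - - [09/May/2012:09:57:54 +0200] "GET /go/a1f3 HTTP/1.1" 200 1880 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
10.0.0.12 - - [09/May/2012:10:08:19 +0200] "GET /img/b7c9.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
10.0.0.13 - - [09/May/2012:11:36:38 +0200] "GET /img/c2d8.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
10.0.0.14 - - [09/May/2012:13:06:51 +0200] "GET /img/d4e1.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X)"
10.0.0.15 - - [09/May/2012:13:07:46 +0200] "GET /go/d4e1 HTTP/1.1" 200 1880 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
10.0.0.15 - - [09/May/2012:13:07:49 +0200] "GET /file/d4e1 HTTP/1.1" 200 204800 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
10.0.0.99 - - [09/May/2012:13:30:00 +0200] "GET /go/ffff HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; scanner)"
"""


@dataclass(frozen=True)
class Event:
    when: datetime
    who: str
    stage: str      # "opened", "clicked" or "downloaded"
    mobile: bool    # image fetched by a mobile mail client: weaker evidence of a deliberate open


def parse_log(text: str) -> List[Event]:
    """Keep only served (200) requests for tagged resources of known recipients, in time order."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue                      # malformed line, or the request was not served
        pm = PATH_RE.match(m["path"])
        if not pm:
            continue                      # not one of the simulation's tagged resources
        kind, token = pm.groups()
        who = TOKENS.get(token)
        if who is None:
            continue                      # unknown token: scanner or mistyped URL, not a recipient
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append(Event(when, who, STAGE[kind], kind == "img" and "iPhone" in m["ua"]))
    events.sort(key=lambda e: e.when)
    return events


def furthest_stage(events: List[Event]) -> Dict[str, str]:
    """Furthest stage each recipient reached; recipients with no event get 'no activity'."""
    stage = {name: "no activity" for name in TOKENS.values()}
    for e in events:
        if ORDER.index(e.stage) > ORDER.index(stage[e.who]):
            stage[e.who] = e.stage
    return stage


def render_timeline(sent_at: datetime, events: List[Event]) -> List[str]:
    """Human-readable lines in the style of the thesis's event tables."""
    lines = [f"{sent_at:%H:%M:%S} Email was sent."]
    for e in events:
        note = " (image auto-loaded by a mobile mail client?)" if e.mobile else ""
        lines.append(f"{e.when:%H:%M:%S} {e.who} {ACTION[e.stage]}.{note}")
    return lines


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("\n".join(render_timeline(SENT_AT, evs)))
    for who, st in furthest_stage(evs).items():
        print(f"{who:8s} {st}")
```

An image fetch from a mail client that loads remote images by default, as the thesis notes for the iPhone, is weaker evidence of a deliberate open than a link click, so the summary keys on the furthest stage reached rather than on the first event, and the report flags such opens separately.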

With Emma and Magnus back at the office the discussion starts once more. They ask if anyone else got that email from Fredrik. After discussing with each other for a while they are all certain the spam was sent by the author and there is no point in denying it anymore. They laugh for a while and no one seems upset.

4.3 Phishing attack 2

The email was sent in the same way as before. The CEO was told not to answer her phone and to forward all email responses to the author.

At 14:58:42 Mats is once again the first one to click the link. Since the link points directly to the exe, a download starts and the browser asks what you want to do with the file, open or save. This time too, it is only a self-extracting archive.

At 14:59:04 Lisa clicks the link. After that, no more clicking.

At 15:03 Lotta calls the author and leaves a message on his voicemail. She says that everyone has gotten a strange email and wonders if the author is playing around again.

At 15:13 the author calls back, telling them it was only a test. It is then explained that they tried to reach the CEO without any luck and after that called the author. Before Lotta reacted, Lisa had already started the ”installation” and was desperately trying to ”cancel” after hearing others yelling. Since they are seated in an open office landscape, all those who had not yet clicked the link were hindered from continuing. This makes it impossible to know how they would have reacted in another situation. The table below summarizes the course of events:

14:57:39 Email was sent.
14:58:42 Mats once again is the first to click the link.
14:59:04 Lisa clicks the link.
15:03:00 Lotta calls to report something fishy is going on.


Note that Helena and Maria were those with the ”best” results in the survey but were both fooled by the spoofed email from the CEO. Maria did however ask for verification when presented with a warning from Internet Explorer. Emma was on vacation when this experiment took place. When she got back to the office, still unaware of the test, she was going through her email from the week she was absent. Being alone, early in the morning, she stopped at the spoofed email and thought she needed to ask someone if it was really from the CEO, since it was not written in the way you would expect the CEO to write.

4.4 Interviews

After the tests and the debriefing, the personnel were interviewed. Most of them were interviewed in a semi-structured way for 15-30 minutes. Some of them only answered a few ad-hoc questions during the course of the day. Everybody thought that, overall, the tests were good and important. Since the interviews did not follow a script, those interviewed answered different questions. Here are some thoughts that should be brought to light:

• One thought the survey had too much text.
• One thought the questions should be more adapted to the organization.
• One thought it would be better if a client was pretended to be the issuer of the survey.
• Two of them thought there should be more real attacks in the future.
• Five of them want more policies and regulations.
• Five of them realized the survey was about security.
• One did not realize the survey was about security.
• Three of them had ideas on how to increase the information security in the organization.
• Two said there needs to be more discussion on WHY to protect WHAT.
• Two people thought they would be more vulnerable to physical SE attacks.
• Two said that stress was the reason they fell for the phishing attacks.

The numbers given above specify how many explicitly expressed each matter; not everyone was asked the same questions. It was very valuable to sit and listen to each person and interesting to hear their thoughts on information security.

5 Analysis and Discussion


receive the email first as well. The others received their emails in intervals of 5 seconds following him.

Emma and Maria wrote comments to the survey about the security aspect and scored among the best. Although Emma was persuaded by Magnus to click the link in the first phishing attack she did show some resistance and waited for validation of the legitimacy of the second email. Also Maria showed some caution by asking the CEO for verification before installing. Perhaps the survey could be used to distinguish people who are more resilient to social engineering rather than those who are vulnerable, by reading their comments at the end. It is a very difficult task to analyze the results from the survey. Most people ask themselves why a certain question in a survey is asked, and depending on how you interpret the question the answer could be the direct opposite making the answers very scattered. Another dilemma to consider is that some people might read between the lines, drawing the conclusion that the counterpart in the scenarios has been correctly identified to be legitimate.

According to [barrett2003] a penetration test used by the UK’s Communications and Electronics Security Group needs to be reliable, repeatable and reportable. Since the survey does not produce results that are accurate and since it is not reproducible, the survey might not be a good measurement tool. However, since this method is much cheaper and more ethical to conduct, the lower accuracy might be acceptable. Also, it was clear that the experiments, together with the following discussion, increased user awareness in the organization. When presenting the results to the employees they were shocked to see their results compiled. The worst score from each scenario, given by an employee, was picked out, since the chain is not stronger than the weakest link. Plotting the result in a radar chart, it is very clear that their compiled result is not good.

[Figure: radar chart of the worst (max) and average (avg) answer per scenario (link, installation, wifi, password, device) on the 1 to 7 scale.]


really fool them into being ”helpful”. During the presentation and interviews everyone showed commitment and had a positive approach to the upcoming work. Some of them also had relevant suggestions on how to strengthen the information security in the organization.

5.1 The importance of security policies

One problem is to know what exactly you are testing. If there are no rules or policies in place, the staff has to guess what is right and wrong. Perhaps it is not obvious that protecting the wireless network is important. Policies are important and there should at least be a policy for:

• Passwords
• Wireless networks
• External media
• Transferring sensitive information
• Installation of applications
• BYOD
• Social Engineering

Having a well defined policy for social engineering also removes the responsibility of employees to make judgment calls regarding a hacker’s requests [granger2001a]. Despite all the policies mentioned in [iso27001] and [iso27002], the term ”social engineering” is never mentioned. They do however require an adequate level of awareness, education, and training in security procedures, but that is not clear enough. Social Engineering should be one of the controls in [iso27002] or have its own layer on top of the security controls.

As well as end-user policies an adequate technical defense is of course essential and needs to be managed by people with good understanding of their functions and purpose.

All people can be victims of social engineering. The human has weaknesses that can be exploited, and the only way to mitigate the risk is to be aware of the risks and have a healthy dose of paranoia. There is an obvious need for security awareness training for every employee. Gragg talks about a multi-level defense against social engineering [gragg2003] and lists 5 levels of defense to reduce the risk that a social engineering attack succeeds:

• Security Policy addressing social engineering
• Security Awareness Training for all users
• Resistance Training for Key Personnel
• Ongoing Reminders
• Social Engineering Land Mines (SELM)


SELM means that you could set up traps to prevent an attack. If someone calls asking for information, you have a company policy to kindly ask if you can call back or if the person can please hold for a while, giving you time to discuss with a colleague; an attacker will most likely hang up to avoid being caught.

When auditing people’s susceptibility to social engineering it might be more interesting to audit policy compliance instead of human qualities. Mikael Simovits says to IDG: ”The only thing you can test regarding protection against social engineering is whether people follow routines or not.” [idg2012]

Another very important question that people often forget is: ”What are we protecting?”. It is crucial to understand what the organization has to protect and why. Many companies are storing too much data, creating a problem they cannot handle, since it increases the bad guys’ interest in breaking in. Some cloud services do not realize that their large amount of information creates a much bigger risk.

Equally important as the user awareness in the company, the people working with IT and security need to have a good understanding of how the employees are using their computers and the information system to perform their work. Often the security people put policies in place without understanding that no one will accept and follow them. This was shown in a survey performed by Manpower Sweden, where 43 % of the 6362 respondents said they do not follow the IT policy at their workplace, mostly because it is too out-of-date or they do not know what is in it. 26 % answered that they would not be able to perform their work if they followed the policy. [manpower2012]

The employees need constant reminders about the importance of following the rules so that the company’s information assets are protected. Simultaneously, those making the rules need to be responsive to the employees’ feedback. The work never ends. As Microsoft puts it: ”security is a journey, not a destination - it isn’t a problem that can be solved once and for all” [10immutablelaws].

5.2 Future work

The survey approach as a social engineering tool is probably much more effective in a company with very clear rules on, for example, password management. If the rule says you do not share your password with anyone, every answer except ”I completely refrain from helping” would be wrong. With that in mind it would make more sense to use this tool in a company with clear rules and policies. The scenarios could be more adapted to the organization and said to be from a client. With well thought out, reasonable scenarios, those who do not get fooled will at least be reminded of the issue by reading examples of possible social engineering attacks. It would therefore be of interest to try the survey experiment in a larger company with security policies in place, to measure the policy compliance and/or the effect of the survey on policy compliance.


6 Conclusions

Both the ”soft” penetration test and the phishing attacks showed that the organization was vulnerable to social engineering. It was however impossible to tell if some people are more vulnerable than others.

It is very difficult to measure people’s likelihood of falling for social engineering, and it is very challenging to try to understand the complex nature of the human factor in an information system. There is however a need to find good methods for auditing the role of the human factor in information security. It is probably a good idea to have policies and procedures in place before making an assessment. If people are not taught what not to do, there are no wrong answers to the scenarios in the penetration tests.

The penetration tests led to increased security awareness and are a good introduction to the information security management process. The results from the tests will show how vulnerable the organization is and will help to make everyone committed to the task at hand.

Social engineering is a fast growing problem in information security, since people are usually not aware of anything else than the usual spam in their mailbox. It does not matter how expensive a firewall you have if a bad guy can get to the person behind it with access to the information he wants. A lot has recently been written in the media about information leaks and incidents caused by bad routines and a lack of awareness of social engineering.

Companies need to start taking this seriously and find ways to incorporate this in their policies and training. Gragg has some great ideas on how to protect oneself through multiple levels of defense with policies and training as the foundation. Since people will most likely always be the weakest link, it is of great importance to have good access control to mitigate the damage caused by an incident.

It is not a surprise that people fall for social engineering. Our whole civilization is built upon trust and nothing in society would work without trust. But, as Bruce Schneier puts it: ”Our global society has become so large and complex that our traditional trust mechanisms no longer work.”[schneier2012]


References

[10immutablelaws] Microsoft. 10 Immutable Laws of Security. url: http://technet.microsoft.com/library/cc722487.aspx (visited on 03/20/2012).

[alvesson1994] Mats Alvesson and Kaj Sköldberg. Tolkning och reflektion : vetenskapsfilosofi och kvalitativ metod. Lund: Studentlitteratur, 1994. isbn: 9144381611 9789144381619.

[apwg2012] Anti-Phishing Working Group (APWG). Phishing Activity Trends Report 1st Quarter 2012. July 2012. url: http://www.antiphishing.org/reports/apwg_trends_report_q1_2012.pdf (visited on 08/15/2012).

[archimate2011] Institute of Educational Cybernetics at the University of Bolton. Archi: Archimate Modelling. May 2011. url: http://archi.cetis.ac.uk/ (visited on 05/17/2011).

[bagget2008] Mark Bagget. Effectiveness of Antivirus in Detecting Metasploit Payloads. Mar. 2008. url: www.sans.org/reading_room/whitepapers/casestudies/effectiveness-antivirus-detecting-metasploit-payloads_2134.

[barrett2003] Neil Barrett. “Penetration testing and social engineering”. In: Information Security Technical Report 8.4 (Apr. 2003), pp. 56–64. issn: 13634127. doi: 10.1016/S1363-4127(03)00007-4. url: http://linkinghub.elsevier.com/retrieve/pii/S1363412703000074 (visited on 10/14/2012).

[berg2003] Sara Berg. Social Engineering: You CAN Always Get What You Want. Feb. 2003. url: http://www.sparsa.org/res/research/SEngineer.pdf.

[cialdini2009] Robert B Cialdini. Influence : science and practice. Harlow; London: Pearson Education, 2009. isbn: 9780205609994 0205609996 9780205663781 0205663788.

[dhanjani2009] Nitesh Dhanjani, Billy Rios, and Brett Hardin. Hacking the next generation. Sebastopol (CA): O’Reilly, 2009. isbn: 9780596154578 0596154577.

[dimkov2009] T. Dimkov, W. Pieters, and P. H. Hartel. Two methodologies for physical penetration testing using social engineering. Technical Report TR-CTIT-09-48. Enschede: Centre for Telematics and Information Technology, University of Twente, Dec. 2009.

[finn2007] Peter Finn and Markus Jakobsson. “Designing and Conducting Phishing Experiments”. In: IEEE Technology and Society Magazine, Special Issue on Usability and Security. IEEE, 2007. url: http://markus-jakobsson.com/papers/jakobsson-ieeets07.pdf.

[gragg2003] D. Gragg. “A multi-level defense against social engineering”. In: SANS Reading Room, March 13 (2003).

... social-engineering-fundamentals-part-i-hacker-tactics (visited on 10/14/2012).

[granger2001b] Sarah Granger. Social Engineering Fundamentals, Part II: Combat Strategies — Symantec Connect Community. Dec. 2001. url: http://www.symantec.com/connect/articles/social-engineering-fundamentals-part-ii-combat-strategies (visited on 10/14/2012).

[hasle2005] Hågen Hasle et al. “Measuring resistance to social engineering”. In: Proceedings of the First international conference on Information Security Practice and Experience. ISPEC’05. Singapore: Springer-Verlag, 2005, pp. 132–143. isbn: 3-540-25584-2, 978-3-540-25584-0. doi: 10.1007/978-3-540-31979-5_12. url: http://dx.doi.org/10.1007/978-3-540-31979-5_12.

[holme1997] Idar Magne Holme and Bernt Krohn Solvang. Forskningsmetodik : om kvalitativa och kvantitativa metoder. [Lund]: Studentlitteratur, 1997. isbn: 9144002114 9789144002118.

[idg2012] Så hackas du utan teknik - IDG.se. Apr. 2012. url: https://www.idg.se/2.1085/1.440154/sa-hackas-du-utan-teknik (visited on 04/02/2012).

[iso27001] ISO/IEC. ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements. Oct. 2005.

[iso27002] ISO/IEC. ISO/IEC 27002:2005 - Information technology - Security techniques - Code of practice for information security management. Oct. 2005.

[jagatic2007] Tom N. Jagatic et al. “Social phishing”. In: Commun. ACM 50.10 (Oct. 2007), 94–100. issn: 0001-0782. doi: 10.1145/1290958.1290968. url: http://doi.acm.org/10.1145/1290958.1290968 (visited on 12/04/2012).

[lankhorst2005] Marc Lankhorst. Enterprise architecture at work : modelling, communication and analysis. Berlin: Springer, 2005. isbn: 9783540243717.

[mann2008] Ian Mann. Hacking the human social engineering techniques and security countermeasures. English. 2008. (Visited on 10/15/2012).

[manpower2012] Manpower Work Life. Fyra av tio bryter mot IT-policyn på jobbet. Oct. 2012. url: http://www.manpower.se/mpnet3/Content.asp?NodeID=59589&ref=SWEDEN_NORDIC.

[merriam1994] Sharan B Merriam. Fallstudien som forskningsmetod. Lund: Studentlitteratur, 1994. isbn: 9144390718 9789144390710.

[mitnick2002] Kevin D Mitnick and William L Simon. The art of deception : controlling the human element of security. Indianapolis, Ind.: Wiley Pub., 2002. isbn: 0471237124 9780471237129 076454280X 9780764542800.

... University, Department of Computer and Systems Sciences, 2005.

[nohlberg2008] Marcus Nohlberg and Institutionen för data- och systemvetenskap (Stockholm). “Securing information assets : understanding, measuring and protecting against social engineering attacks”. PhD thesis. Kista: Department of Computer and Systems Sciences (together with KTH), Stockholm University, 2008. isbn: 978-91-7155-786-5.

[orgill2004] Gregory L. Orgill et al. “The urgency for effective user privacy-education to counter social engineering attacks on secure computer systems”. In: ACM Press, 2004, p. 177. isbn: 1581139365. doi: 10.1145/1029533.1029577. url: http://portal.acm.org/citation.cfm?doid=1029533.1029577 (visited on 03/13/2012).

[pattinson2012] Malcolm Pattinson et al. “Why do some people manage phishing e-mails better than others?” In: Information Management & Computer Security 20.1 (2012), pp. 18–28. issn: 0968-5227. doi: 10.1108/09685221211219173.

[ponemon2012] Ponemon Institute and Trend Micro. The Human Factor in Data Protection. Jan. 2012. url: http://www.ihrim.org/Pubonline/Wire/April12/rpt_trend-micro_ponemon-survey-2012.pdf.

[randi2012] James Randi. Why Magicians Are a Scientist’s Best Friend - Wired Science - Wired.com. Mar. 2012. url: http://www.wired.com/wiredscience/2012/03/opinion-randi-magic-scientists/ (visited on 04/06/2012).

[redteaming2010] United Kingdom Ministry of Defence - The Development, Concepts and Doctrine Centre (DCDC). A Guide To Red Teaming. May 2010. url: http://www.mod.uk/NR/rdonlyres/B0558FA0-6AA7-4226-A24C-2B7F3CCA9A7B/0/RedTeamingGuiderevised12Feb10Webversion.pdf (visited on 08/14/2012).

[rfc5322] IETF. RFC 5322 - Internet Message Format. url: https://tools.ietf.org/html/rfc5322.

[rossling2009] G. Rossling and M. Muller. “Social engineering: a serious underestimated problem”. In: SIGCSE bulletin 41.3 (2009), p. 384. url: http://atlas.tk.informatik.tu-darmstadt.de/Publications/2009/p384.pdf (visited on 09/25/2012).

[scheeres2008] Jamison W. Scheeres. Establishing the human firewall: reducing an individual’s vulnerability to social engineering. Air Force Institute of Technology, 2008.

[schneier2008] Bruce Schneier. Schneier on Security: The Security Mindset. url: http://www.schneier.com/blog/archives/2008/03/the_security_mi_1.html (visited on 04/06/2012).

[schneier2012] Bruce Schneier. Liars and outliers : enabling the trust that

[SET] David Kennedy. The Social-Engineer Toolkit (SET). url: https://www.trustedsec.com/downloads/social-engineer-toolkit/ (visited on 09/25/2012).

[spears2010] Janine L. Spears and Henri Barki. “User participation in information systems security risk management”. In: MIS Q. 34.3 (Sept. 2010), pp. 503–522. issn: 0276-7783. url: http://dl.acm.org/citation.cfm?id=2017470.2017476.

[spykerman2003] Mike Spykerman. Typical spam characteristics - How to effectively block spam and junk mail. 2003. url: http://www.policypatrol.com/spam-filter-article.htm.

[symantec2012] Symantec. Internet Security Threat Report, Vol. 17 Main Report. Apr. 2012. url: http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_2011_21239364.en-us.pdf.

[thornburgh2004] Tim Thornburgh. “Social engineering: the ”Dark Art””. In: Proceedings of the 1st annual conference on Information security curriculum development. InfoSecCD ’04. New York, NY, USA: ACM, 2004, 133–135. isbn: 1-59593-048-5. doi: 10.1145/1059524.1059554. url: http://doi.acm.org/10.1145/1059524.1059554 (visited on 12/04/2012).

[tims2001] R. Tims. “Social Engineering: Policies and education a must”. In: SANS Institute, February 16 (2001).

[verizon2012] Verizon. 2012 Data Breach Investigations Report. Mar. 2012. url: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.

[websense2012] Websense Security Labs. Websense 2012 Threat Report. Apr. 2012. url: https://www.websense.com/assets/reports/report-2012-threat-report-en.pdf.

[wiles2011] Jack Wiles and Jennifer Jabbusch. Low Tech Hacking Street Smarts for Security Professionals. Syngress Media Inc, 2011. isbn: 9781597496650 1597496650.
