Kingston City Council in Victoria recently conducted a social engineering experiment to see how its staff would react to a stranger trying to gain access to the server room; the exercise revealed, and helped fix, serious flaws in staff awareness.
Analyst firm Gartner defines social engineering as "the manipulation of people, rather than machines, to successfully breach the security systems of an enterprise or a consumer". This could mean persuading a user to click on a link or open an attachment or, in the case of Kingston Council's experiment, allowing a stranger into their server room.
Speaking at a security lunch hosted by Patchlink on Tuesday, Duncan Kelly, Kingston City Council's manager of information systems, revealed that although the council had spent a considerable amount of time and money improving its patching infrastructure, it wanted to test the strength of its "human firewall".
"We hired somebody to wear a suit, walk into the building and see how far they could get. [Employees] knew I and my network administrator were not in the building," said Kelly.
The Council's building has swipe card access on its doors and the server room is on the first floor, so in order to get there, the intruder needed to win the confidence of at least a few staff members.
According to Kelly, the intruder passed the first hurdle by simply saying he was a new member of staff on the IT helpdesk. It didn't take too long for the intruder to find the server room.
When the intruder got to the server room, he said he was sent by Duncan to service the Uninterruptible Power Supply (UPS).
IT staff sitting by the server room responded with "if Duncan sent you, no problem at all," and let the stranger into their server room.
"To get my name, anybody can ring the customer services. He could have walked into our server room and turned everything off -- or taken an axe to it. He wasn't hacking, he was walking. We have a very trusting group of people," said Kelly.
The experiment exposed some very serious flaws in the Council's security practices and caused a few red faces, but ultimately it helped increase awareness of social engineering tactics and educated users, Kelly said.
Kelly claims that following the test, people are now "hot to trot about who walks into our building".
As proof, he shared an example where he got a phone call from one of his staff who was inside the server room. The staff member said, "Duncan, there is somebody at the door". "Who is it?" asked Duncan. The response came back, "I don't know, but I am not going to let them in!"
"It shows people have learned. We all make mistakes and nobody got chastised or berated," added Kelly.
Last year, infamous hacker Kevin Mitnick told ZDNet Australia that there was no point spending millions of dollars on the latest hardware and software to protect corporate networks if it was relatively simple for an attacker to manipulate staff in order to bypass technical defences.
"As the attacker, I am going to look for the weakest point where I can gain access. A security program is made up of people, processes and technology. Your company could be strong in one area, such as technology, but its people may not be trained up to recognise where the bad guys are going to strike. The attackers are going to look for the easiest way in," said Mitnick.
Two years ago, Gartner described social engineering as "more of a problem than hacking".
At the time, Rich Mogull, research director for information security and risk at Gartner, said: "People, by nature, are unpredictable and susceptible to manipulation and persuasion. Studies show that humans have certain behavioural tendencies that can be exploited with careful manipulation.
"Many of the most damaging security penetrations are, and will continue to be, due to social engineering, not electronic hacking or cracking," said Mogull.