TechRepublic : A ZDNet Tech Community

Protect your organization against pretexters with help from Sun Tzu and The Art of War

Tags: Calvin Sun, pretexting, Sun Tzu


Takeaway: You may have the most bulletproof security systems in place, but a gullible (or even not-so-gullible) employee might be fooled into giving an attacker information that could compromise your company's data or other assets. Find out how to defend against this 'pretexting' by applying rules based on the age-old principles of The Art of War.


By Calvin Sun

In 1978, Security Pacific Bank in California lost $10 million to a computer consultant who, posing as a bank officer, talked the bank's wire-transfer room into wiring the money to a Swiss bank account. More recently (2006), Hewlett-Packard gained nationwide notoriety for its attempts to uncover leaks from its board of directors to major newspapers. The company engaged private investigators, who approached the telephone company pretending to be various members of the board. They requested, and in many cases received, the confidential telephone records of the members they were impersonating.

These incidents have something in common. They all illustrate the loss of property to an attacker who used neither a gun nor a computer. In each instance, the loss occurred because someone was deceived, someone failed to follow a procedure, or someone ignored a safeguard. The act by which an attacker convinces a person in a company to give up confidential information or take an action that compromises company security is known as "pretexting," or "social engineering." Consultant Kevin Mitnick, a former computer criminal who now advises companies on protecting themselves in this area, defines it as "getting people to do things they wouldn't ordinarily do for a stranger."

Pretexting poses a major problem for companies today. The loss of data can not only hurt a company competitively, but it can also expose the company to legal liability and cause huge negative publicity. Unfortunately, advanced hardware and software security systems can still be defeated, even unintentionally, by the humans within the company.

This issue illustrates the dilemma that companies and their employees must deal with when faced with a request from someone unknown, who could be either a legitimate person or a pretexter. In the interest of "customer service" or "being nice," they might comply with every request--but in doing so, they run the risk of enabling an attacker to steal valuable assets.

The good news is that through awareness and training, employees in a company can become more resistant to pretexting attacks.

Lessons from The Art of War

Some 2,500 years ago, the Chinese military strategist Sun Tzu wrote his classic work The Art of War. Despite its age, the book is still read by officers of the U.S. Marine Corps and students at the U.S. Naval Academy, and it has real relevance to resisting and defeating pretexting attacks. Among his many principles, Sun Tzu expressed three that bear particularly on this topic:

  • All warfare is based on deception.
  • If you know the enemy and know yourself, you need not fear the result of a hundred battles.
  • We impose our will on the enemy, but do not allow the enemy to impose his will on us.

Let's examine these principles more closely and develop some practical rules based on each one.

All warfare is based on deception

Things may not be what they appear to be. Unfortunately, the desire to be helpful and trusting leads people to give out information to those they don't really know. Just because someone says he or she is from the same company doesn't necessarily make it so.

Rule 1: Don't trust caller ID

"Well it's easy to tell where the caller is from," you say. "All I have to do is check my caller ID screen. If they say they're from the company, but the phone number is different, it's a dead giveaway."

Don't be so sure. Caller ID is a display field set by the originating side of the call, and the telephone network does not authenticate it. Numerous calling-card and VoIP services, available on the Internet, let a caller specify the number that appears on your screen. For example, someone calling from a telephone in Los Angeles (area code 213) can specify a display number in Washington, D.C. (area code 202). With such a service, a caller can make it look as though he's calling from another office of your company when he isn't. Treat a matching caller ID as, at most, a weak hint, never as proof of identity.

Rule 2: Don't rely on what an untrusted source says or implies

In his book The Art of Deception, Mitnick tells how a security guard at a manufacturing plant encountered two young men on the premises late at night. Though neither of them had company identification, they did give the guard the name of their supervisor. After all three returned to the security office, the guard called the supervisor and asked her about the two young men. The supervisor asked to speak to one of the men, and the guard gave him the telephone. After speaking with the supervisor and apologizing for bothering her, he explained his reasons for being at the plant, listened for a few moments, said good-bye, and hung up.

The men then asked if they could continue their visit and whether the guard wanted to accompany them. The guard told them they could leave but next time to bring their badges and to let the security department know if they would be visiting after hours.

About 10 minutes later, the supervisor called back. She was surprised and confused by the man she had been talking to, who didn't listen to her but merely continued speaking. The security guard immediately put out an alarm, but by that time the two men already had left.

What happened? The two men were impostors. Neither of them really knew the supervisor. Because the security guard could hear only the young man and not the supervisor, he had no idea that the supervisor was perplexed and confused during the call, and that the young man was totally ignoring the supervisor's questions. By talking the way he did, the young man deceived the guard.

The guard could have handled the situation better in these ways:

  • He could have kept control of the telephone and simply relayed information from the young man to the supervisor.
  • Before handing the telephone to the young man, he could have told both the supervisor and the young man that he needed to speak to the former after they finished their conversation.
  • The guard could have called the supervisor back to check on what the supervisor and the young man said.

These three alternatives have one thing in common: They involve confirmation directly with a trusted source (the supervisor), rather than via an untrusted source (the young men). Unless you verify that a requester, visitor, or caller is legitimate, distrust anything associated with that person. Such items include their representation of what a trusted source says (such as in the above example), telephone numbers and e-mail addresses, and software.
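Rules 1 and 2 amount to a single engineering principle: every contact detail the requester supplies (the number on the caller-ID screen, a "call me back on this number," the name of someone who can vouch for them) is untrusted input, and verification has to run through a channel the company already trusts. The Python sketch below is an added example, not code from this article or from Mitnick's book; the directory entries, the request records and the flag names are constructed for illustration. It looks the claimed identity up in the company directory, always calls back on the directory number rather than any number the caller offered, and routes a vouching call to the manager of record rather than to whoever the caller named.

```python
"""Out-of-band verification of a caller's claimed identity.

Added example, not from the original article. The directory, request
records and policy flags are constructed for illustration. The one rule
implemented here: nothing the caller tells us is used as a verification
channel; only data from the trusted directory is.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed company directory: the trusted source of truth. In practice
# this would be the HR system or the corporate phone directory.
DIRECTORY = {
    "alice.ng": {"name": "Alice Ng", "dept": "Finance",
                 "phone": "+1-202-555-0143", "manager": "dana.reyes"},
    "dana.reyes": {"name": "Dana Reyes", "dept": "Finance",
                   "phone": "+1-202-555-0101", "manager": None},
}


def normalize(number: str) -> str:
    """Reduce a phone number to its digits so that '+1 (202) 555-0143'
    and '12025550143' compare equal."""
    return re.sub(r"\D", "", number)


@dataclass
class Request:
    claimed_user: str                       # identity the caller claims
    presented_caller_id: str                # what the phone displays; attacker-controllable
    callback_number: Optional[str] = None   # number the caller asks us to use
    named_supervisor: Optional[str] = None  # person the caller says can vouch


@dataclass
class Decision:
    proceed: bool
    verify_via: Optional[str] = None   # number WE dial, taken from the directory
    vouch_via: Optional[str] = None    # manager of record's directory number
    flags: list[str] = field(default_factory=list)


def plan_verification(req: Request) -> Decision:
    """Decide how to verify a request without relying on anything the caller supplied."""
    entry = DIRECTORY.get(req.claimed_user)
    if entry is None:
        # No record to verify against: the request cannot be vouched for.
        return Decision(proceed=False, flags=["unknown_identity"])

    d = Decision(proceed=True, verify_via=entry["phone"])

    # Caller ID is a display field the originating side controls; a match
    # is noted but never counts as authentication (Rule 1).
    if normalize(req.presented_caller_id) == normalize(entry["phone"]):
        d.flags.append("caller_id_matches_but_is_not_proof")
    else:
        d.flags.append("caller_id_mismatch")

    # A number the requester hands us is discarded; we dial the directory
    # number regardless (Rule 2).
    if req.callback_number and normalize(req.callback_number) != normalize(entry["phone"]):
        d.flags.append("requester_callback_number_ignored")

    # Vouching goes to the manager of record, reached on the manager's own
    # directory number, not to whoever the caller named or handed the phone to.
    if req.named_supervisor:
        manager = entry["manager"]
        if manager is None:
            d.flags.append("no_manager_of_record")
        else:
            d.vouch_via = DIRECTORY[manager]["phone"]
            if req.named_supervisor != manager:
                d.flags.append("named_supervisor_differs_from_record")
    return d


if __name__ == "__main__":
    # Constructed sample: a genuine employee, then a caller with a spoofed
    # caller ID who offers his own callback number and names a "supervisor".
    print(plan_verification(Request("alice.ng", "+1 (202) 555-0143", None, "dana.reyes")))
    print(plan_verification(Request("alice.ng", "12025550143", "+1-213-555-0199", "pat.kim")))
```

The decision object tells the person handling the call exactly one thing to do: hang up and dial the directory number. Whether the caller's story checks out is established on that callback, which is the equivalent of the guard keeping the telephone and calling the supervisor back himself.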

If you know the enemy and know yourself, you need not fear the result of a hundred battles

This Sun Tzu principle is perhaps his most famous one. Success in fighting a pretexting attack requires not only that we know our own strengths and weaknesses, but also those of the pretexter. The more we can understand how such a person thinks and acts, the better we are able to prepare for an attack. Police officers and detectives are often taught to think like a criminal when solving crimes.

Rule 3: Effective policies cause minimal offense to legitimate requesters but can potentially deter pretexters

Think of all the ways a company employee can respond to a request for information without knowing the legitimacy of the requester. They include:

  • Option A: Singing a song
  • Option B: Giving out the information
  • Option C: Punching the requester in the nose (if requester is in front of the employee)

Option A safeguards company information from a pretexter but does nothing for the legitimate caller. Option B is the "helpful" approach, but unfortunately gives the pretexter information he/she isn't supposed to have. Option C protects company information and would stop a pretexter but would offend a legitimate requester.

We're looking instead for responses that satisfy two objectives:

  • Minimal inconvenience/annoyance/offense to legitimate requesters
  • High probability of deterring pretexters

None of the three options above meets these conditions. What about this response: When a caller asks for information, tell the caller that you need to put him or her on hold, make sure it's okay with the caller, then do so. Most likely, a legitimate caller will be patient enough to wait. However, a pretexter might become anxious, thinking that he/she is about to be discovered, and will hang up. This strategy may not always work, but it's a good one to try.

Rule 4: Effective policies incorporate features pretexters are known to dislike

In describing his techniques for dumpster diving (that is, rummaging through discarded trash in search of information), Mitnick has told audiences that he explicitly avoided trash bags that appeared to have liquids inside.

How can you use this insight? I'm not suggesting that you dump a gallon of water into your trash, because your custodial staff will justifiably be upset. However, could you perhaps throw in a few damp paper towels at the top of the bag, before sealing it? Perhaps a pretexter, upon seeing those damp towels, will skip that bag.

Likewise, think of other practices that pretexters would dislike and incorporate them into your security plan.

We impose our will on the enemy, but do not allow the enemy to impose his will on us

When he was teaching me to play chess, my father said that if I was moving my pieces simply in reaction to how he was moving his, I was in trouble. He said that in chess, I should be striving to take the offensive and attack, so that my opponent would be reacting to me, not the other way around.

So too in warfare and in dealing with pretexters. A common way of gaining information improperly is for a caller to pretend that he or she is well connected--for example, a friend of or a consultant to a high-level executive. Through bullying or threats, the caller tries to get the employee to give out the desired information.

Rule 5: You, not the caller, are in control

Suppose you get a call that demands you give out information to a friend of the CEO. In listening to the request, remember that you are in control of the information. Possession, as the saying goes, is nine-tenths of the law. Your possession of the information puts you in a stronger position than that of the caller. Don't be cowed by callers who appeal to authority.

Rule 6: Use diplomacy and tact in declining a request

Dealing with potential pretexters calls for diplomacy and tact. Yes, you can tell a requester to "buzz off." What happens, though, if that requester really is the best friend of your CEO?

The way we say something is as important, if not more so, than what we say. For this reason, think about how you can make your statements sound better, even if you must decline a request. Consider the following examples:

Instead of: "I can't give out that information without authorization."
Consider: "I'm sorry, but I need authorization before I can give out that information."

Instead of: "You could have forged the signature."
Consider: "We've had issues previously with forged signatures."

An effective technique is to express sympathy while rejecting the request. For example: "I'm sorry, I'd really like to help, but I'm limited in what I can do."

Rule 7 (for management): Support your staff when they follow policy

The Duke of Wellington, who defeated Napoleon at the Battle of Waterloo, was passing through the countryside once when he came upon a closed gate guarded by a boy. "Young man," said the Duke, "Open this gate so I can pass through." The boy replied, "I'm sorry, but my master gave orders that no one is to enter." The Duke then said, "Young man, I am the Duke of Wellington. I demand that you open this gate." Again the boy replied, "My master has ordered that no one is to enter."

At this statement, the Duke exclaimed, "I commend you, young man. If I had a dozen men like you, I could conquer all of Europe."

To the managers and executives who are reading this article: Would you support your staff for standing up to a caller the way this young boy stood up to the Duke of Wellington? Presumably, you have a policy in place regarding verification of callers, no matter who they claim to be or to know. If your staff members believe they will be punished or fired for following your policy, they will be reluctant to enforce it.

Calvin Sun works with organizations in the area of information security, communications, and customer service. He currently is studying at Temple University Beasley School of Law and can be reached at csun@calvinsun.com.

Comments on this article

Protect your organization against pretexters with help from The Art of War JodyGilbertTechrepublic Moderator | 01/09/07
Sun Tzu would have been a pretexter :D Tony Hopkinson | 01/09/07
