Aujas US

An IDG Ventures Company

Aujas among the Most-Requested Information Risk / IT Security Firms at 2011 CIO & IT Security Forum

For Immediate Release

Jersey City, New Jersey, USA – Senior IT decision makers knew who they wanted to talk to at the May 24-26, 2011 CIO & IT Security Forum – and they wanted to talk to Aujas. The global information risk management company was among the top five most requested suppliers at the Jacksonville, FL, forum. Sameer Shelke, Aujas cofounder and Chief Operations and Technology Officer, and Karl Kispert, Vice President of Sales and Business Development, met one-on-one with close to 50 Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) who specifically requested a meeting with Aujas.

“The forum gave us the opportunity to meet with IT security executives and discuss the security issues that were keeping them up at night,” says Karl Kispert. “Phishing and application security are critical issues, and we were able to share with the execs how Aujas can help them manage risk in these areas as well as others.”

The forum, hosted by Richmond Events, is invitation-only for 100 senior IT executives with budget authority. It offers a unique experience for these individuals to get together, debate the big issues and explore collaborative opportunities. “From our perspective, the forum gave us the opportunity to meet and develop relationships with those we are most able to help,” says Kispert.

About Aujas
Aujas is a global Information Risk Management services company and an IDG Ventures-funded company. It is headquartered in Bangalore, India, with its US headquarters in Jersey City, New Jersey.

Aujas consultants work with the client’s management teams to align information risk with business initiatives, so that security becomes a business driver and competitive advantage. The firm helps clients manage emerging technologies – mobile devices, social media, cloud computing – that are transforming the business environment and posing increasing security challenges.

Aujas offers global clients:
• Information Risk advisory services
• Secure Development Life-cycle services
• Identity and Access Management services
• Managed Information Risk services
• Vulnerability Management services
• Mobile, social media and cloud security services
For more information about Aujas services, contact Karl Kispert at karl.kispert@aujas.com or visit http://www.aujasus.com.


June 20, 2011 | Enterprise Security, IT security, Phishing, Risk management, Secure code development | 1 Comment

Data Protection and Controls – Does Format Really Matter?

No one can argue that the most valuable asset for any enterprise, regardless of industry (military, finance, healthcare), is its data. Whether that data is an investment strategy or portfolio, a personal identity, a healthcare history or a national security matter, it must be safeguarded and controlled.

We’re all familiar with the data lifecycle and its related security controls, including encryption in storage and in transit and effective destruction. But do we also consider the format of the data? Data lives in many forms beyond the familiar electronic ones (email, Internet, PC, server or mainframe) that we normally work with, and unfortunately some of our biggest vulnerabilities live in those other forms.

Printed paper is not the least of those. Scribbled notes, copied material, casual conversations on an elevator, voicemails or even a fellow passenger’s laptop (with the curious snooper watching over) are other forms of sensitive data. The main issue here is that most of us may not view these as “data types”. The truth is they can cause the same amount of harm as a DVD, USB or PC packed with information, and can just as easily land you on the front page. Let’s take a look at an unfortunate use-case to bring this all into context.

Henry S., a database administrator, was working over the weekend to get a presentation finished for his board of directors. His area of focus was his firm’s strategy for the proprietary development of database software that would revolutionize the storage and sharing of information with clients. Henry’s developments were ahead of all others in the enterprise and possibly the industry. What nobody was thinking about was how valuable the information being prepared could be to competitors, or to thieves looking for profit.

It was late Sunday night and Henry was just happy finalizing and saving everything. Now he just had to print it. At about 11:30 that evening he found himself printing 20 color copies of his “master presentation” at the neighborhood copier. He felt the data he was bringing with him was safe since he brought it on an encrypted USB drive. At one point Henry’s copying streak went awry – after about 10 copies the machine began spitting out green paint. Henry wasn’t panicking – he knew there was plenty of time and his current set of copies were safe. After getting assistance and finishing the job on another machine, he found himself in the middle of a chaotic frenzy of paper crazily thrown all around his area. He was able to get things cleaned up, but what he wasn’t aware of was the 5 copies he’d left at the malfunctioning printer. Though a good multi-tasker, Henry was exhausted, yet practically livid with the thought of next day’s presentation and the effects it would have on his career and department. All he could think about was getting the deck right and being well prepared for the audience.

He got home with all the paperwork in his backpack and passed out. The next day at the presentation all went well, the crowd loved it and Henry was on top of the world. There’d been a slight mishap though, since there weren’t enough hard copies to go around for everyone at the meeting. That was weird – he was sure he’d made enough. Everything had gone well, except for those 5 mysteriously missing copies of the presentation. What then seemed a small loss landed Henry and his firm on the front page of the paper within the next few days. The headline read “Leading Financial Firm’s Innovative Software Idea up for Grabs at Local Print Shop” – not quite the fabulous outcome he’d hoped for. It turned out that whoever got hold of the lost copies managed to re-engineer the software and get it to market. To make things worse, the data-loss incident was widely publicized; the fall-out included Henry’s suspension and investigation, a full 10-point drop in his firm’s stock price and a long-term negative reputational impact for his firm.

Data in any format is an extremely critical asset, and a liability when not controlled or secured properly. The effect of negligence over that asset can be detrimental to a career, an innovative idea and possibly an entire franchise. Proper due diligence and controls are needed for the entire lifecycle of the data, be it encryption while in storage or transit for electronic material, or locks and safes for storage and shredding for destruction of hardcopy material.

Had Henry only given a bit of thought to these things as a top priority, reputations and careers may have been saved (and likely excelled astoundingly). Instead everyone had to run for cover, hope to not get hit by the shattering fallout, and hope to keep their shirts on their backs.

Need help with your company’s data protection programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 | Data protection, IT security | Leave a comment

Data Governance – What We Need to Think About

These are some risk areas that you might want to think about when discussing Data Governance with your team: 

1. Disparate sources of data across the organization’s applications, producing incomplete and incorrect production data used in key decision making processes for capital investment. (Accuracy)

2. Trading ledger for risk management review is typically delayed because of multiple data feeds, the availability of which is impeded by network speed due to file size in two custom applications. (Availability)

3. Inability to solve data quality issues in the sales division because data is spread across multiple systems and owners, resulting in a blame game. (Agility)  

4. Customer service representatives are not presented a single view of a customer account, and have to use multiple programs to achieve unified profile presentation, requiring more time to solve issues, and increased call center costs. (Access)

A Data Governance Methodology That Works

Building Blocks for Success

Analyze
* Perform data governance readiness assessment
* Define guiding principles
* Identify decision making bodies

Design
* Determine focus of data governance program (security/privacy, data quality, architecture, etc.)
* Design data governance program (standards, policies, strategy)
* Determine cross functional teams and data stewards
* Define decision areas and decision rights

Transform
* Conduct employee training and awareness
* Enact data governance program
* Deploy data governance mechanisms and tools

Sustain
* Monitor and adjust key performance metrics
* Ensure accountability and ownership through periodic review

Need help with your company’s data governance programs? Contact Karl Kispert, Aujas VP of Sales, at karl.kispert@aujas.com.

March 8, 2011 | Data governance, IT security | Leave a comment

Effective Data Protection Requires More than Technology

More companies are finding that, despite their technology investments, effective data protection remains elusive. Data protection technology has become as commonplace as anti-malware, and most organizations deploy it as standard desktop endpoint and gateway security. The technology works using a combination of document ‘fingerprinting’, keywords, and policies that define what is allowed and what is not. It has matured to cover endpoint and email data leakage risks as well as social networking risks. Yet even with mature technology and a rigorous implementation, organizations often find their data protection ineffective.

IT departments can implement a data protection technology quickly, but struggle to make it effective. Unable to bridge the gap between implementation and effectiveness, they end up with large numbers of data leakage ‘incidents’ that usually turn out to be false positives. In many cases, organizations end up operating DLP tools in ‘audit only’ mode, which completely defeats the tools’ purpose.

This gap is usually due to the approach taken to data protection, not to the organization itself. Most organizations identify data protection as a risk, and the IT/IS department chooses a vendor for implementation. The vendor usually ‘scans’ the file stores for ‘important’ files, and policies are created to safeguard the files deemed important. While this approach seems simple enough, it is the root of the problem: IT is basing policies on its own interpretation rather than on what is important or appropriate for the business.

Data, even if critical, may need to be exchanged with outsiders for valid business reasons. The challenge is to establish policies that allow the business to operate seamlessly while stemming data leakage. A further challenge is to build an ecosystem that supports this on an ongoing basis. The solution ideally integrates technology, process and a governance framework.

The first step is a data classification policy that clearly establishes how to classify data within the organization; users should be made aware of how the classification policy applies to them. Next, the data flow within business processes should be understood, to identify the type and nature of data, its classification, and the authorized movement of ‘important’ data across organizational boundaries. The important files, templates and database structures identified during this exercise should be ‘fingerprinted’. The policies should then be configured and applied based on the authorized movement of data.

Taking these two steps will improve the effectiveness of data protection technology because they incorporate the business’s rules for its data. However, this is still a point-in-time exercise that does not address the fluid business data environment. To sustain data protection, a governance process is required. One approach is to integrate with the data governance framework if one exists within the organization; if not, a similar structure can be created, with the added benefit that it integrates closely with data governance once such a framework is actually created.

The governance function should be responsible, at a high level, for both the strategic and operational management of data protection. At the strategic level, it should look at how data flows and is managed, and the impact on the data protection technology employed. At the operational level, it should look at how data protection incidents are managed, how false positives are reduced, and how user awareness of classification and protection is improved. Many organizations also employ active data protection through data/digital/information rights management tools, which require users to ‘protect’ content based on allowed rights, time limits and expiry dates. Though the approach above applies to these technologies too, organizations have to spend more effort on user awareness, because user cooperation determines the success or failure of the technology.
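The classify-then-fingerprint approach described in this post, as an added Python example that is not Aujas’s code or any DLP product’s: it registers fingerprints (hashed word shingles, a simplified stand-in for a product’s fingerprinting) for two constructed documents, records the authorized external movement per classification, and contrasts the verdicts with the keyword-only rule that produces the false positives discussed above. All documents, domains and thresholds are constructed for illustration.

```python
"""Classification-driven DLP check: fingerprint the documents the data-flow exercise
identified as important, then judge outbound transfers by the authorized movement of
each classification instead of by keywords alone. Everything below is constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

SHINGLE_WORDS = 5       # words per shingle; overlapping hashed shingles approximate fingerprinting
MATCH_THRESHOLD = 0.3   # share of a registered document's shingles that must reappear (assumed)
ANY_DOMAIN = "*"        # wildcard for classifications that may go anywhere


def shingles(text: str) -> set[str]:
    """Hash every run of SHINGLE_WORDS words so a pasted excerpt still matches its source."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    count = max(len(words) - SHINGLE_WORDS + 1, 1)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE_WORDS]).encode()).hexdigest()[:16]
        for i in range(count)
    }


@dataclass
class Registered:
    name: str
    classification: str     # from the classification policy, e.g. Confidential / Public
    fingerprint: set[str]


@dataclass
class Verdict:
    action: str             # "allow" or "block"
    matched: Optional[str]  # registered document that matched, if any
    reason: str


def register(name: str, classification: str, text: str) -> Registered:
    return Registered(name, classification, shingles(text))


def evaluate(body: str, recipient_domain: str, registry: list[Registered],
             authorized: dict[str, set[str]], internal_domain: str) -> Verdict:
    """Match the outbound body against registered fingerprints, then apply the
    authorized external destinations recorded for the matched classification."""
    body_shingles = shingles(body)
    best, best_score = None, 0.0
    for doc in registry:
        score = len(doc.fingerprint & body_shingles) / len(doc.fingerprint)
        if score > best_score:
            best, best_score = doc, score
    if best is None or best_score < MATCH_THRESHOLD:
        return Verdict("allow", None, "no registered document matched")
    if recipient_domain == internal_domain:
        return Verdict("allow", best.name, "internal recipient")
    allowed = authorized.get(best.classification, set())
    if ANY_DOMAIN in allowed or recipient_domain in allowed:
        return Verdict("allow", best.name, f"{best.classification} authorized to {recipient_domain}")
    return Verdict("block", best.name, f"{best.classification} not authorized to {recipient_domain}")


def keyword_rule(body: str, keywords=("confidential", "term sheet", "exclusivity")) -> bool:
    """The keyword-only rule many deployments start with: it fires on wording, not on data."""
    lowered = body.lower()
    return any(k in lowered for k in keywords)


# --- constructed sample documents and events (not real data) ---
TERM_SHEET = (
    "Project Harbor term sheet. Acquirer proposes to purchase one hundred percent of the "
    "outstanding shares of Target Corp for forty two million dollars in cash, subject to "
    "confirmatory due diligence, board approval and a sixty day exclusivity period. This "
    "document is confidential and may not be shared outside the deal team."
)
PRESS_RELEASE = (
    "Acquirer Inc today announced a new customer portal. The company said it keeps customer "
    "information confidential and private by design, and the portal is available to all "
    "customers starting next month."
)
# An email that pastes part of the term sheet without any of the keywords above.
EXCERPT_EMAIL = (
    "Hi, pasting the key terms for your review: Acquirer proposes to purchase one hundred "
    "percent of the outstanding shares of Target Corp for forty two million dollars in cash, "
    "subject to confirmatory due diligence. Thanks"
)

REGISTRY = [register("Project Harbor term sheet", "Confidential", TERM_SHEET),
            register("Portal press release", "Public", PRESS_RELEASE)]
# Authorized external movement per classification, as recorded from the data-flow review.
AUTHORIZED = {"Confidential": {"outside-counsel.example"}, "Public": {ANY_DOMAIN}}
INTERNAL_DOMAIN = "acquirer.example"


def demo() -> list[tuple[str, str, bool]]:
    """Return (recipient, fingerprint-policy action, keyword-rule fired) per sample event."""
    events = [(EXCERPT_EMAIL, "outside-counsel.example"),
              (EXCERPT_EMAIL, "webmail.example"),
              (PRESS_RELEASE, "news.example")]
    return [(dom, evaluate(body, dom, REGISTRY, AUTHORIZED, INTERNAL_DOMAIN).action,
             keyword_rule(body)) for body, dom in events]


if __name__ == "__main__":
    for recipient, action, keyword_hit in demo():
        print(f"{recipient:25} fingerprint+policy={action:5} keyword_rule_fires={keyword_hit}")
```

The keyword rule misses the pasted excerpt (no trigger word) yet fires on the public press release, while the fingerprint-plus-authorized-movement policy blocks only the excerpt going to an unapproved domain.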

Though data protection technologies have changed the data confidentiality playing field completely, effective data protection cannot be achieved by the technology alone. It requires a focused lifecycle management approach for it to be more effective and sustainable.

January 24, 2011 | Data Leak Prevention, Data Loss Prevention, Risk management | Leave a comment

5 Hot Topics in Information Security for 2011

According to the Aujas information security experts, these are the five crucial security topics that should be on the radar for business executives in 2011:

Data Governance and Data Leakage Prevention (DLP) – Some executives believe their employees know exactly what data should be protected and what data can be shared via website, conversation or social media.  These executives have a false sense of security. Many companies still do not have a strong data classification program or policy in place to educate employees on what is critical to an organization and what is not.  Some execs may also think that having a DLP tool and plugging it in is the answer. That’s like plugging in a power saw and saying you can build a house! Having a tool and knowing how to use it effectively are two different things.

Tip: Find a champion to drive your data governance and loss prevention initiative.  If your company has a CISO, this person is the most logical one to take on this role. If not, you can assemble a small team of stakeholders to work with guidance from a third party who specializes in information risk management.

Application Security – With so many applications being developed and used in companies of all sizes, some are being created without security in mind.  Some technology companies have a need to be the first on the street with a new application and are bypassing Security Development Lifecycle (SDL) protocol. They are thinking about security after the application is released and, sadly, are finding that they are spending more money to fix the application.

Tip: First perform a penetration assessment on your company’s critical applications to identify vulnerabilities. Then be proactive!  Create a framework in which security is part of the SDL.

Social Media – The intentional and unintentional release of sensitive information via Facebook, Twitter, etc. can affect your company’s bottom line. Your intellectual property may wind up on an underground website or, if your secrets are shared with the world, you may not be first to market with your new product or service.

Tip: You don’t need to declare social media off limits to your employees. It is an important business tool that is not going away.  You do, however, need to understand the risks of social media, and make users aware.

Cyber Security – Over the past year, more organizations have come to understand that there is a very real cyber security threat in the US and that the US Government cannot take care of every threat-related issue. Your company needs to develop strong internal and external security programs to protect itself.

Tip: Putting in place a robust information risk management (IRM) program is essential so that your stakeholders understand the people, process and technology risks and how they can affect your access, availability, and agility to conduct business.

Phishing – Hackers continue to use phishing, a type of social engineering, to solicit information from individuals. Though phishing incidents were down in the second half of 2010, the attacks continue to get more sophisticated.

Tip: Perform a phishing diagnostic so that you are aware of the threat, specifically who in your organization is susceptible to this type of attack.

Aujas can help your company manage risk from these threats. Contact Karl Kispert, our Vice President of Sales, to learn more. He can be reached at karl.kispert@aujas.com or 201.633.4745.

January 24, 2011 | Data Leak Prevention, IT security, Phishing, Risk management, SDL, Social Engineering | Leave a comment

Secure Code Development Is in Your Future

Microsoft SDL Pro Network Is at the Forefront – and Aujas Is There

Secure code development will become a standard in the near future, according to industry experts at Network World. As the Federal Government continues to require cyber supply chain assurance, you won’t be able to sell any technology products to the government unless you adhere to a Secure Development Lifecycle (SDL) model. Other critical infrastructure industries such as financial services, utilities and telecommunications are adopting these requirements as well.

The Microsoft SDL is a security assurance process that combines holistic and practical approaches, and introduces security and privacy throughout all phases of the development process. Microsoft made its own SDL public as part of its commitment to protecting customers and enabling a more trusted computing experience.

Member of the Microsoft SDL Pro Network

Aujas is now a member of the Microsoft SDL Pro Network. As a Network member, we are part of a group of security consultants, training companies, and tool providers that specialize in application security.  Network members have substantial experience and expertise with the Microsoft SDL methodology and technologies.

According to David Ladd, Principal Security Program Manager at Microsoft, “We are very happy to have Aujas join the SDL Pro Network.  As an IDG company with a global presence, Aujas will help organizations around the world improve their software security process to overcome security and privacy issues.”

Adds Karl Kispert, Aujas Vice President of Sales, “Our vision is to manage risk and enhance information value for our clients. By implementing the SDL framework, we can help our clients manage their software risk, meet compliance requirements, improve software quality and enhance information value.”

The services Aujas offers as a Network member are designed to span the entire lifecycle and make security and privacy an integral part of how software is developed. Specific capabilities include:

  • Training, Policy and Organizational Capabilities, including security training and advice on how to implement the SDL
  • Requirements and Design, including risk analysis, functional requirements and threat modeling
  • Implementation, including use of banned APIs, code analysis and code review
  • Verification, including fuzzing and Web application scanning
  • Release and Response, including final security review (FSR), penetration testing, and response planning and execution

Aujas’ Secure Development Life Cycle Services assist in recognizing and avoiding security pitfalls during the software development lifecycle, and also correct security problems once they arise. They transform the Software Development Lifecycle into a Secure Development Life Cycle.

Our Strategy and Planning services help organizations categorize their applications according to the risk each application presents to the business, and formalize the corresponding security requirements.

The Aujas Application Architecture and Design Review services check if all the security elements have been considered during the design phase and provide feedback for the architects to adjust the design for maximum security and privacy.

To find out how Aujas can help you implement Microsoft SDL, contact Karl Kispert, our VP of Sales.

January 4, 2011 | IT security, Risk management, SDL, Secure code development | Leave a comment

Ephemeral Borders: Privacy and Security of Data in the Cloud

Business is expanding across national borders at an accelerating rate. Most corporations of significant size have facilities in many countries. Cloud applications and storage offer savings and efficiencies, such as 24/7 availability of data and applications, enhanced access and elimination of the costs associated with server maintenance. Multinational corporations considering implementation or expansion of Cloud use should, however, tread cautiously, and obtain guidance on the applicable privacy and security issues.

For example, litigation or government oversight proceedings involving such companies may result in demands for data originating in, say, France, yet stored in Cloud repositories in other countries. The servers will, for the most part, be located beyond the borders of France. Personal data, which includes emails by definition, is subject to the European Union Privacy Directives and local enabling law, which hold that the personal data of an individual may not be sent outside the European Economic Area (the E.U. member states plus Norway, Switzerland, Iceland and Liechtenstein) without the individual’s consent. Appropriately informed consent documents, then, must be drafted. Additionally, pursuant to the Blocking Statute, no data of any kind may be sent outside France for use in a foreign judicial proceeding. Other states, such as Switzerland, have similar statutes. Criminal penalties apply for violation of these provisions. Data sent to Cloud repositories with the intent of onward transfer for litigation, then, may run afoul of these laws. In addition, the Data Protection Authority of the German state of Schleswig-Holstein recently opined that it is a violation of German law to send data to Cloud repositories whose servers are located outside the European Union.

Companies registered with the U.S. Safe Harbor Program would need their registrations amended to cover personal data held in Cloud repositories. The Service Level Agreements with the Cloud providers must contain provisions for E.U. levels of security and privacy in the Cloud repositories (other countries where the company does business will have similar requirements) or, perhaps, provisions that the data will not be transferred to or stored in locations outside the country in which the data were created.

Finally, multinationals considering the significant economic and security advantages the Cloud offers would need documented protocols for Legal Holds for data in Cloud repositories.  Legal Holds are considered “processing” of data in the E.U., and must be done in a manner consistent with the Privacy Directives and for retrieval and production of such data to governmental agencies and courts.  

Security consultants, working closely with U.S.-based counsel experienced in cross-border data disclosure conflicts, can assist in navigating the byways of this new and complicated area of information governance.  This is where Aujas can help.

This article was provided by Kenneth N. Rashbaum, Esq., Rashbaum Associates, LLC.

January 4, 2011 | Cloud Security, Data Leak Prevention, Risk management | Leave a comment

Information Risk Management and M+As Part 2

Part 2 Implications: Unavailability of business critical applications preventing access to business data.

Approach

Organizations undergoing a merger face challenges during integration in managing costs and risks and in providing long-term business value. Failure to address risks and to put appropriate controls around IT security may escalate costs and increase risk.

To ensure that organizations achieve the maximum benefit during systems integration, an effective approach is to:

  • Involve IT security, audit and compliance professionals early in the integration planning along with the business owners. Our experience is that this is generally a reactive effort.
  • Create an Integration team that involves people with prior M&A experience working closely with the IT Integration, IT Security and Compliance teams.
  • Focus early on IT security, risk and control along with IT integration to save cost and time while minimizing risk.

The multidisciplinary team will be better equipped to make informed decisions and move towards realistic targets of integrating people, processes and technology and minimize risk.

Though from an SOX compliance perspective the SEC does allow organizations acquiring a company to take advantage of a one-year waiver to assess the internal control of the acquiring company, early focus on compliance while integrating IT systems, processes and people will help the combined entity to reduce the cost of compliance and minimize risk.

For the four challenges identified above, this is our approach:

1. To address compliance requirements and establish an effective and efficient internal control and risk environment for the combined entity

  • Identify key risk and control owners for the combined entity.
  • Engage experienced finance and audit personnel for maintaining compliance during transition
  • Perform a top-down risk assessment to identify the risk profile of the combined entity and gaps existing in the risk and control environment
  • Develop a remediation work stream to fix deficiencies
  • Determine which entity’s compliance processes are the most efficient, or what needs to be modified to form a new compliance process
  • As units, functions, geographies, and processes merge, remove redundant controls, while keeping key controls to address the risks
  • Develop risk-based test plans that direct effort and resources to the controls that are related to the highest levels of risks

2. To manage access rights for employees, customers, affiliates and third parties in an integrated environment

From an access management perspective, a merger brings multiple users, applications and legacy systems that must be integrated for simple, faster and secure access to data. During a merger, various applications are consolidated, restructured or rebuilt, and managing appropriate access to information resources is a challenge. Security issues related to unauthorized access to data, information leakage, and regulatory requirements for protecting the privacy of personnel information all call for appropriate access management:

  • Inventory all regulatory requirements for access control and normalize them to get the common regulatory requirements for data access
  • Derive access policy for employees, customers, affiliates, and third parties for the combined entity
  • Identify all the applications that need to be consolidated on Day One (e.g., ERP, email system, customer portal, payroll) and the access requirements for the data in the respective applications
  • Ensure a common account termination process is in place as rogue accounts pose serious risks to business data
  • Plan and implement the unified strategy for the combined entity for data access during transition and after Day One

3. Addressing privacy requirements of the combined entity

  • Develop an integrated privacy compliance strategy for the combined entity
  • Evaluate business processes for potential high risk privacy areas
  • Develop and implement the privacy program strategy, components, policies, standards and procedures
  • Design and establish a privacy organization to govern privacy program operations
  • Develop and deploy a set of rationalized privacy controls and privacy operational processes
  • Establish privacy training, communication and awareness processes

4. To manage business continuity during the transition phase while integrating different IT systems, operations and people

  • Identify the business critical applications and data for both the entities
  • Develop change control and fallback procedures for the business critical applications
  • Create an incident response plan
  • Identify people involved in change management, incident response and emergency changes and ensure their availability as per the plan with contact details.
  • Develop a communication plan

Conclusion

In today’s environment of public scrutiny, companies cannot afford non-compliance with privacy and regulatory requirements, nor an incident caused by inappropriate access. While some companies have listed compliance in their 10-K as a key risk after M&A transactions, there are ways to avoid public scrutiny and minimize the risk of non-compliance.

So, how do you know that the M&A process includes all the right steps to address Compliance, Risk and IT Security?

  • Plan early
  • Execute as standard post-merger integration activities
  • Address all components of Risk, Security and Control
  • Monitor and evaluate throughout the process

November 22, 2010 | Mergers and Acquisitions | Leave a comment

How I Hacked My Car Manufacturer

There are very few articles that I would consider “rerunning” in Risky Business; however, this is one that is worth repeating.

When I read there was going to be a social engineering competition at this year’s Defcon (the annual hacker gathering held every summer in Las Vegas) I knew I had to enter. It was the perfect chance to hone my sweet talking skills in a judged and neutral setting, and also to test my hypothesis that not only is social engineering a risk to regular end users in an enterprise, but that even corporate InfoSec teams are not immune from the threat.

Social engineering is essentially “pretexting” yourself into getting people either to divulge sensitive information or getting into areas you otherwise shouldn’t be in. You’re a sprinkler inspector who shows up unannounced at the front desk or the harried internal auditor racing to meet a deadline who calls an employee seeking information about their computer system. Given most people’s inherently trusting and helpful nature, social engineering attacks are surprisingly successful, which is why most corporate information security training programs address the threat. One would assume this would mean the InfoSec groups should be aware of any such attempt. As Gershwin would say, “it ain’t necessarily so.”

For the Defcon contest, each entrant was randomly assigned a major corporation as a target. Mine just so happened to be the manufacturer of my car. Sweet revenge. The first task was to create a dossier on the target company, solely from information gleaned from the Internet and public sources. There were to be no pre-contest calls, visits to the company’s headquarters, or contact with the company in any way whatsoever.

After crawling various search engines for email addresses, phone numbers, addresses, press releases, and other valuable information, I moved onto social networking sites like LinkedIn and Facebook. Soon I had accumulated almost 1,000 email addresses, hundreds of recent press releases, and a couple of employee handbooks as a good starting point. Next, any email addresses not correlated to a name were cut, as were any that couldn’t be verified as current or recent employees. The remaining email addresses were then fed into the various search engines to pick out only employees that worked in my target’s information security group. These were in turn fed back into the search engines to see if anything interesting fell out; information like hobbies, school affiliation, etc.

Soon the file was whittled down to approximately 75 people that I had gathered at least two points of information with which I could engage them during my pretexting in order to gain an elevated level of trust. If the target person had an interest in flying, I’d be sure to work a local air show into the conversation. Building any sense of familiarity or commonality with a target boosts the success rate of a social engineering attack exponentially.

Next I had to develop the attack vector I would use. Since I was targeting the InfoSec group, I knew I couldn’t use the old standby of posing as an auditor for the company. That is such a commonly used ploy that most if not all InfoSec employees should be able to sniff that attack out a mile away. Instead, I settled on posing as a survey taker for CSO Magazine. That would give me cover for calling the security group and asking questions about their security environment.

Three weeks later I was in the soundproof booth at Defcon, dialing through my list of numbers in front of a live audience as I perused the list of “flags” the judges had given me to collect: essentially pieces of information useful for a hacker attack. The first number to answer gave me hope that my hypothesis might be wrong. The security engineer at the other end of the line was very hesitant to speak with me, and very quickly shut me down, refusing to answer any questions that would reveal any technical information about the company. That was a promising sign – perhaps training of InfoSec personnel was starting to become effective.

Not so much. My next target was another security engineer, who, although initially having misgivings about speaking with me, was quickly convinced to participate through my pleading that I only needed 10 minutes of his time and that I was risking losing my job if I didn’t meet my daily target, but more importantly, that there was a $25 iTunes gift card waiting for him upon completion of the “survey”. Greed is always a good motivator. Within 15 minutes I had sweet-talked the guy into revealing everything from the OS version and service packs installed, browser type and version, to his anti-virus engine and signature version. Basically anything needed to launch a successful targeted attack.

So much for training

In the end I had proven my point: InfoSec people are no different from other end users. While they may have more security awareness training than others, they are still susceptible to the same weaknesses as others: greed, a desire to assist, and a fear of getting in trouble or creating delays in “mission critical” tasks. More important is that they suffer from the same weakness that everyone seems to suffer from – the belief that they would know if they were ever being “snookered.”

So what can be done to protect against social engineering attacks? To prevent on-site attacks make this the golden rule that is *never* broken – “unannounced visitors aren’t let in if their corporate sponsor isn’t reachable to validate the visit.” To prevent general social engineering attacks focus your efforts on ongoing awareness training (once a year is not enough), routine testing of personnel to see how effective the training is, and most important of all, reducing information leakage. The amount of information that companies allow employees to post about their jobs and corporate environment is shocking (not to mention the information the companies themselves leak). Take an hour and peruse the various social networking sites like LinkedIn and Plaxo and see what information you can glean about your employees, the projects they are working on, and what software they are using. Regularly run your company’s name through the various search engines to look for information coming from unlikely sources (it’s not unusual for contractors or suppliers to post information about dealings with other companies which inadvertently leaks helpful information to an attacker). Doing this exercise from the point of view of an attacker or competitor who knows nothing about your company will allow you to quickly see how many pieces of seemingly disparate information can eventually form a cookbook for a successful attack.
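A small leakage audit in the spirit of this exercise, added here as an example (not the author's code): it scans constructed sample posts about a hypothetical company (“ExampleCorp”, with invented account names) for the kinds of disclosures the engineer gave away on the phone, flags supplier-originated mentions, and lists accounts that offer an attacker at least two separate hooks, the same threshold used when the dossier was whittled down to 75 people.

```python
import re
from collections import defaultdict

# Constructed sample of public text about a hypothetical company "ExampleCorp".
# Each entry: (account that posted it, where it was found, text). All names are invented.
SAMPLE_POSTS = [
    ("alice", "linkedin", "Security engineer at ExampleCorp. Weekends I am flying out of the local airfield."),
    ("alice", "forum", "Anyone else seeing false positives with Symantec Endpoint Protection 11 on Windows XP SP3?"),
    ("bob", "twitter", "Proud Michigan State alum. Go Spartans!"),
    ("acmepartners", "vendor site", "Case study: ExampleCorp rolled out Internet Explorer 8 to 4,000 desktops with us."),
    ("dave", "linkedin", "Project manager, ExampleCorp."),
]

# Disclosure categories the audit flags. The technical ones are what a targeted attack
# needs (OS, browser, anti-virus); the affinity one is the rapport hook a pretext caller uses.
LEAK_PATTERNS = {
    "os_version": re.compile(r"\bWindows\s+(?:XP|Vista|7|Server \d{4})(?:\s+SP\d)?\b"),
    "browser": re.compile(r"\b(?:Internet Explorer|Firefox|Chrome|Safari)\s+\d+(?:\.\d+)*\b"),
    "antivirus": re.compile(r"\b(?:Symantec|McAfee|Trend Micro|Sophos|Kaspersky)(?:\s+[A-Z][A-Za-z]+)*(?:\s+\d+)?"),
    "personal_affinity": re.compile(r"\b(?:flying|pilot|alum|alumni|marathon|golf)\b", re.I),
}
# Sources run by suppliers or contractors rather than by the company or its own staff.
EXTERNAL_SOURCES = {"vendor site", "partner blog"}


def audit_posts(posts, company):
    """Return {account: [(category, matched text, source), ...]} for every disclosure found."""
    findings = defaultdict(list)
    for account, source, text in posts:
        for category, pattern in LEAK_PATTERNS.items():
            for match in pattern.finditer(text):
                findings[account].append((category, match.group(0), source))
        # A supplier naming the company next to technical detail is the leak the post warns
        # about: it comes from somewhere the company's own policies do not reach.
        if source in EXTERNAL_SOURCES and company.lower() in text.lower():
            findings[account].append(("third_party_disclosure", source, source))
    return dict(findings)


def high_exposure(findings, min_points=2):
    """Accounts with at least min_points distinct disclosure categories: enough separate
    hooks for a convincing pretext, so these are the leaks to plug first."""
    return sorted(a for a, items in findings.items()
                  if len({c for c, _, _ in items}) >= min_points)


if __name__ == "__main__":
    report = audit_posts(SAMPLE_POSTS, "ExampleCorp")
    for account in high_exposure(report):
        for category, what, source in report[account]:
            print(f"{account:14} {category:22} {what!r} via {source}")
```

Swap the constructed list for text pulled from your own searches of social networks and supplier sites; the patterns are a starting point, not an exhaustive list of what can leak.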

Train and monitor your staff, plug the leaks, monitor the web. Take these three steps and you will be on your way towards reducing (but never eliminating) the threat of social engineering attacks.

Shane MacDougall is a principal partner in Strategic Intelligence, a Canada-based corporate intelligence gathering firm. He has been a professional white hat hacker, security consultant, and speaker since 1989.

November 8, 2010 | Risk management, Social Engineering, White Hat Hacking