
Social Engineering - Christopher Hadnagy [186]


This particular point is not always easy to implement because employees, especially customer-facing ones, must be able to release some information without fear of attack. Simply being aware of the value of information cannot, on its own, stop an attack.

Keeping Software Updated


In most businesses you must be able to release information to the public and to clients. Even in my business I must be able to give out my phone numbers, emails, and web addresses. I must be able to send and receive PDF files and I have to be able to freely talk on the phone with clients, suppliers, and vendors.

However, the points discussed so far indicate that releasing any of this information can mean the end of one's business and possibly one's privacy. What can you do to have the freedom to release certain information without fearing that end?

Keep your software updated. In our contest, more than 60% of the companies that were called were still using Internet Explorer 6 and Adobe Acrobat 8. Those are staggering statistics.

Dozens if not hundreds of public vulnerabilities exist in those two applications alone. Knowing that a target uses those two versions opens it up to an enormous number of attacks, many of them so effective that intrusion detection systems, firewalls, and antivirus software cannot reliably stop them. But do you know what can stop them?

The answer is updates. The newest version of a piece of software generally has its known security holes patched, or at least most of them; an update cannot close a hole the vendor does not yet know about, but it removes the ones an attacker can look up. If a particular piece of software has a horrible track record, don't use it; switch to something less vulnerable.

The problem that comes up is that companies are very slow when it comes to upgrades. IE 6 is very old, close to the end of its supported life with Microsoft. Adobe Acrobat 8 has dozens of exploits publicly available. Those are just two of the many pieces of information we found out in the contest. The reality of the matter, though, is that you have to be able to release information. You must be able to freely tell people what is going on. To do that with less worry, you must make sure you and your employees use updated software.

In the contest calls, if an employee divulged that the company used Firefox, Chrome, or another current browser, or Foxit or the most up-to-date Adobe software, contestants would have been shut down. I am not saying those pieces of software do not experience any problems at all. Exploits for certain versions certainly exist, but this software is significantly less vulnerable. Possessing that information is still valuable to an attacker, but if no exploits are available for the version in use, the next phase of the attack cannot be launched.
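The reasoning above, that a disclosed product name and version is only useful to an attacker when it falls below a patched baseline, is something a defender can turn into a routine check of what a caller could learn. The following is an added example, not code from the book or from the contest: it takes a constructed list of "company | product | version" notes of the kind a contestant might write down, compares each version against an assumed minimum-version baseline, and reports which companies disclosed something exploitable. The baseline numbers and the inventory lines are illustrative assumptions, not vendor lifecycle data; a real deployment would load the baseline from the vendors' support pages or a patch-management feed.

```python
"""Audit software versions disclosed on a call against a minimum-version
baseline. Added example; not code from the book. The baseline numbers and
the inventory lines below are constructed for illustration only."""

from collections import defaultdict

# Assumed minimum acceptable version per product (illustrative assumptions,
# not vendor lifecycle data). Keys are lower-cased product names.
BASELINE = {
    "internet explorer": "8.0",
    "adobe acrobat": "9.3",
    "firefox": "3.6",
    "chrome": "5.0",
    "foxit reader": "4.0",
}

# Constructed sample of what a caller might have been told: company,
# product, version. Not real contest data.
DISCLOSED = """\
Acme Corp | Internet Explorer | 6.0
Acme Corp | Adobe Acrobat | 8.1.2
Bravo Ltd | Firefox | 3.6.8
Bravo Ltd | Adobe Acrobat | 9.3.4
Charlie Inc | Chrome | 5.0.375
Charlie Inc | Foxit Reader | 4.0
Delta LLC | Internet Explorer | 8.0.6001
Delta LLC | Adobe Acrobat | 8.2
Echo PLC | Lotus Notes | 8.5
"""


def parse_version(text):
    """'8.0.6001' -> (8, 0, 6001). Stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_cmp(a, b):
    """Compare dotted versions; returns -1, 0 or 1. Shorter versions are
    zero-padded so that '8' and '8.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def classify(product, version):
    """Return 'outdated', 'current' or 'unknown' for one disclosed item.
    Unknown products are reported separately rather than silently passed."""
    floor = BASELINE.get(product.strip().lower())
    if floor is None:
        return "unknown"
    return "outdated" if version_cmp(version, floor) < 0 else "current"


def audit(inventory_text):
    """Group verdicts per company: {company: [(product, version, verdict)]}."""
    findings = defaultdict(list)
    for line in inventory_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        company, product, version = (f.strip() for f in line.split("|"))
        findings[company].append((product, version, classify(product, version)))
    return dict(findings)


def exposed_fraction(findings):
    """Share of companies that disclosed at least one outdated product."""
    if not findings:
        return 0.0
    exposed = sum(1 for items in findings.values()
                  if any(verdict == "outdated" for _, _, verdict in items))
    return exposed / len(findings)


if __name__ == "__main__":
    results = audit(DISCLOSED)
    for company, items in results.items():
        for product, version, verdict in items:
            print(f"{company:12} {product:18} {version:10} {verdict}")
    print(f"companies exposed: {exposed_fraction(results):.0%}")
```

Run as-is, the script flags the two companies that disclosed a version below the baseline and leaves the unrecognised product marked "unknown" so it is reviewed rather than ignored. The same comparison can be run the other way round, against the answers your own staff are willing to give, to see what a caller would learn.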

Keeping software updated is the one tip that seems to get the most flak, because it takes the most work and can cause the most overhead. Changing internal policies and methodologies that allow very old software to remain in use can be very difficult and cause all sorts of internal shifts.

However, if a company is committed to security and to building personal security awareness, then committing to these changes will become part of the business culture.

Developing Scripts


One more beneficial thing bears mentioning: develop scripts. Don’t cringe; I don’t mean scripts in the sense that the employee must say X if a situation equals A plus B. I am talking about outlines that help an employee be prepared to use critical thinking when it counts the most. Consider these scenarios:

What is the proper response when someone who claims to work for the CEO calls and demands your password? What do you do when someone with no appointment, who looks and acts the part of a vendor, demands access to a part of the building or property?

Scripts can help an employee determine the proper response in these circumstances and help them feel at ease rather than pressured. For example, a script may look like this:

If someone calls, claims to be from the management office, and demands that you comply by handing over information or internal data, follow these steps:

1. Ask for the person’s employee ID number and name. Do not answer any questions until you have this information.
