AOH :: ISN-3179.HTM
Council social engineering test exposes flaws
Forwarded from: William Knowles
http://www.zdnet.com.au/news/security/soa/Council_social_engineering_test_exposes_flaws/0,130061744,339271857,00.htm
By Munir Kotadia
ZDNet Australia
25 October 2006
Kingston City Council in Victoria recently conducted a social
engineering experiment to see how its staff would react to a stranger
trying to gain access to the server room; the exercise revealed, and
helped fix, serious flaws in staff awareness.
Analyst firm Gartner defines social engineering as "the manipulation
of people, rather than machines, to successfully breach the security
systems of an enterprise or a consumer". This could mean persuading a
user to click on a link or open an attachment or, in the case of
Kingston Council's experiment, allowing a stranger into their server
room.
Speaking at a security lunch hosted by Patchlink on Tuesday, Duncan
Kelly, Kingston City Council's manager of information systems,
revealed that although the council had spent a considerable amount of
time and money improving its patching infrastructure, it wanted to
test the strength of its "human firewall".
"We hired somebody to wear a suit, walk into the building and see how
far they could get. [Employees] knew I and my network administrator
were not in the building," said Kelly.
The Council's building has swipe card access on its doors and the
server room is on the first floor, so in order to get there, the
intruder needed to win the confidence of at least a few staff members.
According to Kelly, the intruder passed the first hurdle by simply
saying he was a new member of staff on the IT helpdesk. It didn't take
too long for the intruder to find the server room.
When the intruder got to the server room, he said he was sent by
Duncan to service the Uninterruptible Power Supply (UPS).
IT staff sitting by the server room responded with "if Duncan sent
you, no problem at all," and let the stranger into their server room.
"To get my name, anybody can ring the customer services. He could have
walked into our server room and turned everything off -- or taken an
axe to it. He wasn't hacking, he was walking. We have a very trusting
group of people," said Kelly.
The experiment exposed some very serious flaws in the Council's
security practices, caused a few red faces but ultimately, helped
increase the awareness of social engineering tactics and educated
users, Kelly said.
Kelly claims that following the test, people are now "hot to trot
about who walks into our building".
As proof, he shared an example where he got a phone call from one of
his staff who was inside the server room. The staff member said,
"Duncan, there is somebody at the door". "Who is it?" asked Duncan.
The response came back, "I don't know, but I am not going to let them
in!"
"It shows people have learned. We all make mistakes and nobody got
chastised or berated," added Kelly.
Last year, infamous hacker Kevin Mitnick told ZDNet Australia that
there was no point spending millions of dollars on the latest hardware
and software to protect corporate networks if it was relatively simple
for the attacker to manipulate staff in order to bypass technical
defences.
"As the attacker, I am going to look for the weakest point where I can
gain access. A security program is made up of people, processes and
technology. Your company could be strong in one area, such as
technology, but its people may not be trained up to recognise where
the bad guys are going to strike. The attackers are going to look for
the easiest way in," said Mitnick.
Two years ago, Gartner described social engineering as "more of a
problem than hacking".
At the time, Rich Mogull, research director for information security
and risk at Gartner, said: "People, by nature, are unpredictable and
susceptible to manipulation and persuasion. Studies show that humans
have certain behavioural tendencies that can be exploited with careful
manipulation.
"Many of the most damaging security penetrations are, and will
continue to be, due to social engineering, not electronic hacking or
cracking," said Mogull.