THE CHANGING LANDSCAPE OF PENETRATION TESTING
There are constants that extend from the beginning of time... unfortunately one of the more prevalent ones is that where there are goods to steal, there are thieves. This adage has applied to brick-and-mortar businesses of all types and sizes. However, it is even more relevant in the evolving digital realm. Virtual thieves, attackers and even accidental mishaps have posed a significant threat to information assets since the dawn of technology. To understand potential exposures and protect corporate assets, businesses perform vulnerability assessments and penetration tests against their infrastructure. The purpose of these tests is to mimic real-world attacks so that informed decisions can be made before malicious users cause harm.
In this article VIOPONT provides insight into how traditional attacks have evolved in today's world... and why it is important for security professionals to keep up with the trends and adapt their own security testing. We acknowledge the key role Web Application Testing plays in an overall penetration testing strategy, but have excluded it from this content because the focus of this article is on exploitable network vulnerabilities. Future articles will be dedicated to changes and trends in the Web Application space.
THE TRADITIONAL APPROACH
From a historical perspective, traditional technology testing exercises were limited to using scanning tools to identify open ports and services at the network layer. Once open ports were identified, focus would shift to understanding the potential impact and exposure so that vulnerabilities could be remediated before an incident occurred. Numerous remotely exploitable vulnerabilities in external-facing Windows NT or 2000 servers motivated organizations to introduce defenses and countermeasures beyond the network layer to protect vulnerable systems. However, with advances in the development of more secure operating systems and perimeter defense technologies, the landscape of traditional remotely exploitable systems and network layer attacks has changed. Malicious users have also realized that remotely exploitable vulnerabilities no longer provide the efficient means of obtaining results that they once did. This reality is evidenced by the fact that remote vulnerabilities are not as pervasive in today's technology landscape, which means that attempts to penetrate the perimeter (short of brute forcing authentication or finding a rare remote vulnerability) are usually defeated rather quickly.
Another traditional attack on information assets is social engineering. Social engineering is one of the oldest and most common attack techniques, as it requires virtually no technology to employ. The art of social engineering has existed for as long as humans have interacted with each other and relies heavily on trickery and deceit. These kinds of attacks have been known throughout the security domain for decades, and security practitioners worldwide often evangelize the success rate that social engineering tests achieve across a large number of business environments. The success rate is traditionally high because social engineering bypasses technology and instead exploits human nature and the desire to help others. Techniques involve establishing a brief trust relationship between the attacker and the victim. The attacker may use the telephone or an in-person guise to convince the user to provide access to a computer system or even credentials for remote systems. End users are highly susceptible to these attacks if they have not received proper awareness training for these scenarios.
It is important to note that neither the traditional network attack nor the social engineering attack should be abandoned as part of an overall holistic testing strategy. Stakeholders should also be aware, however, that neither of these attack scenarios is the primary focus for many motivated attackers in today's world. Instead, an interesting convergence of several vectors has surfaced, due in large part to the rapid evolution of social media technologies. Social networking sites and the way we exchange data have accelerated the spread of information globally. Reconnaissance is easier than ever for most motivated attackers, and sites such as Facebook, Myspace, LinkedIn, Twitter and even IT-related forums offer easy, fast access to several pieces of information that can be pieced together with minimal effort.
THE ERA OF SOCIAL NETWORKING
With access to social networking utilities, harvesting email addresses, company information, employee information, birth dates, org charts, culture, political affiliations, outside interests and other information can be completed in minutes. The types of information available allow an attacker to put together a compelling guise and effectively circumvent employees through traditional social engineering attacks alone. However, when coupled with a highly targeted email message (referred to as spear phishing or a client-side attack), an attacker can exploit a vector that has traditionally gone untested and unmitigated. Because sites such as LinkedIn or even Facebook can be used for legitimate business purposes, policies for some organizations may be at a crossroads with regard to allowing or blocking these types of sites. This dilemma includes allowing the use of these sites on company-owned assets during business hours. Because of this gray area, attackers may hide their intent within deceitful emails that appear to originate from the very sites from which they gathered the information. Bogus Facebook, LinkedIn and similar emails have been highly successful in luring employees into clicking crafted links or executing attachments. We realize that phishing has been around for quite some time, but the sheer ease with which a highly effective phishing campaign can be put together is alarming.
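The lures described above tend to share two traits a defender can check for mechanically: the mail names a brand (LinkedIn, Facebook) but is not sent from that brand's domain, and the visible link text shows one domain while the href points to another. The following is an added triage example, not code from the original article or from VIOPONT; the sample message, the brand-to-domain table and the lookalike domains in it are constructed for the example, and the registrable-domain helper is a deliberate approximation that does not consult a public suffix list.

```python
"""Heuristic triage of notification-style phishing lures (example code)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "LinkedIn invite". The sender and link hosts
# are placeholder lookalike domains, not real infrastructure.
SAMPLE_LURE = """\
From: LinkedIn Invitations <invitations@linkedin.com.example-lookalike.test>
To: jane.doe@corp.example
Subject: Jane, Bob Smith wants to connect on LinkedIn
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi Jane, Bob Smith (your colleague at Corp) has invited you to connect.</p>
<p><a href="http://login-linkedin.example.test/invite?id=123">https://www.linkedin.com/invite/accept</a></p>
<p><a href="https://www.linkedin.com/help">Help</a></p>
</body></html>
"""

# Constructed sample of a notice that should produce no findings.
CLEAN_NOTICE = """\
From: IT Helpdesk <helpdesk@corp.example>
To: jane.doe@corp.example
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.corp.example/status">intranet.corp.example/status</a>.</p></body></html>
"""

# Legitimate sender domains for commonly impersonated brands (constructed list;
# a real deployment would maintain and extend this).
BRAND_DOMAINS = {"linkedin": "linkedin.com", "facebook": "facebook.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (no PSL)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(text):
    """Return the registrable domain if text looks like a URL or host, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return registrable_domain(host)
    return None


def triage_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = str(msg.get("From", ""))
    sender_host = sender.rsplit("@", 1)[-1].rstrip(">").strip()
    sender_domain = registrable_domain(sender_host)
    subject = str(msg.get("Subject", "")).lower()
    # Brand named in the subject or sender, but mail not from the brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if (brand in subject or brand in sender_host.lower()) and sender_domain != legit:
            findings.append(f"sender {sender_host} claims {brand} but is not {legit}")
    # Visible link text shows one domain while the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            shown, actual = domain_of(text), domain_of(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("clean", CLEAN_NOTICE)):
        print(label, triage_message(sample) or ["no findings"])
```

Run on the constructed lure this reports both the lookalike sender and the mismatched link; the clean notice produces nothing. The checks are deliberately simple so they can be read in full, which is also why the false-negative space is obvious: a lure that uses bare text such as "Click here" instead of a URL in the link body passes the second check, and a freshly registered brand-free sender domain passes the first, so this kind of heuristic belongs alongside mail authentication and user reporting rather than in place of them.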
Attackers also know that IT stakeholders are often bogged down with deploying patches to the infrastructure. Remotely exploitable vulnerabilities have traditionally been so damaging that patching operating systems and moving away from older, vulnerable technologies has become a critical priority that consumes IT resources. With resources heavily focused on perimeter technologies and infrastructure, desktop software often lags behind on patch levels; but desktop software is not free from exploitable vulnerabilities. Microsoft Office, Adobe Acrobat, Firefox, Internet Explorer and several other common desktop applications may remain unpatched well beyond the date that vulnerability alerts are made public. These suites can contain critical vulnerabilities that allow attackers to prosper once they have circumvented the hardened external perimeter by way of targeted spear phishing campaigns. A seemingly harmless PDF file, a fake LinkedIn invite full of malicious URLs and many other lures can trick users because they carry highly personalized messages. Taking advantage of unpatched desktop software and capitalizing on the social media frenzy are two things that, when combined, can have very severe consequences and present a much easier path to compromising an end user's desktop machine than would previously have been possible.
FUTURE CONSIDERATIONS
Security stakeholders must recognize that the convergence of these attack vectors and the pervasiveness of mobile devices and social media have rapidly evolved, and penetration testers should include these attack vectors as part of the overall testing strategy. Many stakeholders may resign themselves to the fact that social engineering vectors will be successful, but testers should still conduct these exercises to learn whether spam filters, anti-virus clients and other technology defenses (in addition to the obvious human element) are working properly. Publishing your own test results to the end-user community as part of the general awareness program can be a powerful motivator as well.
Lastly, the spread of information these days is not limited to a reconnaissance activity. Increasing volumes of information, coupled with the ability of employees and friends to communicate instantly, create the need for reputation risk management as a component of a comprehensive security program. Although reputation risk is not a traditional information security domain practice, management stakeholders may consider adding reconnaissance for reputation-related items to the scope of testing. Social networking status updates, forums, online postings, blogs and other public information may be valuable to attackers, but they may also negatively affect a business directly. Airing grievances, posting negative information or photographs, and inadvertently releasing trade secrets or competitive intelligence are becoming very real threats as well. This variable underscores the evolving nature of communications in general; it should also motivate testers to think of new and creative ways to provide ongoing value for testing and for overall risk management decision making.