Vut2 Task 1

Submitted By jay320
To: Boss

From: Brandon Moore

Date: August 1, 2011

Subject: Social Engineering Attack on the Company

Recently several of our users have reported that their computers have become slow. Not coincidentally, each of these users had also received a suspicious email reporting a problem with a particular item on the company website. The email contained a URL which, when clicked, took the user to a page on which nothing appeared out of the ordinary.

It is my conclusion that these two events are connected: the users have contracted a computer virus, specifically a Trojan, which gives the attacker access to the computer systems it infects.

The attacker accomplished this by manipulating our employees into believing a customer had a legitimate issue to raise with the company. Once they clicked on the link in the email, they were likely directed either to a site that appeared identical to the company’s website, or to another site which downloaded the virus and then quickly redirected them to a legitimate page before they would notice anything wrong.

Additionally, the email that contained the malicious URL had a made-up address configured as its “Reply-To”, so that any attempt by a user to reply would go nowhere.
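The two indicators described above (a Reply-To that does not match the sender, and a link whose visible text is the company site while its real destination is elsewhere) can be checked mechanically before a message reaches a user. The following is an added example, not part of the original memo: a small Python script that parses a constructed sample message and reports both findings. The company domain, the sample addresses and the placeholder attacker host are all made up for the illustration, and the registrable-domain helper is a deliberate approximation (last two labels) that would need a public-suffix list for domains such as co.uk.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the memo's description: a complaint
# about a product page, a link whose visible text is the company site, and a
# Reply-To that goes nowhere. Every address and domain here is made up.
SAMPLE_EMAIL = """\
From: Customer Support <support@example-company.com>
Reply-To: noreply-7731@mail-bounce-placeholder.invalid
To: employee@example-company.com
Subject: Problem with an item on your website
Content-Type: text/html; charset="utf-8"

<html><body>
<p>There is an error on this product page:
<a href="http://example-company.com.attacker-placeholder.invalid/item/42">
http://www.example-company.com/item/42</a></p>
</body></html>
"""

COMPANY_DOMAIN = "example-company.com"  # assumed company domain for the example


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    This is an assumption that holds for .com-style names only."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_address(header_value):
    """Return the domain part of an RFC 5322 address header, or '' if absent."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyse_message(raw, company_domain=COMPANY_DOMAIN):
    """Return a list of human-readable findings that make the message suspect."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Finding 1: Reply-To routes replies somewhere other than the sender.
    from_domain = domain_of_address(msg["From"])
    reply_domain = domain_of_address(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"reply-to domain {reply_domain!r} differs from from domain {from_domain!r}")

    # Finding 2 and 3: the link's visible text and its real target disagree,
    # and the real target merely embeds the company name in a foreign domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname or ""  # visible text may itself be a URL
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(
                f"link text points at {text_host!r} but href goes to {href_host!r}")
        if company_domain in href_host and registrable_domain(href_host) != company_domain:
            findings.append(f"href host {href_host!r} only imitates {company_domain!r}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_EMAIL):
        print("SUSPECT:", finding)
```

Run as-is it prints three findings for the constructed message; pointed at a real mailbox export, `analyse_message` would be called once per message and the findings fed to whatever quarantine or alerting process the mail gateway already has.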

In conclusion, the actions that ultimately took place are as follows:

- Users received an email that appeared to be legitimate, but instead came from an attacker looking to gain access into the company's network.
- The link contained in the email, once clicked, was the main factor in these computers contracting the virus.
- The virus is likely a Trojan, which means the attacker likely has access to the machines and the data on them.
- The “Reply-To” address does not belong to any person or machine.

Security Recommendations

In response to this attack, it would be wise to evaluate how it occurred and what actions can be taken to prevent a similar attack from happening again. After personally reviewing the facts of the matter, I have derived the following recommendations to help prevent future incidents.

First and foremost, there needs to be an information security awareness training session performed regularly within the company. The training should cover when to question an email they receive, a stranger they see around the building, or a phone call they receive, and should include tips for detecting an impersonation attempt. Examples of ways to combat impersonation are: calling a company or entity back on a published phone line to verify the identity of a stranger posing as a contractor, contacting a manager when a stranger claims to work with the organization, and not clicking on any URLs in unexpected emails.

Second, an intrusion detection system (IDS) should be installed on the network. An IDS can be configured to look for anomalies in network traffic. This particular case likely involved data being transmitted to the attacker, or the attacker may even have gained remote access. Since such traffic would be considered “out of the norm”, an IDS would raise an alert that could be inspected further. Even if an attacker had already gained access to the network or data, the activity could then be shut down sooner rather than later.
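To make the “out of the norm” idea concrete, here is an added example that is not part of the original memo: a Python script that reads constructed outbound flow records (source, destination, bytes sent), totals the bytes each office workstation sends to external addresses, and flags any host whose volume is far above the median of its peers. The 10.0.0.0/24 office range, the sample addresses and the 10x-median threshold are assumptions chosen for the illustration; a production IDS would baseline per host over time rather than across hosts at one instant.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed flow-log lines: "src dst bytes_out" per line, not real captures.
# Four workstations fetch a normal-looking amount from one external web host;
# a fifth pushes roughly 160 MB to an address nobody else talks to.
SAMPLE_FLOWS = """\
10.0.0.11 93.184.216.34 1200
10.0.0.11 93.184.216.34 800
10.0.0.12 93.184.216.34 950
10.0.0.13 93.184.216.34 1100
10.0.0.14 93.184.216.34 1000
10.0.0.15 203.0.113.77 51200000
10.0.0.15 203.0.113.77 48700000
10.0.0.15 203.0.113.77 60100000
"""

INTERNAL = ip_network("10.0.0.0/24")  # assumed office LAN range


def parse_flows(text):
    """Parse 'src dst bytes' lines into (IPv4Address, IPv4Address, int) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, nbytes = line.split()
        flows.append((ip_address(src), ip_address(dst), int(nbytes)))
    return flows


def outbound_bytes_per_host(flows):
    """Sum bytes sent by each internal host to addresses outside the LAN."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if src in INTERNAL and dst not in INTERNAL:
            totals[str(src)] += nbytes
    return dict(totals)


def external_peers_per_host(flows):
    """Map each internal host to the set of external addresses it contacted."""
    peers = defaultdict(set)
    for src, dst, _ in flows:
        if src in INTERNAL and dst not in INTERNAL:
            peers[str(src)].add(str(dst))
    return dict(peers)


def flag_outliers(totals, factor=10):
    """Return hosts whose outbound volume exceeds factor x the median volume.
    With fewer than three hosts there is no meaningful baseline, so nothing is flagged."""
    if len(totals) < 3:
        return []
    baseline = median(totals.values())
    return sorted(host for host, total in totals.items() if total > factor * baseline)


def rare_destinations(peers):
    """Return (host, destination) pairs where only that one host talks to the destination."""
    seen_by = defaultdict(set)
    for host, dsts in peers.items():
        for dst in dsts:
            seen_by[dst].add(host)
    return sorted((next(iter(hosts)), dst) for dst, hosts in seen_by.items() if len(hosts) == 1)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    totals = outbound_bytes_per_host(flows)
    for host in flag_outliers(totals):
        print(f"ALERT volume: {host} sent {totals[host]} bytes externally")
    for host, dst in rare_destinations(external_peers_per_host(flows)):
        print(f"ALERT rare peer: only {host} talks to {dst}")
```

Two independent signals are used on purpose: a volume outlier on its own could be a legitimate backup, and a rare destination on its own could be one user's webmail, but a host that is both the only one talking to an address and the one sending far more than everyone else is exactly the case the memo describes and deserves an analyst's attention.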

Third, users should only access their computers from a limited user account. This would allow sensitive data to be encrypted so that only Administrator access can reach it. If a user does get a virus, that virus will be confined to the user's limited access and will not have default access to the encrypted files.

Lastly, each user should have anti-virus installed and set to update automatically. Although a virus, and particularly the Trojan involved in the attack in question, can change its signature to evade anti-virus detection, anti-virus still adds a last line of defense before infection.

Auditing the Social Engineering Vulnerability

The above security measures would be further complemented by a regularly scheduled audit of individuals' access to sensitive data and the network via social engineering means. This would be an audit unlike any other in that it would test employees' responses to queries from strangers. As an employee of the company I would not be a suitable candidate to perform this type of audit, so I would seek out a professional security consultant capable of thoroughly auditing the company in this manner.

To begin with, I would ask this contracted security consulting firm to perform the following tasks:

- Determine whether employees are vulnerable to impersonation or any other social engineering attacks, including, but not limited to, phishing, pretexting, or quid pro quo attacks.
- Test physical security to all areas of the company's building, specifically noting potential flaws that attackers could take advantage of.
- Collect data from third-party sites such as Google Newsgroups to determine whether any sensitive data is available that would aid in an attack on the company.
- Conduct an after-hours access test to determine whether access can be gained outside of normal business hours.
- Finally, in any situation where some level of access is granted, the auditors should look for ways in which passwords or other data useful to an attacker could be gathered, and for areas vulnerable to devices being placed on the network to facilitate an attack.

As the audit is performed, any data gathered should be used by the auditor to extend their access into unauthorized areas. For example, as names of employees, expected shipments, or scheduled maintenance work are discovered, the auditor should use this information to gain access. In addition, no employee should be excluded as a possible target of a social engineering attempt of the kind described above.

A second type of social engineering attack, one that cannot be performed by a stranger, is that of an employee looking to obtain greater access in order to perform malicious activities. This type of attack is one that I, as an employee of the company, would perform with written approval. The reason is that having a familiar face and being known as a fellow employee yields different social engineering opportunities than those available to a stranger.

The audit performed in this manner would need to include the following techniques:

- Shoulder surfing
- Tailgating
- Phishing for technical help from other users and asking for passwords to assist in resolving technical issues
- Gaining access to unlocked computers, which can be achieved by directing people away from their machines using scenarios such as donuts in the break room
