In a recent blog and briefing, Hank Marquis considers the pros and cons in the use of social media like Facebook and Twitter to augment or replace IT technical support functions, by creating a community of users that can support themselves. While the notion of self-service via social media seems to be an easy and cost-effective method of serving a large community, Hank correctly points out many of the shortcomings and drawbacks to replacing a formal technical support function with a self-organizing community.
Using social media to address technical support issues can result in multiple answers being given, leading to a lack of correctness, inaccurate answers, and a loss of organizational knowledge capture resulting from ad-hoc methods. It can also reduce the productivity of the IT organization as well as users, as they attempt to use crowd-sourcing to get answers to support questions.
Another drawback, and a potentially very serious concern, is an increased potential for social engineering attacks. Social engineering is the ability "to manipulate people, by deception, into giving out information, or performing an action".
One of the favorite targets for social engineers is the IT helpdesk staff as outlined in Kevin Mitnick's book "The Art of Deception". The helpdesk or IT support group's main function is to "help people" in their use of corporate IT applications and services. Social engineers will create a ruse and use the support center personnel to aid in their attempt to bypass security. This is why a solid identity management and authentication function is required in providing IT support services in accordance with best practice standards like ITIL.
The use of social media to augment or replace IT Technical Support opens at least two possible social engineering attacks, due to a lack of identity management. First, it makes it easier for an outsider to masquerade as an employee or authorized user and request the support of the community. By simply monitoring the community dialog, an outsider will be able to learn the "lingo" and develop his alternative personality as an "insider" for further attacks.
In the second scenario, a skilled social engineer can adopt the persona of a Tech Support expert and guide unsuspecting users into revealing passwords, access codes, and/or the location of sensitive information.
In my view, the current social media platforms lack the strong identity management and authentication mechanisms needed for providing critical IT Technical Support Services.
A recent event in the U.S. demonstrates a blatant and amateur attempt at social engineering. This case involves an independent and conservative investigative reporter, or depending on your perspective, an activist, James O'Keefe and three other associates. O'Keefe is known for successfully infiltrating political organizations like ACORN, posing in various undercover roles to expose information, wrongdoings, and the like, using classic social engineering tactics.
The latest event involving the district office of U.S. Senator Mary Landrieu of Louisiana has been widely covered in the media, including articles at CNN and FoxNews, and many others. A brief quotation from the article at CNN illustrates the social engineering tactics that were used:
The two men were "each dressed in blue denim pants, a blue work shirt, a light green fluorescent vest, a tool belt and a construction-style hard hat when they entered the Hale Boggs Federal Building," the release noted.
After they entered the building, the two men told a staffer in Landrieu's office they were telephone repairmen, according to the release and Rayes' affidavit. They asked for -- and were granted -- access to the reception desk's phone system.
O'Keefe, who had been waiting in the office before the pair arrived, recorded their actions with a cell phone, said the affidavit by Rayes.
Flanagan and Basel later requested access to a telephone closet, claiming they needed to perform work on the main phone system, the release and affidavit stated.
According to Rayes' affidavit, the two men went to a U.S. General Services Administration office on another floor and requested access to the main phone system. A GSA employee then asked for their credentials, and the two men said they left them in their vehicle, the affidavit said.
Whatever the aims of O'Keefe and his associates, they are currently being charged with entering (a federal) office under "false pretenses for the purpose of committing a felony."
However, this story sounds like it might have come straight from Kevin Mitnick's book "The Art of Deception". The one difference is that these men appear to be amateurs in the field of social engineering. Why? They got caught. And, to me, the reason seems to be that they did not "do their homework" to prepare for unforeseen circumstances (i.e. being asked to show credentials).
The lesson to be learned from this (for those in IT and security) is that the senator's office appears to have done an adequate job in training its staff and employees with proper procedures and security awareness to spot and avert social engineering attacks. The staff involved did not fall blindly for the ruse posed by the workmen's overalls and hardhats that appeared to make them look like telephone service personnel. Rather, they were sent to the proper office (General Services Administration) and once there, they were asked to show proper credentials.
The result? BUSTED !!!
Even if the two men posing as telephone repairmen had obtained false credentials, I would hope that the GSA employee would have checked to ensure that "maintenance had been scheduled", or called their telephone service providers to verify the employment and activities of the two men.
And to borrow the subtitle of Kevin Mitnick's book again, that is how you "Control the Human Element of Security".
In the past year or so, your employer, like mine, may have REQUIRED you to attend some form of security awareness training. This training is often delivered through some form of web-based self study, often an interactive video with case studies and interactive Q&A. And they're about as enjoyable as a dental cleaning.
Seriously, there are two groups of people that attend these security awareness training courses - 1) those with a background in risk management, compliance and information assurance, and 2) the rest of us. If you fall in the "rest of us" camp, you probably endure the 30 to 90 minutes required to complete this training and come away thinking "That was a waste of time".
The scenarios and admonishments to "never give out your password", "do not divulge 'confidential' information", and "protect personally identifiable information" - all seem basic. Most of us think, "Of course, I know that". I did too.
Lately, I've been doing some self-study in the fields of security, privacy, cryptography, etc. A colleague suggested also studying the art of social engineering and provided his copy of Kevin Mitnick's book "The Art of Deception". The main premise of Mitnick's book is that a good social engineer can overcome any security technology that is in place, and he therefore subtitled his work with "Controlling the Human Element of Security". Throughout the book there are a "series of tales of how some old-fashioned blarney and high-tech skills can pry any information from anyone".
Most of us, myself included, simply do not believe that we are prone to social engineering, or high-tech digital con artists. "I'm too smart, or too savvy, to be taken in by something like that" we often believe. But think again. A social engineer learns enough of the lingo, traits and inside information to pass himself off as an insider and then he goes to work on his "mark".
Here's one scam that could take in many people. After the social engineer gets enough inside information on your company's payroll department, or its outsourced provider, he calls you on the phone and the con goes something like this, only with realistic names and corporate lingo inserted.
"Hello, first-name last-name, this is John Doe. I'm an audit and control supervisor with the payroll-department. I'm calling to let you know that we will have to manually process your direct deposit change request as we had system problems last night. I want you to know that we will be making the change that you requested but it could take a few days. Is that OK?"
Of course, you never requested a change to your direct deposit, and your likely reaction will be one of rage followed by fear that you will not receive your upcoming pay. Most people will have a semi-violent reaction, or at least will go into a state of panic and frenzy. This is exactly what the social engineer (con artist) wants. Now, you're not thinking clearly and, to you, you've got a major problem going on. The rest of the con has the social engineer assuring you that he can correct it and he wants to help. Now, he is your 'friend'.
He then asks if your social security number is 123-45-6789 (he has the right one; it's not hard to find). He verifies your employment number (again he has the right one). He may also give your department, manager name, date-of-birth - all of which he could have gotten through subtle tactics. And now that he has established "trust" he asks:
"I'm showing your deposit at bank routing number 123 with a destination account of 456 - is that correct? No.... ok what should it be then?"
Moral: Read Mitnick's book and at least pay attention the next time that security awareness training comes around.