OSI: Securing the Stack, Layer 8 -- Social engineering and security policy

Other tips in this series have examined the seven-layer OSI model from the perspective of security. Although security was not the No. 1 goal of the designers of the OSI model, the idea behind these tips was to highlight the importance of adding security at each layer to get the reader to consider the concept of defense in depth. Now that we have completed the seventh layer, some may think we are through. The OSI model is a framework for data communications, but does security stop there? No, there is the mythical eighth layer. While not included in the OSI model, this human layer does exist. The eighth layer is the layer at which technology interfaces with people. The eighth layer deals with people and policies. Let's begin by talking about people.

Willie Sutton, one of America's most notorious bank robbers, is supposed to have said, "I rob banks because that's where the money is." Hackers attack computers because that's where the information is. But where else can this kind of information be found? Where can an attacker go for information where it won't be protected by firewalls, IDSs and IPSs? The answer is -- people! By some estimates, 80% of a corporation's knowledge resides in the heads of its people. That's good for the attacker because people -- without proper training -- can be easier targets than computer systems. The primary means by which people are exploited is through social engineering.

Social engineering is the art of manipulating. One of the best-known social engineers is Kevin Mitnick. His book, The Art of Deception, details the techniques social engineers use. These techniques can be carried out in person, on the phone, or even by email. Regardless of how the victim is approached, the social engineer will typically use one of the following six techniques:

• Authority: The social engineer portrays himself as being in a position of authority, so employees are likely to comply with his requests.

• Liking: The social engineer will appear as a likable person and, typically, people want to do things for people they like.

• Reciprocation: When someone gives us a gift or does us a favor, we want to give something in return. Studies have shown that people will give something valuable in return for something of much lesser value, such as a pen or keychain.

• Consistency: People want to behave in ways that are consistent with their values, and especially with their public statements of those values.

• Social validation: People want to belong and be accepted. The best way to belong is to be like others.

• Scarcity: People want things that are in short supply or available for only a short time. You might put off acquiring something your whole life if you believe that it will always be available, but if you believe that your opportunity to acquire that particular thing may irrevocably disappear, you'll be motivated to acquire it now.

Security training

As logical controls such as firewalls become more advanced, hackers look for easier means of attack. Just consider the increase in the many new targeted phishing attacks known as spear phishing. The best defense against social engineering is to make sure employees are trained and aware of such potential attacks. You can help educate your employees using one or more of the following:

• A security newsletter on paper or in email
• Posters in the common area
• Contests that reward employees for positive behavior with respect to security
• Banner messages that appear when users log onto their computers or when they start a specific program such as email

Security policy

The second line of Layer 8 defense is policy. Establishing security policies, guidelines and procedures is a critical step in securing an organization against an attack. The lack of well-designed, viable security polices and documents is one of the biggest vulnerabilities many organizations have. Policies put everyone on the same page and make it clear where senior management stands on policy issues. They also set the overall tone and define how security is perceived by those within an organization.

Policy enforcement must flow from the top of the organization. Bill Gates gave us a good example of this back in 2002 when he wrote a memo addressed to all employees. In this memo, Gates spoke about how security was to become Microsoft's No. 1 priority. What's most important about this story is that Gates did more than just state that security was the objective; he provided a strategic roadmap that detailed how security goals would be met. These changes can be seen in products that have been developed since the memo. Good policies and procedures are not effective if they are not taught and reinforced to the employees. Employees must be trained so that they understand the importance of security policies and procedures. Finally, after receiving training, the employees should sign a statement acknowledging that they understand the policies.

People are an organization's most valuable asset, but they can also be its greatest vulnerability. To reduce the threat of social engineering, employees must be trained to make sure they are knowledgeable about the threats they face. Employees don't automatically know good procedures and practices. Policies define the specific controls and conditions developed to help protect a company's assets and its ability to conduct business.

About the author: Michael Gregg has more than 15 years of experience in IT. He is the president of Superior Solutions Inc., a Houston-based training and consulting firm. Michael is an expert on networking, security and Internet technologies. He holds two associate degrees, a bachelor's degree and a master's degree. He presently maintains the following certifications: MCSE, MCT, CTT, A+, N+, CNA, CCNA, CIW Security Analyst and TICSA.