Social Engineering and Phishing Case Study
A regional financial institution was concerned about the effectiveness of its information security awareness training program. The organization had appropriate policies and procedures, which employees were required to read and sign each year. It held monthly staff meetings at which information security was always a topic of discussion. Emails discussing recent security issues in the news were sent to all employees on a regular basis, and posters carrying information security messages had been placed in strategic locations such as break rooms. The organization, however, had no way of determining the effectiveness of this well-thought-out program.
TrustCC was engaged to evaluate the effectiveness of their information security program. Through consultation with management, it was determined that the best way to measure the effectiveness of their program would be to test it through Social Engineering (as Kevin Mitnick, the famed hacker turned security consultant describes it in his book The Art of Deception – getting people to do things they normally wouldn’t do for a stranger).
We set out to test the client’s awareness program in two ways: through physical engagement and through email Phishing.
Physical Security Breach
The client’s web site and other information on the Internet were scoured to identify the key players in the organization – namely, the IT manager and the Chief Information Officer. We then used the information gathered from the Internet to masquerade as members of the IT department to gain access to sensitive areas of the client’s branch offices. The script went something like this:
TrustCC to branch personnel: Hi, my name is Dave. I’m working for the IT department and have been called in to help troubleshoot your slow network connection to the main office.
Branch personnel: Oh, thank god they finally sent someone; it’s been slow for months. What do you need? (branch networks are never fast enough)
TrustCC: We just need access to your wiring closet so that we can monitor the link.
TrustCC: No problem. The tests shouldn’t take more than 30 minutes (we then sign in using a fictitious name).
We are then escorted to the wiring closet where we are left alone to do whatever we want. A secure wireless access point is plugged into the branch switch and within 5 minutes we tell them that we’ve identified the problem and will work to resolve the issue over the next week or so. After leaving the building we proceed to our vehicle in the branch parking lot to connect to the wireless access point we had planted, breaking into their systems from their own internal network.
This phase of testing was successful at four of the five locations tested. The organization had well-defined procedures for access to secure areas, but they were followed at only one location.
Email Phishing
Meanwhile, TrustCC security engineers were setting up the email phishing campaign. Email addresses were gathered from various postings on the Internet, including newsgroups, DNS records, and other unrelated web sites. In total, more than 70 email addresses were gathered. Through port scanning, it was discovered that the organization used a web-based interface for remote access to their email. TrustCC engineers duplicated the web site on one of our servers.
An email was then sent purporting to be from the CIO stating that the organization had recently upgraded their email infrastructure to accommodate the constantly increasing volume of email. The message went on to state that in order to complete the migration process, the users would need to log into their mail accounts via the web interface. A link to the web mail interface was provided. The message went through all of the organization’s filtering applications and was delivered to the unsuspecting users’ mail boxes.
Within 30 minutes, more than 40 people had responded to the message and entered their actual usernames and passwords into our hostile server. With the usernames and passwords, we were then able to connect to the organization's VPN and proceed to compromise their systems from their internal network.
Conclusion
The response from the client was overwhelming. Six months later a follow-up test was conducted, and the organization followed their procedures for physical access to secure areas without exception. The phishing exercise was also conducted again, and only a handful of personnel responded to the email; these were mostly new employees who had not yet been through the half-day training. The organization integrated the TrustCC presentation into their awareness program and has engaged TrustCC to present on a regular basis to maintain organizational awareness.