The Human Factor. Why do so many organisations continue to ignore staff awareness and social engineering from penetration testing scopes?

On average, Sec-Tec receives four penetration testing RFQs (Requests for Quotation) a week, from a massive array of organisations, all with different information security goals and objectives. As you would expect, they range from organisations deeply experienced in information security – often with a dedicated security team – to those who are just realising that information security is something that cannot be ignored, and who need quite a bit of help and guidance.

Interestingly, one common factor amongst many of these pen test project scopes is a perceived lack of requirement for social engineering, i.e. the manipulation of staff to facilitate access to the organisation. Let’s be clear: for the price of a throwaway domain name and a rake through LinkedIn, there is (based on our previous assessments) a massive chance that a significant percentage of your staff will yield their account credentials. If you have any Active Directory-authenticated devices at the perimeter (OWA, SSL VPN, SharePoint), then that’s a problem. And even if you don’t, it’s likely that credential reuse is rife. Social engineering is often the simplest, cheapest, fastest way to obtain corporate data, so why do so many security assessment scopes ignore this vital component? Well, the same few responses can be heard time and again:

“We know our end user security awareness is terrible, we will definitely fail.”

Firstly, it’s counterproductive to view your information security efforts, including your penetration tests, with a pass/fail mentality. The real value of any security assessment is that it provides organisations with a mechanism to implement continual improvement. The security landscape is ever changing; you wake up one day and the next Heartbleed, Poodle or Shellshock vulnerability is splashed all over the IT press, and your technical risk has just changed. The measure you used yesterday is no longer useful without amendment; there are new issues/risks/vulnerabilities to consider. The cycle of constant improvement continues. Secondly, if you suspect your staff awareness is lacking, do something about it! There are lots of good options, from corporate videos to onsite bespoke training, that can teach your staff how to spot the dangers, and how to react. It need not be expensive (certainly nowhere near the cost of even a minor breach), and when planned properly, can create an almost immeasurably small drain on staff resources.

“It’s a Human Resources problem.”

Have you agreed that with Human Resources? Is it explicitly documented within your ISMS (Information Security Management System) that undertaking staff security awareness training shall be an HR responsibility? Or is it an assumption that will result in the matter falling between the interdepartmental cracks? It really doesn’t matter which department is responsible, or whose budget is used: the majority of people in the western world, regardless of education, class or culture, do not readily know how to spot the types of attack that are frequently compromising organisations, and certainly do not know how to thwart them. Let’s be realistic: most users aren’t even sure what constitutes a decent password.

“It’s too expensive.”

Due to the nature of the Fat Four auditing firms that have historically delivered these kinds of assessments, I can understand where this perception comes from. However, fast forward to 2015, and a simple social engineering assessment can be undertaken in a couple of days, using automation to record metrics such as click rate, number of passwords obtained, and so on.
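The metrics mentioned above are only useful if they are measured consistently from one exercise to the next, so that the awareness training discussed earlier can be shown to work. The script below is an added example of that aggregation step; it is not Sec-Tec's tooling, and the log format it reads (one `timestamp,user,department,event` line per event, with event one of `sent`, `opened`, `clicked`, `submitted`, `reported`) and the sample data are constructed for illustration. It reports click, credential-submission and report rates per department and overall, counting each recipient once, and also tracks how quickly staff reported the message, which is the metric that improves first when training starts to bite.

```python
"""Aggregate the results of a simulated phishing awareness exercise.

Added example, not the assessment tooling the post describes. The input
format is an assumption: one event per line, "timestamp,user,department,event",
where event is one of sent/opened/clicked/submitted/reported. Rates are per
unique recipient, so a user who clicks twice still counts once.
"""
from collections import defaultdict
from datetime import datetime

EVENTS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample log for illustration (not real campaign data).
SAMPLE_LOG = """\
2015-03-02T09:00:00,alice,finance,sent
2015-03-02T09:00:00,bob,finance,sent
2015-03-02T09:00:00,carol,sales,sent
2015-03-02T09:00:00,dave,sales,sent
2015-03-02T09:00:00,erin,it,sent
2015-03-02T09:04:12,alice,finance,opened
2015-03-02T09:05:30,alice,finance,clicked
2015-03-02T09:06:01,alice,finance,submitted
2015-03-02T09:10:45,bob,finance,opened
2015-03-02T09:11:02,bob,finance,clicked
2015-03-02T09:11:40,bob,finance,clicked
2015-03-02T09:20:00,carol,sales,opened
2015-03-02T09:21:15,carol,sales,reported
2015-03-02T09:30:00,dave,sales,opened
2015-03-02T09:30:50,dave,sales,clicked
2015-03-02T09:31:10,dave,sales,submitted
2015-03-02T09:02:00,erin,it,opened
2015-03-02T09:02:30,erin,it,reported
"""


def parse_log(text):
    """Yield (timestamp, user, department, event) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[3] not in EVENTS:
            continue  # ignore blank or unexpected lines rather than abort the report
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]


def campaign_metrics(text):
    """Return {department: {metric: value}}, plus an "all" roll-up across departments."""
    users = defaultdict(lambda: defaultdict(set))  # dept -> event -> set of users
    sent_at = {}    # user -> when the lure was sent
    report_at = {}  # user -> first time they reported it
    for ts, user, dept, event in parse_log(text):
        users[dept][event].add(user)
        users["all"][event].add(user)
        if event == "sent":
            sent_at[user] = ts
        elif event == "reported":
            report_at.setdefault(user, ts)

    out = {}
    for dept, ev in users.items():
        sent = len(ev["sent"])
        if sent == 0:
            continue
        # Anyone who submitted credentials necessarily followed the link, so
        # count them as a click even if the click event itself was not logged.
        clicked = ev["clicked"] | ev["submitted"]
        # Seconds from send to first report, for those who reported.
        secs = sorted((report_at[u] - sent_at[u]).total_seconds()
                      for u in ev["reported"] if u in sent_at and u in report_at)
        out[dept] = {
            "sent": sent,
            "click_rate": len(clicked) / sent,
            "submit_rate": len(ev["submitted"]) / sent,
            "report_rate": len(ev["reported"]) / sent,
            # upper median, or None when nobody in the group reported
            "median_report_seconds": secs[len(secs) // 2] if secs else None,
        }
    return out


if __name__ == "__main__":
    for dept, m in sorted(campaign_metrics(SAMPLE_LOG).items()):
        print(f"{dept:8s} sent={m['sent']:3d} click={m['click_rate']:.0%} "
              f"submit={m['submit_rate']:.0%} report={m['report_rate']:.0%}")
```

Run as-is to see the per-department table for the constructed data; in practice the same function is pointed at each exercise's export and the rates are tracked over time, since a falling submission rate and a rising report rate are the evidence that the training budget is being spent well.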

In summary

An attacker will, just like electricity or water, take the shortest path. This may not be the path you envisage, or are interested in, but it’s the path you should be concentrating on. When assessing your information security, it’s easy to see it as an “IT problem”, but it isn’t; it’s an organisational problem that spans every department, every remit and every level within the organisation. The one thing all of those departments and levels have in common is people. Adding a basic social engineering component to your penetration testing scope can demonstrate currently unconsidered attack paths into your organisation, and need not cost the earth.