Industrial threats: how to protect an enterprise from information leakage
Social engineering in the energy enterprise risk system
Today, most enterprises use multi-level information processing systems — computers, cloud storage, corporate networks. All these systems not only transmit data but are also the environment in which that data can leak. In this sense, the energy sector is one of the most sensitive to failures and incidents of all kinds. If a problem arises in any link of the energy supply chain, problems arise for consumers and businesses, and this can lead to serious economic consequences. Specialists of TGC-16 JSC explained how the company addresses security issues.
Social engineering as a phenomenon
Few people today have not heard of social engineering. Although the term itself appeared relatively recently, the phenomenon has accompanied humanity throughout its history. Human weaknesses have always existed and are unlikely to disappear in the foreseeable future, so social engineering will remain a constant threat to the security of any system of which a person is, in one way or another, a part.
There are many definitions of social engineering. It has been described as a set of techniques, methods and technologies for creating the space, conditions and circumstances that most effectively lead to a specific desired result, drawing on sociology and psychology; as a method of gaining unauthorized access to information or to information storage systems without the use of technical means; and even as the science and art of hacking human consciousness. Put simply, social engineering is the exploitation of human weaknesses or imperfections to achieve the social engineer's goals.
A human being is deservedly considered the weakest link in any chain. It is possible to “close” the perimeter by technical means, to apply ideal protocols and security policies, powerful cryptographic tools, certified software and hardware; the notorious “human factor”, however, has not gone away. Why use cinematic hacking techniques to obtain sensitive information if any middle manager involved in a given business process will readily, even gladly, tell the same information to a “new, inexperienced employee of a remote branch”? Here the role of the “hacker” is played by a social engineer, and the object of his “cultivation” (the employee of the company he is interested in) is the vulnerability, the security breach.
Perhaps the most famous social engineer of our time, in the classical sense of the word, is Kevin Mitnick. The world-famous hacker and later security consultant published the book The Art of Deception in 2001; it vividly describes real cases of social engineering and remains relevant to this day despite its age. All of his “professional experience” emphasizes the importance of social engineering as a threat and its superiority in effectiveness over technical methods of influence.
TGC-16 is an energy company supplying heat and power to the largest industrial enterprises of Tatarstan. The importance of smooth operation and a reliable security system at TGC-16 is difficult to overestimate. Therefore, the company pays the most serious attention to security issues, including the prevention of threats carried out by social engineering methods. The increased attention of the state to this area further raises the importance of countering social engineering. Paradoxically, the better the technical channels of penetration are protected, the more attractive the alternative channel, the human factor, becomes for the attacker.
The automated process control systems (APCS) of fuel and energy complex (FEC) enterprises are, as a rule, combined into industrial networks that are in most cases connected to office networks, so influencing energy equipment through an office employee is a very likely scenario, and preventing it requires maximum effort.
In order to resist social engineers successfully, it is necessary to know the methods and techniques they use well. Let us recall some of them.
Without exaggeration, the most famous and popular social engineering technique is phishing.
Usually the social engineer sends the victim a letter disguised as an official message from the corporate mail of a serious organization, such as a bank or a payment system. The letter, as a rule, contains a link to a site that exactly imitates the official one, with all its inherent elements: logos, texts and so on. This site contains a form that, with the best of intentions, asks the visitor to enter sensitive information, for example the PIN code of a bank card.
Phishing has several varieties
Non-existent links. The letter gives a tempting reason to visit the website of a service the victim is a client of, together with a link that only looks like the original. For example, instead of PayPal.com the link reads PayPaI.com, where the lowercase “l” has been replaced with a capital “I”, which looks the same in many fonts.
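As an added illustration (not code from the original article or from TGC-16) of how a mail gateway or security team can catch the look-alike link described above, the following Python script folds characters that are easily confused on screen, such as a capital “I” standing in for a lowercase “l”, and flags links whose host merely resembles a trusted domain. The allow-list, the confusable table and the sample message are all constructed for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample allow-list of domains our mail may legitimately link to.
TRUSTED_DOMAINS = {"paypal.com", "tgc16.example"}

# Characters that read as another letter in many screen fonts. The capital "I"
# of "PayPaI.com" is the page's own example. Case matters, so this table is
# applied BEFORE lower-casing (otherwise "I" would become a harmless "i").
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l",                   # all read as a lowercase L
    "0": "o", "5": "s", "3": "e",                   # digits that read as letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
})

def skeleton(host: str) -> str:
    """Reduce a host name to what the eye sees by folding look-alikes."""
    s = unicodedata.normalize("NFKC", host).translate(CONFUSABLES).lower()
    return s.replace("rn", "m").replace("vv", "w")  # pairs that render as one letter

def host_of(url: str) -> str:
    """Take the host verbatim from netloc: urlsplit().hostname lower-cases it,
    which would erase the capital-I trick before we can inspect it."""
    netloc = urlsplit(url.strip()).netloc.rsplit("@", 1)[-1]  # drop user:pass@
    return netloc.split(":", 1)[0].rstrip(".")                # drop :port, trailing dot

def matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)

def classify_link(url: str) -> str:
    """'trusted': a trusted domain or its subdomain; 'lookalike': not trusted but
    visually collapses onto one; 'unknown': any other external link."""
    host = host_of(url)
    if any(matches(host.lower(), d) for d in TRUSTED_DOMAINS):
        return "trusted"
    if any(matches(skeleton(host), skeleton(d)) for d in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def scan_message(body: str) -> list:
    """Return (url, verdict) pairs for every link found in an e-mail body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(body)]

# Constructed sample phishing text modelled on the page's PayPal example.
SAMPLE_MESSAGE = ("Confirm your details at https://PayPaI.com/login within 24 hours. "
                  "Your statement is at https://www.paypal.com/statements")
```

Running `scan_message(SAMPLE_MESSAGE)` marks the first link as a look-alike and the second as trusted; a real deployment would load the allow-list from the organization's own list of partner domains.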
Fraud using the brands of well-known corporations. These phishing schemes use fake e-mails or websites that carry the names of large or well-known companies. The letter may announce a survey conducted by the company or a prize in a competition, which supposedly requires you to change your credentials or password urgently.
Fake lotteries. The user receives a message about winning a lottery supposedly held by a well-known company. These messages may look as if they were sent by a reputable company official.
False anti-virus and security software. Such fraudulent software, also known as scareware, plays on the user's fear. The programme may look like an antivirus that finds a dangerous virus on the victim's computer and threatens the complete destruction of data unless the victim performs certain actions. The user may encounter such software in the mail, in online ads, on social networks, in search results and even in pop-ups on the computer that mimic system messages.
Voice phishing, or vishing, is named by analogy with phishing. This technique tries to recreate the “official calls” of banking and other IVR systems. Typically the victim is asked (for example, through a phishing e-mail) to call the bank and confirm or update some information. The system requires user authentication by entering a PIN or password, so once the key phrase has been recorded, the attacker can extract the necessary information. For example, the user hears a typical command, “Press 1 to change the password”, follows it, and then follows the prompts to enter the password.
Pretexting is an attack in which the attacker introduces himself as a different person and, following a pre-prepared scenario (the pretext), fishes for confidential information. This attack involves proper preparation, that is, obtaining some initial information in advance in order to talk to the victim without arousing suspicion and to establish confidence in the conversation. It is usually carried out by phone or e-mail.
Quid pro quo
Quid pro quo means “something for something” in Latin. The attacker calls the company's corporate phone number or writes an e-mail. Often the fraudster introduces himself as a technical support officer, asks whether the victim has technical problems at the workplace and, if so, offers to fix them. In the process of “solving” the technical problems, the attacker gets the target to perform actions that allow the attacker to run commands or install software on the victim's computer.
Trojan horse software
This technique exploits the curiosity or greed of the target. The attacker sends an e-mail containing an allegedly important software update, obscene content, or even compromising material on an employee or his colleagues. This tactic is very effective because curiosity is one of the strongest traits of human nature.
Road apple
This is a kind of Trojan horse software where a physical medium is used to deliver the malicious software. The attacker leaves “infected” storage media in publicly accessible places where they can easily be found: toilets, parking lots, canteens, the workplaces of the targeted employees. The media are designed to look like official property of the attacked company or carry a caption that arouses curiosity. For example, a social engineer can drop a flash drive bearing a sticker with the inscription “Management salaries”. The flash drive can be left on the elevator floor or in the lobby.
Collection of information from open sources
Social engineering requires of its practitioners not only a knowledge of psychology but also the ability to collect the necessary information about a person. Social networks are best suited for this. For example, Facebook, Instagram, Vkontakte and Odnoklassniki contain a huge amount of sensitive information that people not only make no attempt to hide but post with pride and pleasure.
Even by restricting access to the information on a social network page, the user cannot be sure that it will never fall into the hands of scammers. For example, a Brazilian computer security researcher has shown that it is possible to become a friend of any Facebook user within 24 hours using social engineering techniques. During the experiment, researcher Nelson Novaes Neto chose a victim and created a fake account of a person from her circle, her boss. First, Neto sent friend requests to the friends of friends of the victim's boss, and then directly to his friends. After 7 and a half hours, the researcher got the victim to add him to her contacts. Thus the researcher gained access to the user's personal information, which she shared only with her friends.
Reverse social engineering
In this case, the victim turns to the attacker for help in solving certain problems and readily gives up the necessary information. To achieve this, the social engineer makes the necessary preparations, for example causing a malfunction on the victim's computer and somehow advertising himself as a person who can solve the problem.
The main thing worth noting is that today most successful attacks on businesses use social engineering to some extent. As for the energy industry, perhaps the largest intrusion in this industry remains the classic case of the planting of the Stuxnet virus in Iran in 2010, when the launch schedule of the Bushehr nuclear power plant was disrupted because 1,368 of the 5,000 centrifuges at the uranium enrichment plant in Natanz were successfully attacked. There are many unknowns in this story, as none of the parties concerned was in a hurry to share the details. But it is clear that it did not happen without social engineering. It is believed that the virus was unintentionally “brought in” on an ordinary flash drive by an employee of Siemens, the contractor on this project (remember the “road apple”?).
Employees of Positive Technologies, in a study conducted in February this year, found that social engineering is used in every third attack. “Phishing of the victim company's employees has already become a proven scheme of attackers in the framework of targeted attacks,” said Alexey Novikov, director of the expert security centre at Positive Technologies. “So, in November 2018, our experts found a malicious attachment in e-mails that allowed the attacker to capture images from webcams, record sound, take screenshots and copy files from media devices. The criminals deftly attracted the recipients' attention using a catchy subject line and a blurred image of the opened file, on which a coat of arms could be seen, so that the document, which contained the necessary script, inspired confidence and the desire to read it. While the victim saw a decoy document on the screen, the remote-management malware Treasure Hunter was being installed on the computer unnoticed by the user; it collected information about the system, sent it to a remote command server and accepted commands from it.”
Ayrat Shagiyev, a specialist of the department of economic security, protection and regime, described the methods of counteracting social engineering used at TGC-16:
“We at TGC-16 are aware of the importance of social engineering threats to business, so we have developed and applied a system to counter these technologies.”
Since people are the key factor in the success of social engineering techniques, it is necessary to increase the awareness of employees. To do this, we periodically conduct interviews and training with the staff.
In order for employees to understand the importance of careful handling of key information, it is necessary to explain to them what the danger of providing it to outsiders is and what consequences the intrusion of a social engineer can entail.
First of all, we work with groups of personnel who have direct contact with the “outside world”: secretaries, specialists of specialized departments, security guards. Moreover, whereas the first three groups communicate with strangers through means of communication (telephone, Internet), the guards have direct contact with social engineers. In this sense, guards are often forgotten; this group is not perceived as being at high risk of attack. Meanwhile, in a casual conversation with a security guard, a social engineer can obtain information that a secretary is unlikely to give him.
Another unobvious but important group is the employees of the finance unit. Their phone numbers and e-mail addresses are usually not publicly available, but they interact directly with business partners, and the impact of a social engineer who introduces himself as a business partner may be the most severe, including financially.
Perhaps the most important point in working with personnel on this topic is the drawing up of competent job instructions and monitoring of their implementation. First of all, the instruction should prevent precisely those threats that can be carried out against specific employees. Here we do not rely entirely on our own knowledge but work in close conjunction with the heads of key departments: we interview them and identify the most vulnerable points, the potential targets of social engineers in relation to a particular group of personnel.
The job instruction should be concise and clear, and the actions of employees should be described very specifically. Through the managers, we communicate to the units the procedure for verifying the identity of the contact, if it is presented by the employee.
In addition to regularly monitoring the execution of the instructions, from time to time we conduct test penetration attempts, for example by phone. This is one of the most effective measures against social engineering, as it allows us not only to check the level of an employee's training but also to obtain additional information about the “pain points” of communication with the outside world.
With regular implementation of such activities, employees develop a certain suspicion of any situation relating to personal data or trade secrets. The employee will think carefully before sharing information with an interlocutor.
Another nuance that is important from the point of view of countering social engineering methods is the need to pay attention to the information posted in open, official sources. It is recommended to monitor carefully that the contact information on the website, on business cards and in the media is not excessive.
For example, telephone directories are often treated carelessly; it does not occur to anyone to protect them, although they are a veritable storehouse of information for scammers. A telephone directory makes it possible not only to find the numbers by which one can contact the staff but also to get an idea of the structure of the organization. Therefore, telephone directories in our organization are included in the list of protected information resources.
In conclusion, I would like to say that although social engineering may seem something elusive, a threat that is difficult to identify and therefore to deal with, one should not be afraid to “get involved” in this topic. Moreover, in today's situation it is necessary to do so. Awareness of the problem and the formulation of the right questions is in itself the key to successfully countering this threat.