New Threats Supplant the “Dirty Dozen”

• By Steven Titch
• Apr 24, 2008

Security organizations must adapt to new threats to enterprise assets that can come from groups and individuals who don’t need to set foot on the property, warns a leading security consultant.

Joseph E. Krull, senior manager of Accenture’s Technology Consulting Security Group, which performs security program consulting, implementation and training for a large share of Fortune 500 companies, said most companies still build their security strategy around the so-called “Dirty Dozen,” a fairly low-tech list of ploys that, although familiar enough to fans of spy thrillers, have been supplanted by new tricks, some of which are remarkably effective while being no more complex than their predecessors. The trouble is, traditional physical security defenses -- perimeter fences, lighting, vaults, badges and CCTV -- are no longer as effective because the intruder can accomplish his task by phone, email or Internet, from as far away as the other side of the globe.

Speaking at a breakout session at the 2008 Texas Regional Infrastructure Security Conference (TRISC) in San Antonio last week, Krull, who has 30 years of experience with corporate and government security, including stints with the U.S. intelligence community, outlined eight new threats that require a change in security approach that emphasizes more specific policies as well as greater education and awareness on the part of all employees.

1. Social engineering. Also known as “pretexting,” Krull says. This involves a caller misrepresenting himself as a customer, vendor or partner in an attempt to access proprietary or guarded information, including usernames and passwords. In addition to education, the best defense is a repeated security reminder than under no circumstances give out username and passwords over the phone, he said.

2. Bogus industry survey. Similar to “pretexting,” here the caller claims to be an intern from a major market research firm and will usually promise a reward of cash or a gift card in return for responses to questions regarding sales, market share, products in development and so on. Best defense, Krull says, is a policy that prohibits any employee from answering a survey without management approval.

3. Trojans, rootkits and keystroke loggers. With greater frequency, these fraud tools are coming masked as attachments, or are being embedded in JavaScript on Web sites. While many organizations have made employees are aware of the danger in opening unknown attachments, Krull said, fraudsters are getting craftier, often hoping to catch an emotionally reactive user click by using a tagline message such as “You’ve been photographed naked on the Internet!” or “Look what we’ve caught you doing!”

4. Spearphishing. This takes phishing, the practice of enticing a user to reveal sensitive information with a phony email claiming to be from a bank or credit card company, to a new level, Krull said. Although it does require some sophistication, spearphishing involves the dummying up of a fake email message from the corporate CEO, usually directing the target to “forward” sensitive company documents or material. The information, of course, is sent to the phisher. Effective prevention is an IT task, involving proper configuration of corporate mail servers, Krull said.

5. “Free” USB Drives. Krull said this low-tech technique, which can be accomplished by simply dropping thumbdrives infected with trojans and keyloggers in parking lots and building lobbies, has proved surprisingly effective. Drives can contain programming to make the PCs directly addressable, or to upload their data to pre-specified location, or initiate a denial-of-service attack. In some of Accenture’s baseline security tests, employees picked up as many as 18 out of 20 USB drives and plugged them in to their office PCs or laptops. Defense is relatively easy: prohibit use of any foreign USB drive.

6. Phony Internet Kiosks. A wireless Internet kiosk, often seen at airports and hotel lobbies, can be acquired on eBay for as little as $500, Krull said. Information thieves, buy the equipment, haul it to a public location, advertise free Internet, and capture usernames and passwords of unsuspecting users. The thieves don’t even have to provide connectivity; they can simply program the kiosk to display a 404 Error page, Krull said. What’s more, users will often continue to enter other usernames and passwords in attempts to reach other sites. After a few days, the thieves return and remove the kiosk, which now contains a trove of sensitive personal data.

7. Rogue Wireless Access. Also known as the “evil twin,” the thief sets up a wireless access point in close proximity to another public WiFi site, say at a coffee shop, airport or hotel lobby. A nearby wireless user then connects through the rogue access point, which collects all the data transmitted back and forth. Krull advised his audience, when using unsecured public WiFi, to avoid accessing sites that require passwords. Companies who know employees must access their networks from the road should incorporate two-factor authentication, he added.

8. Steal the Laptop. Lost or stolen laptops are proving to be the most costly liability in terms of information security, Krull said. Moreover, CEOs and corporate officers are now being targeted. A car break-in that results in a laptop theft may not have been the random smash-and-grab it appears to be. Thieves are going as far a casing their targets to see what type of laptop carrying case they have and purchasing the same model. After that it’s purely old school. Often using a partner, they distract the mark, switch cases and are gone. Good security defenses recognize that some laptops may indeed get stolen, and require full disk encryption, two-factor authentication and use of security tokens, Krull said.

Overall, security tools exist to help counter these intrusion threats, Krull said, but education and policy is critical in bringing defenses up to date. “There must be targeted education for senior management,” he said. “Use short sentences and small words.”