BOL Conferences
#1097767 - 12/16/08 02:21 PM Social Engineering Testing??
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
Our management team and board of directors feel it is important for us to do some testing to determine our exposure to social engineering - through various scenarios (in person at our facilities, over the phone, etc.). Does anyone have a program for doing this type of testing? Also, has anyone outsourced this type of testing to an auditing firm? Any discussion on this topic would be appreciated.

#1097784 - 12/16/08 02:40 PM Re: Social Engineering Testing?? ndbanker
homestar Offline
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
Just curious, why do you feel it's important to do this testing? Have you had some problems in this area? Are you going to let your folks know you're going to do the testing? Is Human Resources on board with the testing? Call me conservative, but I'd tread lightly and get some legal advice before pushing too far ahead with this.
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#1097812 - 12/16/08 03:04 PM Re: Social Engineering Testing?? homestar
#Just Jay Online
10K Club
#Just Jay
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
IT (with senior management approval) coordinated ours through Jefferson Wells.

It was an eye opener. Variety of tests... phone, email, physical in office. Only the IT officer, CIO and CFO knew it was planned, and only the IT officer knew when.

Funny part is, the lower rung employees did the best... it was the compliance officer, the HR officer, the security officer who fubarred big time.
_________________________
I don't repeat gossip, so listen closely...

#1097820 - 12/16/08 03:07 PM Re: Social Engineering Testing?? homestar
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
We have not had problems in this area. The desire for doing the testing arises from situations that have occurred at other companies regarding data breaches as a result of situations other than electronic data compromises. We had not planned to inform employees this was going to take place and our HR department has not been involved in any discussions to date. I do appreciate the recommendation to obtain legal advice.

#1097822 - 12/16/08 03:09 PM Re: Social Engineering Testing?? #Just Jay
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
I think it's a great thing to test! And no you would not inform the employees because then it would be pointless...

We outsource this to Crowe Chizek. It's called a penetration test. They try and 'attack' through phone calls, e-mails, etc.
_________________________
With the lights out, it's less dangerous.

#1097830 - 12/16/08 03:17 PM Re: Social Engineering Testing?? ndbanker
#Just Jay Online
10K Club
#Just Jay
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
Originally Posted By: ndbanker
We have not had problems in this area.

So you think!

We thought the same thing, but via the testing, we found that we had several holes that either we felt were sound, or that we had not considered.

This is fairly standard testing. I am not quite sure of the reason for the need for legal counsel.
_________________________
I don't repeat gossip, so listen closely...

#1097944 - 12/16/08 04:55 PM Re: Social Engineering Testing?? #Just Jay
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
For those of you that have done testing, was the testing focused on being able to gain information to then penetrate systems? We had one proposal that didn't seem to meet our intent - their plan was to send e-mails or call around to various individuals in the company and try to gain information about our system security (such as e-mail address formats) so that they could penetrate our systems. We would like to focus more on the ability to gain customer information either through phone or physically at our locations that could then be used in a fraudulent manner.

#1098034 - 12/16/08 06:05 PM Re: Social Engineering Testing?? ndbanker
#Just Jay Online
10K Club
#Just Jay
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
Ours consisted of both purposes.
_________________________
I don't repeat gossip, so listen closely...

#1098246 - 12/16/08 09:27 PM Re: Social Engineering Testing?? #Just Jay
CindyS Offline
100 Club
Joined: Sep 2005
Posts: 133
Illinois
For several years, our institution has done such testing by phone (we haven't done it in person yet). To keep costs down, we haven't used an auditing firm. As Internal Auditor, I write up various scripts to be used for the testing. If you have basic scripts, almost anyone can do the testing as long as your employees don't recognize their voice. One year we had a brand new employee do the testing. Other times, we've hired an outside, trusted individual (of course, you'll want a confidentiality clause in place). Only the bank President and I know when testing will be done.

Here are a few of the testing scenarios we've used in the past.

1. “Hello, this is Sandra Jackson with the Internal Revenue Service. I’m working on a case that involves one of your customers, Mr. _____ ______, and we need to place a garnishment on his accounts. I’m trying to fill out the proper paperwork to send to you so that this can be done and I just need Mr. Brown’s account numbers.”

Depending on the employee’s response, offer the customer’s social security number and/or address to try to get them to give you the information.

2. “I need to see if a check will clear on _____ _____. The check is for $3,000.”

If the employee asks you to FAX a copy of the check or asks for the account number and/or the check number, tell them that you don’t have the check in hand yet. Say that the individual is going to give you a check, but you wanted to make sure it would clear before you accepted the check from them.

3. “This is Janet with (company who maintains the bank’s network). I’m working on the network system trying to update all the employees’ user profiles and I need to get your user ID and password to test your system access.”

#1098256 - 12/16/08 09:37 PM Re: Social Engineering Testing?? CindyS
homestar Offline
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
The reason I suggested talking to legal is really more to protect the bank from an HR standpoint. I don't know what you're planning on doing with any employees who fail the test, but things could get very ugly, very quickly from a privacy breach standpoint and from an employee liability standpoint.

Personally, I think it's foolhardy to jump into something like this without understanding the legal implications of what could occur if you do find problems, especially a major problem.
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#1098289 - 12/16/08 10:05 PM Re: Social Engineering Testing?? homestar
#Just Jay Online
10K Club
#Just Jay
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
How would it be any different than discovering an issue through, say, a TIL audit, or drawer shortages? Coach and counsel the offending employee, and if it continues, or if the initial violation is big enough, you term them.

It is simply another form of audit, and when you discover you have employees not following the rules and putting you in a position to cause either a financial or reputational loss, or who continue to do so, you let them go (depending on your state rules of course).
_________________________
I don't repeat gossip, so listen closely...

#1098472 - 12/17/08 02:02 PM Re: Social Engineering Testing?? #Just Jay
homestar Offline
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
Jay, as I implied, it depends upon what you're going to do with the results. The more severe the action taken against offending employees, the more you want to be sure you've got your ducks in a row from an HR perspective for the bank to defend itself from lawsuits from employees.

In other words, you had better be sure that, if you need to notify employees that management has the right to call them up (or hire someone to call them up) and pretend to be someone else, you have done so.

This is only my personal opinion, but this is not just another audit and to approach it that way could lead to some interesting surprises for management.
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#1098474 - 12/17/08 02:03 PM Re: Social Engineering Testing?? #Just Jay
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
I agree with JJ.

It's like any other audit. The findings will go in a report along with the auditor's recommendations - which will most likely involve some sort of training.

If the violations are severe enough, then the individual employee(s) should be dealt with as appropriate, but that's management's decision.

I've even heard Banks go as far as hiring the outside auditors to 'dumpster dive' and see if they can get any information that way.
_________________________
With the lights out, it's less dangerous.

#1098476 - 12/17/08 02:07 PM Re: Social Engineering Testing?? A_G
homestar Offline
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
JJ & Audit Guy, perhaps my warnings are better directed at management rather than the auditors. My advice? "Let the buyer, in this case, management who is purchasing audit services, beware."
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#1098502 - 12/17/08 02:29 PM Re: Social Engineering Testing?? homestar
#Just Jay Online
10K Club
#Just Jay
Joined: Oct 2006
Posts: 14,390
Cheeseheadland
And as a department manager and bank officer, I appreciate your advice, but we have found it to be an effective tool in identifying and closing gaps in our systems.

I would rather have an audit reveal that we have an employee disclosing information they should not be and then deal with it, rather than seeing it on the evening news when the disgruntled customer goes to the local bottom-feeding news action team reporter, instead of coming to the bank to deal with their breach of information issue.
_________________________
I don't repeat gossip, so listen closely...

#1098511 - 12/17/08 02:36 PM Re: Social Engineering Testing?? #Just Jay
A_G Online
10K Club
Joined: Jul 2004
Posts: 18,989
Better to be caught by an auditor than by an examiner!
_________________________
With the lights out, it's less dangerous.

#1098579 - 12/17/08 03:37 PM Re: Social Engineering Testing?? A_G
KAT Offline
Platinum Poster
Joined: Aug 2004
Posts: 986
Massachusetts
We do the testing two different ways. We hire a company to do the penetration testing on our system, and we hire a consultant to do our privacy audit and attempt to get into secured areas of the branches. The tester will open an account at one branch and go to another branch and try to take money out without any ID on him.

These are standard audits that we have done for a long time. These two audits are necessary if you are doing compliance audits. Our examiners and outside auditors request these.

#1098610 - 12/17/08 03:58 PM Re: Social Engineering Testing?? A_G
homestar Offline
Diamond Poster
Joined: Feb 2001
Posts: 2,245
US of A
Originally Posted By: AuditGuy
Better to be caught by an auditor than by an examiner!

Not always, AG, believe me, not always.
_________________________
"If you want to tell people the truth, make them laugh, otherwise they'll kill you." ~ Oscar Wilde

#1102587 - 12/26/08 09:12 PM Re: Social Engineering Testing?? homestar
DerrickAuditor Offline
Member
Joined: Mar 2008
Posts: 91
USA
We do social engineering auditing regularly. We post fraudulent journal entries to see if they are caught. We call tellers, new account specialists, lenders, etc. randomly to see if they quote rates correctly and/or ensure they do not provide non-public personal information, etc. We call the main line to ensure account balances are not given unless we provide accurate information. We search a random number of garbage cans at the end of the day to ensure no non-public personal information was improperly disposed of (found two out of 15 garbage cans with NPPI). We recently called a sample of 25 employees and asked for their network password and, shockingly, about 20% gave up their network passwords with very little effort (yikes).

You do NOT need HR's advice unless you are targeting certain employees - as long as you do this randomly (e.g. select 10 random tellers), legal risk is low. Management chooses what to do with your audit results (warning vs. reprimand vs. probation vs. termination) and assuming they act reasonably with HR's input, do the audits because you will find amazing results.

Finally, the auditor should recommend management actions (e.g. additional training, better policies/procedures, etc.).

#1102886 - 12/29/08 05:23 PM Re: Social Engineering Testing?? ndbanker
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
We have found tests can be very eye-opening to banks (both to management and employees) – it also provides a great tool for training.

One thing to be cautious of when preparing for Social Engineering (particularly onsite testing) is pretending to be someone else without their permission (i.e. pretending to be the local gas company or fire department, etc.). You will want to go into these engagements carefully to gain the benefits without possible problems (loss of trust, legal issues, etc.).
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1105272 - 01/05/09 01:40 PM Re: Social Engineering Testing?? Russ Horn
Passing storm Offline
100 Club
Joined: Aug 2005
Posts: 111
Here and Now
Homestar,

Information Security is a high risk area, and having employees give out information is a high risk. Mitigation is done primarily through policy and training.

Social Engineering is the test of those controls.
_________________________
Don't believe everything you think

#1108330 - 01/09/09 04:10 PM Re: Social Engineering Testing?? ndbanker
ndbanker Offline
Member
Joined: Jan 2006
Posts: 68
For those of you that have conducted testing through use of internal resources, have you had an employee or other third party pose as a vendor in entering a bank facility and attempting to gain personal information to use for social engineering? If so, how have you gotten around the legal concerns that have been brought up?

#1108411 - 01/09/09 05:39 PM Re: Social Engineering Testing?? ndbanker
rlcarey Online
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,370
Galveston, TX
I really think this subject should be moved to the private forums. We are giving the general public way too many ideas.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1124214 - 02/05/09 09:40 PM Re: Social Engineering Testing?? rlcarey
Happy Drugs Offline
Platinum Poster
Happy Drugs
Joined: Feb 2007
Posts: 597
Central Texas
I must tell you our outside Audit Firm performed a Social Engineering test on our bank and four branches. It is well worth the money we paid. It opened our eyes to some things that we thought nothing about, that could lead to potential problems if they continue. As the bank's auditor I was amazed at some of the things they found. We have set new guidelines and policies for our employees and hope we won't be as "SOCIAL" the next time. We will be doing this yearly now.
_________________________
In my pill box counting my stash!

#1130088 - 02/13/09 08:23 PM Re: Social Engineering Testing?? Happy Drugs
Keith Laughery Offline
New Poster
Keith Laughery
Joined: Oct 2008
Posts: 4
In our experience and based on article after article and study after study, people continue to be the weakest link in security.

"Controls are only as good as the people implementing them," Johns says. "Education really helps employees understand the importance of the institution's information security program." People really are the weakest link in the chain, he adds. "They'll do silly things when they don't realize that it's not appropriate. They will give out information that they shouldn't if they aren't educated about the different schemes that try to get that information."
(from http://www.bankinfosecurity.com/articles.php?art_id=908&opg=1)

Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, reminds us that social engineering, aka "socio-technical attacks" is really all about the human aspect, and that means trust. Kevin Mitnick, renowned and reformed hacker, in his book The Art of Deception, goes further to explain that people inherently want to be helpful and therefore are easily duped. They assume a level of trust in order to avoid conflict. It's all about, "gaining access to information that people think is innocuous when it isn't," and then using that information against the real target. We are the weakest link in the security chain. This point cannot be underemphasized. People are the weakest link, not technology.
(from http://www.securityfocus.com/infocus/1860)

I quickly found both of these articles by Googling "weakest link". The fact of the matter is, you can have a voluminous Information Security Program, the finest set of policies and procedures and an impressive Acceptable Use Policy but testing through social engineering / penetration testing is the only way you can assess the effectiveness of your controls.
_________________________
Keith Laughery, CISA, CISSP
Security and Compliance Consultant
klaughery@conetrix.com
806.687.8600
www.conetrix.com
