by Sage Driskell
ID 20/20: Putting a Stop to Social Engineering
2019 marked the first year a deepfake was used to pull off a heist. 2020 is likely going to be the last year it makes it to the front page though. The cat’s out of the bag with this one.
There’s a lot to be concerned about for 2020. Windows 7 is reaching end of life, the Internet of Things is everywhere, and everything is more connected than ever before. There are so many security concerns, but most of them can be fixed by applying basic security principles and technology.
The one thing that technology has so far been unable to change is the threat of social engineering. As Kevin Mitnick put it in his keynote at VISION 2019, social engineering is the easiest way to get into any given network. It doesn’t matter how smart the system is if the person behind it is stupid and unlocks it for the attacker.
There are solutions, but most of them are cumbersome for IT administration. Things like Duo require installation of an app or some other end user interaction. We thought about this and built a system called ID 20/20 with ease of use for end users in mind. Your bank doesn’t make you install an app to call in, so why should any other service? Let’s go over what makes social engineering tick and what makes ID 20/20 so different from other security solutions.
What Is Social Engineering?
At its highest level, social engineering is the use of human weakness to exploit a network. This is where someone calls in, pretends to be “Carl from the accounting department” who is locked out of the building or his account, and hopes the person answering doesn’t check. This gets especially problematic in larger companies where it is harder to know who someone is. Social engineering preys on common, social courtesy.
Social engineering is made even more problematic when it is combined with technology. There are tools to steal RFID card codes, compromised personal information on the dark web, and countless ways to ascertain information in the digital age. It’s near trivial to spoof a phone number with the right tricks. There are deepfake programs which can emulate a voice live.
How Could Social Engineering Impact an MSP?
How soon do you know about a fired employee from one of your clients? How often do you take inventory of employees at a given company? These all seem like a waste of time at first, but if you know who can ask for what from your client, you can prevent compromises and reduce costs.
A fired employee may call the help desk before they’re notified and ask for a trivial account to be made which can later be used to shred files. Whose fault is that one? Will your client just happily accept it wasn’t yours and be on their way? Almost definitely not, and even if they do, a single employee can bring down a business with the right damage.
By keeping tabs on your clients, you further understand what different people do, which can help you better tailor your services and get acquainted with potential opportunities for upsells. It gives you a stronger relationship and keeps your client safer. You also lower the chance of social engineering because you know who is who at the company and you make sure that when someone is fired, you know first. You also know whether “Carl from accounting” is actually someone there.
How Could Social Engineering Impact The 20?
To put it simply, The 20 takes the MSP model and extrapolates it to the next level. Multiple clients could be hit without the right preparation against social engineering. We know this and we take security seriously.
Because we have oversight into so many environments, we need to be sure the person we’re talking to has permission to do what they’re asking for. It doesn’t matter if they claim to be the regional VP if they aren’t documented properly (though obviously we say this a lot less directly to the client). What happens when an MSP’s employee is terminated and calls in for a password? We tell them the same thing: no. We have to, or else we’d be compromised. Process needs to be followed or else social engineering becomes trivial.
What is ID 20/20?
In the era of deepfakes, we had no choice but to evolve with the times, so we created ID 20/20. ID 20/20 is a multi-factor authentication solution which requires nothing of the end user except an email address or a cell phone (and either one can be made optional if necessary), and there is even a code option for places where they can’t be near a computer or phone.
We thought through the pain points of our end users so that they are safe but not impacted. We also thought through the pain points of our partners and what makes it hard to push out these kinds of changes. Applying security changes is always hard, but it doesn’t have to always be painful.
How Does ID 20/20 Stop Social Engineering?
ID 20/20 requires a user to verify their identity partly verbally and then again with a randomly generated code which is sent to their email or cell phone. The tech then asks them for this code and enters it into the system, which verifies it. The tech does not know the code and does not volunteer any information about the user unless necessary. This prevents us from unwittingly providing information to a potential malicious actor.
ID 20/20 sits on top of the standard operating procedure of the site as well. By combining these factors, we limit what a user can get from us and what they can do unless they’re authorized. The process takes about a minute total so far.
It also integrates with Kaseya BMS to update a ticket with what the tech did, whether they were successful or not, and how the client was verified. If a client won’t cooperate, you know. If someone could not be verified, you know. There are no more questions of whether a tech followed the verification protocol or not. If a malicious actor can get through, you’re already compromised.
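To make the flow above concrete, here is an added illustration of the pattern in Python. It is not ID 20/20’s code and is not based on The 20’s implementation; the five-minute code lifetime, the three-attempt lock, the ticket ids, the caller names and the in-memory audit log standing in for BMS ticket notes are all assumptions made for the example. What it shows is the property the text relies on: the technician opens a challenge and enters what the caller reads back, but the code itself only ever travels out of band to the caller, is stored only as an HMAC, expires, is single use, and every outcome is logged against the ticket.

```python
"""Help-desk caller verification with an out-of-band one-time code.

Hypothetical example (not ID 20/20's code): the technician opens a
challenge for the caller, the system sends a random code to the
caller's email or phone, the caller reads it back, and the technician
types it in. The technician never sees the code, the code is stored
only as an HMAC, it expires, guesses are limited, and every step is
written to an audit log keyed by ticket id.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses lock the ticket


@dataclass
class Challenge:
    user_id: str
    channel: str      # "email" or "sms" (labels are assumptions)
    code_mac: str     # HMAC of the code; the plaintext is never stored
    issued_at: float
    attempts: int = 0
    done: bool = False


class VerificationService:
    def __init__(self, send_fn, now=time.time):
        # send_fn(channel, destination, code) delivers the code out of band;
        # now() is injectable so expiry can be tested without sleeping.
        self._send = send_fn
        self._now = now
        self._key = secrets.token_bytes(32)   # per-process HMAC key
        self._challenges = {}
        self.audit_log = []                   # stand-in for the BMS ticket notes

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def _log(self, ticket_id, event, **extra):
        self.audit_log.append({"ticket": ticket_id, "event": event,
                               "at": self._now(), **extra})

    def start(self, ticket_id, user_id, channel, destination):
        """Issue a fresh code for this ticket. Returns nothing the tech can use."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[ticket_id] = Challenge(user_id, channel,
                                                self._mac(code), self._now())
        self._send(channel, destination, code)   # goes to the caller, not the tech
        self._log(ticket_id, "code_sent", user=user_id, channel=channel)

    def verify(self, ticket_id, code_entered):
        """Check the code the caller read back. Returns a status string."""
        ch = self._challenges.get(ticket_id)
        if ch is None:
            return "unknown_ticket"
        if ch.done:
            return "already_used"
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            ch.done = True
            self._log(ticket_id, "expired", user=ch.user_id)
            return "expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return "locked"
        ch.attempts += 1
        # constant-time comparison of MACs, never of the raw code
        if hmac.compare_digest(ch.code_mac, self._mac(code_entered.strip())):
            ch.done = True
            self._log(ticket_id, "verified", user=ch.user_id, channel=ch.channel)
            return "verified"
        if ch.attempts >= MAX_ATTEMPTS:
            self._log(ticket_id, "locked", user=ch.user_id, attempts=ch.attempts)
            return "locked"
        self._log(ticket_id, "wrong_code", user=ch.user_id, attempts=ch.attempts)
        return "wrong_code"


def demo():
    """Walk one constructed ticket through the flow. The outbox list stands in
    for the caller's phone. Returns the statuses seen and the audit log."""
    outbox = []                                   # (channel, destination, code)
    svc = VerificationService(lambda ch, dest, code: outbox.append((ch, dest, code)))
    svc.start("T-1001", "carl.accounting", "sms", "+1-555-0100")   # constructed
    real = outbox[-1][2]
    wrong = "000000" if real != "000000" else "111111"
    first = svc.verify("T-1001", wrong)   # a guess: the tech does not know the code
    second = svc.verify("T-1001", real)   # the caller reads the real code back
    third = svc.verify("T-1001", real)    # replay: a code is single use
    return [first, second, third], svc.audit_log


if __name__ == "__main__":
    statuses, log = demo()
    print(statuses)
    for entry in log:
        print(entry)
```

The design choice worth noting is that `start()` returns nothing: the only path from the system to the code is the out-of-band send, so a technician cannot volunteer it to a caller, and a caller who cannot produce it leaves a `wrong_code`, `locked` or `expired` entry on the ticket rather than a judgement call.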
How Can You Stop Social Engineering?
ID 20/20 can reduce a lot of social engineering attacks, but you have to also train the end users. Do you click on an email from a bank you don’t use? I know I don’t, but I know plenty of users do. Teach your users how to recognize and avoid phishing attempts.
Following a process which butts against social norms is hard, especially for things like doors. Social engineers will use door holding to get physical access. How do you tell your employees: “Pull the door shut and make the next person badge in”? It’s hard, but necessary in bigger companies. You also have to make sure verification processes are followed. There may be a “Jim in accounting,” but how do you know whether you have permission to grant their request? There has to be process.
Technology may eliminate as many issues with security as it helps create, but little has previously been manageable with social engineering. Social engineering preys on common courtesy and the fallibility of the human element. ID 20/20 aims to address that weakness with the cold resolve of a machine for the underlying process and a human face guiding the process to make it acceptably warm.
ID 20/20 is ready to address the technological side of many social engineering attacks with negligible overhead for the end users. Just because deepfakes are here doesn’t mean they will get through unchecked. We thought ahead; what about you?