The weakest link in a bank's security system is more likely to involve human failings than faulty firewalls. To protect against this, there is growing interest in a type of penetration testing known as "social engineering testing," or interacting with people via the phone, fax, Internet or in person to test their ability to both use and guard the technology that protects a company's data.
The Intense School, a provider of IT certification boot camps for Microsoft, Cisco and ISC certifications, has jumped on this bandwagon to launch a live over-the-Web format that includes teaching security pros how to run social engineering tests against their own institutions, to make sure that the policies and procedures put in place are actually being followed.
"How do you know your policies and procedures aren't being broken unless you test them?" asks Ralph Echemendia, a principal at Intense School. "There's software, hardware and wetware. Wetware is people, and social engineering is how we test the wetware. ...There's no patch for human stupidity."
By way of example, Echemendia cites two recent social engineering tests he conducted. In the first, he was able to penetrate the central routing room at three of a certain bank's branches by simply showing up at the branches with a clipboard, hardhat and a belt emblazoned with a Bell South logo.
In a more dramatic instance, he and a camera crew talked their way into a bank headquarters claiming to be working on a college thesis. Though heavy security was in place, a PR person escorted them through the data center, cameras rolling. Those cameras recorded the lead Windows and Unix administrative passwords scribbled on sticky notes, the access codes to doors, and the sound of people typing, which through analysis of "keyboard emanations" can be used to reconstruct the actual keystrokes to about 85 percent accuracy.
"From a technical perspective we couldn't get anywhere," Echemendia says. "But we robbed the bank through social engineering."
Such live, in-person testing obviously cannot be done through an on-line course, but the techniques of social engineering and the use of phone, fax and Internet can. "You need a specific contract for social engineering testing because of the legal ramifications," Echemendia says.
On the issue of legal ramifications, Echemendia is quick to note that background checks are done on all potential pupils and that no one is allowed to participate who hails from a country on the government's list of terrorist countries.
"Intense School's live on-line program...leverages a compelling combination of leading textbooks, personalized mentoring and study programs based on detailed skills pre-assessment, strong content, a powerful, real equipment-based lab environment that effectively simulates real-world networks, and support throughout the process to ensure that students both gain certification and the necessary skills to perform in the job," says Patrick von Schlag, chief learning analyst at Deep Creek Center, which assists companies in creating IT classroom and e-learning education classes.
"In an institution with fiduciary responsibilities, they have to stay on top of security issues, and on-line courses are a more convenient, lower-cost way to get IT staff educated," says Michael Haney of Celent Communications. "If he or she can do it on their own time at their own desk, that's great."
Since 1997, Intense School, which counts Citigroup as one of its top clients, has certified more than 15,000 IT professionals. Typically, bank employees taking its courses belong to what are often called the "Blue Team" and the "Red Team." At many big banks, Kaufman says, the Red Team is the response team and the Blue Team is the risk-assessment team, reporting directly to bank executives (note that this is the reverse of the more common usage, in which the Red Team plays the attacker and the Blue Team defends). "It is because of the financial services industry that we have a business," says Barry Kaufman, CTO of Intense School.
An ally of Intense School is Chuck Bianco, the information technology examination manager at the Office of Thrift Supervision. Last month he asked Intense School to conduct a seminar in Texas for bank examiners. "With laws like Gramm-Leach-Bliley and Sarbanes-Oxley, a lot more is required by everyone," he says. "Education is very helpful in getting people to get in the mindset of a hacker and think about how a hacker would get in. ... Basically, I want to go into a bank and know if you are properly protecting yourself: are you doing enough?"
The week-long, on-line course costs about $4,000 per person, though discounts are available, Kaufman says. And these courses cover more than social engineering. Indeed, Kaufman notes that social engineering is just one aspect of penetration testing, a component of testing that often does not get the same attention as auditing and assessment testing.
In auditing and assessment, the testers and the bank employees work side by side, with full knowledge of the controls in place. Only penetration testing exercises a bank's security measures the way an actual attacker would: someone with perhaps little knowledge of what security measures are in place, but savvy in circumventing whatever is there, and thus able to expose weaknesses that people on the inside don't realize exist.