Information Security and Social Engineering Gone Astray
The Surprising Weakest Link in the Information Security Chain (and What to Do About It)
By Jay Trinckes
Chief Information Security Officer of Path Forward IT
Security experts have long prescribed to the idea that good security comes from “Defense in Depth”. This principal describes ways in which layers of protection or security controls are placed on top of each other to provide different levels of protection for sensitive information. Unfortunately, most experts would agree that the weakest link in the information security chain is ‘people’. One of the vectors of attacking this ‘human layer’ of security is through Social Engineering.
Social Engineering is defined as “any act that influences a person to take an action that may or may not be against their best interest” (source “The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules”, CRC Press, 2012). We see Social Engineering in multiple areas of our daily lives such as through advertisements, marketing, parenting, teaching, mentoring, etc. In most cases, attempting to influence behavior in a positive way is a good thing; however, when this influence is done in a negative manner or with malicious intent, it can lead to a compromise or other devastating consequences.
One of the most recent examples of this ‘social engineering’ gone astray involved the tragic death of a nurse at King Edward VII Hospital in London. As some believe, this 46-year-old mother of two apparently committed suicide as a result of being tricked into forwarding a call reference to the care of the Duchess of Cambridge who was being treated at the hospital. This ‘prank’ was performed by two Sydney radio station employees pretending to be the Queen and the Prince of Wales. (Additional information can be found here. As this scenario relates to information security, it illustrates how important it is to authenticate and validate the authority of an individual with access to protected health information. It further illustrates how important it is to make your workforce members aware of these potential risks.
I don’t claim to know the exact details of the referenced incident or to indicate that anyone was at fault, but rather, present this incident to emphasize the point about the importance in making sure that someone is who they say they are. It is also important to know if the individual is authorized to access certain information that is made available to them. This is known as authentication or the corroboration that a person is the one claimed to be. Currently, usernames and passwords are assigned to individuals to assist in performing most authentication activities in the modern technical environment. The thought process behind this assignment is that only the individual that claims to have certain access rights would be the only one to know their own appropriate username/password combinations. In most situations this works fairly well, but if security procedures or security awareness training is not provided appropriately, this type of authentication method can be easily circumvented allowing unauthorized individuals access to certain restricted information.
Information Security and HIPAA
Although the HIPAA Security Rules require unique user Identification and addresses mechanisms to authenticate electronic protected health information, most information security awareness training programs that I’ve reviewed do not adequately discuss social engineering type activities. To this end, it is important that awareness is raised and a discussion of the risks that your workforce members may face in dealing with ‘tricks’ or ‘pranks’ scenarios. Here are some tips that you should consider:
- Identify social engineering attempts – although healthcare is about taking care of patients, you should be on guard to suspicious activities. Always trust your ‘gut’ instincts.
- Develop personal and interactive security awareness training – make sure to include different types of scenarios and proper actions to take when covering specific policies/procedures in your training.
- Information is valuable – be aware of the information you may possess. Ask yourself, “would I provide this type of information to someone if it pertained specifically about me?” Protect the information you have as if it was your own.
- Role Play – be prepared to handle some unknowns. What would your workforce members do if they click on a suspicious link in an e-mail? Do they know who to report this incident to or what actions they should take?
- Conduct an Assessment – along with the required HIPAA Security Assessments and Meaningful Use security risk analysis, consider including social engineering panels to test how well your workforce members will deal with certain scenarios.
Hopefully this will assist you and your workforce members in understanding information security as it relates to social engineering and avoid becoming a victim.
Author John ‘J’ Trinckes, CISSP, CISM, CRISC, C-EH, NSA-IAM/IEM
Jay is the chief information security officer of Path Forward IT, a managed IT/Security service provider of healthcare providers throughout the US. He is also a published author of “The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules” (CRC Press, 2012) and “The Executive MBA in Information Security” (CRC Press, 2009). Jay can be reached for additional information on Path Forward IT’s HIPAA/Meaningful Use Risk Assessment and other related IT services at CISO@PathForwardIT.com