ICE Hacked Its Own Employees to Teach Self-Defense in Cyberspace

One federal agency is replacing workforce security awareness tutorials with real world hack attempts to test employee reflexes. So far, 80 percent of the personnel trained have successfully fought off potential cyberspies.

The "social engineering" prevention initiative has earned Immigration and Customs Enforcement a nomination for cyber trade group (ISC)2's 10th annual Oscars of the federal sector, the Government Information Security Leadership Award. GISLA winners are scheduled to be announced on Tuesday night. 

ICE's program focuses on a cyber hazard that is difficult tackle: human nature. Social engineering involves tricking individuals into divulging sensitive information that can be used to override computer protections.

To immunize employees against these threats, a handful of agency security personnel call everyone from administrative assistants to senior executives and convince them to say their computer passwords. They send “phishing” emails with links to credential-stealing forms and ask that office managers snoop around desks for thumb drives lying around.

Self-defense training, which includes in-person workshops, is voluntary right now. Of the 5,000 employees who have undergone coaching since winter 2012, only about 20 percent fell for the ruses, program officials said. Whereas, half of the uninitiated were about to spill usernames and passwords until the testers cut them off. 

“We want to instill into our employees a healthy sense of paranoia,” said Chuck Mader, ICE regional information assurance manager program lead. “They have to be cognitive that they are targets and to question that email that comes in that they weren’t expecting.”

Basically all government employees are social engineering targets, security researchers say. White House staffers recently had their personal Gmail accounts hacked after they received phishing emails with links -- labeled to look like legitimate BBC or CNN articles – that directed users to an authentic-looking Gmail or Twitter login screen for full article access. The fake login forms stole their credentials.

Incidents like this one are the reason ICE also educates personnel on how to fend off social engineering in their private lives. “That conversation on the Metro” subway car with a stranger “is very informative for someone who is looking to cause harm to the agency,” said Alex Ruiz, director of ICE's security authorization and risk management branch. Someone “knowing where you work and what building you’re in” by eyeing an ICE badge hanging from a bag is just as risky “as not securing and locking down your computer.”

ICE officials insist the goal of the bogus emails and calls is to assess employees’ responses, not ridicule them. There are "no repercussions or recourse. The only information we collect is anonymized statistical information so we can measure the outcome. We have to be careful from a government perspective with unions," Mader said.

If employees start to disclose information over the phone, program officials ask that they immediately reset their credentials to get in the habit of reducing the risk should they make the same mistake during a real attack.

The phishing emails teach similar lessons.

If they were to click on the link in the message, “it takes them to a dummy webpage that says, ‘You should not have clicked the link, and this is how you handle it in the future: Contact the service desk, etc.,’” Mader said.

All ICE employees are equally susceptible to social engineering, according to program officials.

Agents investigating virtual currency fraud, for instance, are just as vulnerable as a "a clerk who is handling financial documents regarding a future contract award,” Mader said. By teasing out information from the ICE worker, a company could gain an unfair advantage during the competition for the job, agency officials said.  

The main challenge for the social engineering instructors today is a limited audience.  

Training is not required and some personnel work in different time zones overseas. Covering 5,000, or about 13 percent, of the agency's 40,000-person workforce "doesn’t sound like a lot but most of that has been done in person,” said Maureen Premo, head of the social engineering training program and one of two employees dedicated full-time to the initiative.

To reach personnel abroad, program officials said they might offer recorded sessions through the agency’s virtual university for on-demand viewing.

Tuesday's awards incidentally coincide with National Cyber Security Awareness Month. (ISC)2 Executive Director Hord Tipton said in a statement that “the accomplishments of this year’s GISLA finalists demonstrate the exceptional skill and commitment to excellence that is required to stay one step ahead in this increasingly complex security environment.”

--

(Image via /Shutterstock.com)