You can have the best security technology in the world, but all it takes is one smooth-talker to slip past a “gatekeeper” and instigate a security disaster. Yet, this “social engineering” doesn’t receive the attention it deserves in many companies.
Perhaps that’s because budgeting for a new firewall is tangible and quantifiable, but dealing with social threats is more amorphous and deals with the vagaries of human behavior.
But the fact remains that historically, most break-ins don’t depend on technology, but on people who exploit human behavior without ever writing a single character of malware.
“It was the kind of box job that didn’t require a bean-shooter, just a palooka with a sweet spot for a sob story …”
The Social Engineer Capture the Flag Contest
Organized by Social-Engineer Inc. for the DEF CON 21 conference that took place last August in Las Vegas, the Social Engineer Capture the Flag Contest had 10 men and 10 women test their social engineering skills against big corporations like Apple, Boeing, and Walt Disney. There were rules about how contestants could gather intelligence. For example, they could only use open source information available through sites like Google, Wikipedia, and social media sites. Then at the DEF CON conference, each contestant did live calls to his or her target company.
The Gumshoe Work
The first phase of the Capture the Flag contest took place before DEF CON and involved plain old detective work. This aspect of social engineering is laborious, but can make or break the success of a social engineering break-in. Readily available information online can give a person a sound understanding of where, when, and how companies conduct business, and what kind of online activities their employees engage in. A social engineer can collect an astounding amount of valuable information without ever interacting with anyone at the target organization.
When a social engineer targeting an organization engages with a company insider, one of the most common tactics used is pretexting. This is where the perpetrator impersonates someone with a plausible reason to be asking in order to gain information. Pretending to be an employee is the most common pretext, though people often claim to be students, survey conductors, vendors, or job seekers. In the case of the Capture the Flag contest, Social-Engineer Inc. found that women had an easier time successfully using pretexting to gain access to a company. In fact …
Being or Pretending to Be Female Helps
Security researchers Aamir Lakhani and Joseph Muniz tried getting into an unnamed US Government agency last year using made-up male characters and failed. But once they created a female character and gave her a Facebook profile, they had little trouble. Penetrating the agency’s computer network took less than a week.
“My company laptop needs to be here by Friday. Those cat videos aren’t going to watch themselves!”
Before it was over, Lakhani and Muniz had the agency believing the fictitious woman was an employee, and had conned them out of network credentials, a laptop computer, SalesForce logins, and administrative rights. They were also able to steal documents containing sensitive information concerning national security. Likewise, at the DEF CON 21 contest, women took three of the top five scores, exceeding male scores by around 30 points.
Conclusion: Social Engineering Won’t Go Away
Social-Engineer Inc. has sponsored five annual Capture the Flag contests, and despite the fact that there have been numerous high-profile security breaches at major corporations, government agencies, and retailers, people with social engineering skills are still able to successfully gain access without a lot of difficulty. So how do you guard against the social engineer / hacker?
Three Pillars of Social Engineering Mitigation
1. Strong Information Handling and Social Media Policies
Organizations have to balance security with the risks associated with openness. Corporate policies on information handling and social media have to be clear, specific, and realistic concerning what is and isn’t allowed and what type of information can be uploaded to unsecured areas of the internet.
2. Education for All
Annual or twice-annual security reminders should be sent out, but that’s not enough. Organizations have to bite the bullet and allocate the resources necessary to make training a top priority. Education has to be specific to the organization, and often specific to the department.
3. Risk Assessment and Testing
Organizations have to identify areas of vulnerability like social media accounts, and potential attack vectors have to be anticipated. A social engineering penetration test should be carried out to test the company’s defenses. Sure, this can be profoundly uncomfortable, but it’s one of the best ways to really prepare for a social engineering attack.
Great IT asset management and running a diligent and reliable IT service desk are both critical to maintaining security. Provide your IT team with Samanage, and they’ll have the power, flexibility, and technological tools they need to keep your IT infrastructure running, accounted for, and secure.