Social Engineering: Are you Prepared?

Exactly what is social engineering? It sounds like something complicated and technical, when the reality is that it’s not. It’s a trick used by criminals to gain access to places where they are not supposed to be. Once the criminal has gained access, they can then use that access to commit whatever crime they wish.

Here’s a fun example. I had met up with some work colleagues, and some of us had passes for an exclusive party. My one colleague did not have a pass to get in. We all wracked our brains trying to figure out who we could call to get him into the party. Finally, my colleague says, “leave it to me, I’ll social engineer my way in!” Being in the cyber security industry, this presented a fun challenge for him. Security was tight at the event entrance. He tried “tailgating,” which is walking very closely behind another person in the hopes he could sneak in along with them. That didn’t work. He tried waving at someone he knew in the hopes the security guard would let him come in and talk to the other party. That didn’t work. What did work? He told the security guard he really needed to use the bathroom and would be in and out in a few seconds. That did the trick. Once inside the washroom, he took off his belt and wore it around his neck, slightly hidden by the collar of his coat, to make it look like he had on the same lanyard as the other guests. He stepped out of the washroom and quickly joined the rest of us at the party.

While the above is a fun example, and no one was harmed, it shows that if there is a will to get into a space, someone will find a way in. Here is another example from the Infosec Institute. Their example is of a high-level governmental institution in an unnamed country, where penetration testers were trying to find holes in the physical security of the building. When walking in the front door didn’t work, the pentesters noticed a fire escape staircase that wasn’t monitored by cameras. They also noticed an ashtray on the landing where employees were sneaking out for a smoke break. Here’s how the Infosec Institute breaks it down.

“The pentesters were not smokers, but here they were, standing on the fourth floor of the fire escape staircase, cigarettes in their mouths, waiting. A dozen or so minutes passed before the first government employees came out to have a smoke. They said “Hi.” Pentesters chatted them up about how they were going to spend the whole day in meetings. Usual office water-cooler talk. A couple of minutes later, they were done with the smokes and employees let the pentesters inside, wished each other a nice day and went on their separate ways. Within minutes, the pentesters had found a printer with admin-level network access to one of the most important networks in the country.”

So, what is the fault in this scenario? Basically, it’s the fact that employees are human. Even though staff knew they were not supposed to smoke on the fire escape, they still did it. It likely also didn’t occur to anyone that someone would use that fire escape to try to breach the organization. In fact, the staff probably thought they were keeping their breaks shorter by not going all the way down the stairs and out to the front of the building. Better monitoring of the fire escape and making it more difficult to access could also have helped, but it is the human element that let them in.

When you are thinking about what is going to give you the best bang for your security dollar, employee training in security awareness can go a long way. After all, your employees are going to be the difference between being breached and helping you to prevent a breach. Make your staff part of the solution. Contact Uzado today for more information on their security awareness training programs.
