Social engineering did not go away, but it seems to have taken a backseat to other attack techniques over the last few years. With the publication of the results of the social engineering contest at Defcon this year, the participants in the contest have shown that social engineering is still alive and well and a very successful attack technique. The following quote from the report on the contest says it all.
“Targeting people has become the most cost efficient attack vector in many situations, and all indications point to this trend continuing to increase.”
Social engineering is one of the most insidious attack techniques around. Unfortunately, organizations do little to address social engineering and have only made social engineering easier over the years. Customer service methodologies and training over the last 30+ years have done a great disservice to organizations. For example, organizations trip all over themselves to be the JD Power customer service leader. Employees are assessed on their ability to solve a problem on the first customer contact. Yet in my experience, these sorts of activities typically focus organizations on blindly providing customer service at the expense of the organization’s security.
The organizers of the contest defined 32 objectives or flags that contestants could obtain over a 25 minute call to the target. These flags were assigned point values based on the perceived difficulty in obtaining them. While the flags were not considered to be highly sensitive information, the flags were such that one as to wonder if even more sensitive information would have easily been obtained had the contestants been allowed to go after it.
Prior to the contest, contestants were required to develop dossiers and attack scenarios on their targets that were also graded and given a value that became part of their score. In the 25 minutes, contestants could call their target once or multiple times.
The statistics gathered as a result of the contest bear out the effectiveness of social engineering. Of the 15 organizations targeted, 14 of them did give up at least one flag. More troubling is the fact that if a contestant encountered difficulty in obtaining information all it took to get the information was to hang up and call back and get a different employee.
Another area that provides concern is the amount of information the contestants were able to obtain through their dossier development. The use of Google, Google Earth and Google StreetView provided an amazing amount of information for the contestants. Also used were social media sites such as Facebook, MySpace and LinkedIn. While Facebook, MySpace and similar sites have garnered the most attention by the media, it was LinkedIn that provided the most information, in a few cases providing the contestants with the ability to develop an organization chart for the target.
Security is only as good as the weakest link. As this contest points out, an organization’s weakest link is probably their employees – the likely cause of which is a lack of or only cursory focus on security awareness. The contest just magnifies the fact that organizations have done little or nothing to protect their organizations from information leakage by employees. As I constantly like to remind everyone, security is not perfect. While you may have a fairly good security awareness program, you are still at risk from social engineering. As PT Barnum liked to say, “There’s a sucker born every minute.” Humans are fallible and as much as we try, everyone has their moments, but some people have a lot more moments than others.
If you think this is all just a nice exercise and it really does not present a strong enough threat, then go back over the last six months and read all of the news clippings about data breaches and other exploits. The majority of these attacks are all social engineering based or had a very strong social engineering component.
I highly recommend that you visit the Social-Engineer.org Web site and obtain a copy of their report. Share the report with your executives, particularly the leader of your customer service area. Hopefully they will get a clue regarding the amount of information that is inadvertently leaving your organization.
PCI Guru 