What is Social Engineering
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Attackers use it to gather information, commit fraud, or gain access to systems, and it differs from a traditional “con” in that it is often only one of many steps in a larger fraud scheme.
It was just a normal work day, but my work isn’t what people call “normal.” I walked into the building in full pest control regalia. This job was a little different from the usual. This test was for a series of departments occupying 7 floors of a skyscraper. Each department pretty much operated in isolation from the others with their own unique entry points, receptionists, and methods for handling visitors. Starting with the top floor, I worked down until I was done. As I moved through the building, I met little to no resistance. I spent way too long doing practically nothing but documenting what I saw. I was snapping pictures of unlocked computers, opening unlocked shred bins and getting out papers with sensitive data on them, identifying easily accessible open ports and so on. At the end of the job, I had all but lost count of how many ways I could have attacked their network while on the inside. Fortunately I had recorded everything for the report I would be writing later that day.
100s of attack points.
0 knowledge I was ever there.
Over the years, I have conducted hundreds of these types of tests, and I have never been caught. Here is a list of some of the biggest failures I have seen over the years.
Social Engineering Recon
Leading up to the day I show up at your door, I do some research on your business and your employees. I start Social Engineering Testing on LinkedIn, where I check to see what technology you use. I look at your IT staff to see how they describe their job role, and more often than not they give details about which systems they manage. Even if they don’t give details about their current employer, their history of past jobs says what they did there, and I can assume they probably do the same for you. After all, do you hire the guy with decades of experience and certifications in Cisco equipment to write C# applications? Before you get too worked up about what your employees are posting about their jobs, keep in mind that you posted a job listing somewhere to hire that guy in the first place, and I go looking for those too; a listing that spells out the products and versions a candidate must know is an inventory of what you run. I figure out the format of your employees’ email addresses and start searching for them on other social media sites and forums. With luck, I find a post where the Cisco guy you have writing code is asking for help with the login functionality of the web application he is working on, and has pasted the code so that others can take a look.
Another thing I’ll do, depending on access and availability, is dig through your dumpster. I can’t do that if you are in a large shared facility, but if you have your own, or share it with just a few other tenants, I’ll get a truck, drive over, load up the bags, and take them home to go through. Still think my job is cool? I’m looking for any documents that help me better understand your business. Obviously, sensitive data that should have been shredded is at the top of my list, but so are things that show who your clients are, calendar data, or a password list that got thrown away because Peggy in accounting just changed her passwords and wrote a new list. Why would I want a list of her old passwords? Maybe I find a pattern in how she creates them (a word followed by a counter or a year is common), maybe she will reuse one of them some day, or maybe I now know what the paper looks like in the little notebook she keeps in her desk drawer where she has all the new ones.
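The following is an added example, not code from the original post, of what a discarded password list gives away. It derives a hashcat-style mask from the old passwords and, where consecutive entries differ only in a number, continues the sequence to predict the current password. Peggy’s list and the other sample histories are constructed for the example; a defender can run the same check against a password-history export to find users whose changes are just a counter.

```python
"""
Added example (not code from the original post): what an attacker learns from
a discarded list of old passwords.  Given the history, derive a hashcat-style
mask for the structure and, where successive passwords differ only in a number,
continue the sequence to predict the current one.  The sample lists below are
constructed for the example.
"""
import re

# Split a password into runs of letters, runs of digits, and runs of other chars.
TOKEN = re.compile(r"[A-Za-z]+|[0-9]+|[^A-Za-z0-9]+")


def mask(pw: str) -> str:
    """hashcat-style mask: ?u upper, ?l lower, ?d digit, ?s anything else."""
    out = []
    for ch in pw:
        if ch.isupper():
            out.append("?u")
        elif ch.islower():
            out.append("?l")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def common_mask(history):
    """Return the mask if every password in the history shares it, else None.
    A shared mask is exactly the pattern an attacker feeds to a mask attack."""
    masks = {mask(p) for p in history}
    return masks.pop() if len(masks) == 1 else None


def predict_next(history, n=3):
    """If the last two passwords share a token structure and differ in exactly
    one numeric token, continue that progression for n candidates.  Any other
    change (a different word, a different symbol) returns [] rather than a guess."""
    if len(history) < 2:
        return []
    prev, last = TOKEN.findall(history[-2]), TOKEN.findall(history[-1])
    if len(prev) != len(last):
        return []
    changed = [i for i in range(len(last)) if prev[i] != last[i]]
    if len(changed) != 1:
        return []
    i = changed[0]
    if not (prev[i].isdigit() and last[i].isdigit()):
        return []
    step = int(last[i]) - int(prev[i])
    if step == 0:
        return []
    width = len(last[i])  # keep the zero padding: 01, 02, 03 ...
    value = int(last[i])
    candidates = []
    for _ in range(n):
        value += step
        tokens = list(last)
        tokens[i] = str(value).zfill(width)
        candidates.append("".join(tokens))
    return candidates


# Constructed sample: the old list from Peggy's desk, oldest entry first.
PEGGY_OLD_LIST = ["Peggy01!", "Peggy02!", "Peggy03!"]

if __name__ == "__main__":
    print(common_mask(PEGGY_OLD_LIST))                   # ?u?l?l?l?l?d?d?s
    print(predict_next(PEGGY_OLD_LIST))                  # ['Peggy04!', 'Peggy05!', 'Peggy06!']
    print(predict_next(["Welcome2018", "Welcome2019"]))  # ['Welcome2020', 'Welcome2021', 'Welcome2022']
    print(predict_next(["Summer2019!", "Winter2019!"]))  # [] - the word changed, not a counter
```

The point of the empty result for the season example is deliberate: the code only claims a prediction when the change is a pure numeric step. A real cracking run would add season and month rotations to the same token logic, but a word change with no numeric pattern is not enough evidence on its own.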
You are leaking a substantial amount of data in a variety of ways, and you need to be aware of them. Aside from not writing down passwords, shredding anything sensitive before it reaches the trash, and keeping product names and versions out of job listings and public profiles where you can, there is not a whole lot you can do to prevent recon. What you can do is know that it happens and train people not to trust someone just because they seem to have a good deal of insider knowledge of the business.
Social Engineering – Know Your Visitors
This is by far the most common failure during social engineering testing once I get on the premises. I’ve come to your building as a phone tech, or pest control, or whatever other random cover we’ve agreed upon, and I’m asking to go behind the counter into employee-only areas without being verified, signed in, or anything. This is a problem for a host of reasons. Yes, you can safely assume that a real attacker will forge that information, show you a fake ID, and so on. However, this is the key moment to stop the attack. Once I pass the front desk, it’s over: everyone else will assume I’m supposed to be there by virtue of my already being beyond the public area. In addition, signing visitors in gives you a log of who has been back there, so when something is discovered to be wrong you can review who was in that area and start the investigation from that list. It won’t take long to at least narrow down when something happened once you go through the list and call everyone on it. If you call a business on that list and they say that not only did they have nobody visiting you that day, they have nobody employed there by that name, you can be fairly certain that at least the time entry is correct and that your breach has been going on since that point in time.
Escorting the Social Engineer
Let’s just assume I pass all the tests. It turns out I actually do work for the pest control company, we are scheduled to be at your business that day, and in fact I’ve legitimately been running your pest control service for a long time. You recognize me. You should still escort all visitors, at all times, in non-public spaces. You don’t know where my mind is. Maybe times are tough and I’ve been paid by some hacker to plug something into an open network or USB port. That may be far-fetched, but let’s just say I could really use some money, and your employees are leaving things like purses and phones around where I can easily steal them. We can make it even less malicious, nothing like the crime of the century: what happens if I wander into an area with sensitive equipment and accidentally spill something on your servers? A lot of things can happen back there, and you need to keep an eye on your visitors at all times regardless of your relationship with them.
You know all this, and everyone is well trained in the procedure. But is the escort prepared to handle every situation? What if, while we are walking around, I signal a partner to call in with an urgent call for the escort? Am I abandoned while they answer it? What if I go sit in the bathroom for a very long time? Does my escort grow bored and leave? How about if I combine them: I’m in the restroom while the escort waits outside the door, and they get an emergency call. Do they leave me? What if I bring my partner into the building, and while we are working our way around, one of us needs to go retrieve something from the truck? What does the escort do as we split up? What if we start saying politically incorrect things in front of the escort? Do they get mad and storm off? There are lots of ways to shake the tail, and your staff needs to understand that they are not to leave anyone unattended for any amount of time. I’ve had jobs where I was escorted through an office, but when it came to the cube farm, the escort just stood at one end of the four-cube corridor while I walked down it. Was I out of sight? Not entirely. But I was able to lean into a cube and plug in a device.
Social Engineering – Once I’m In
That brings us to the point where we need to discuss just what I’m looking for once I get inside during a Social Engineering Test. I’m looking for anything that either gives me direct access to the network, sensitive documents, and computers, or that can be used to help penetrate the organization further at a later date. I’m looking for open, live network ports I can slip a device onto. I’m looking for users who have left their computers unlocked while they stepped out of the office. I’m checking trash and shred bins for information, and looking for passwords written down somewhere. I’m looking for physical files, unlocked filing cabinets, keys, and proximity cards. I’m checking printers to see if someone sent a job with sensitive data to the printer and hasn’t picked it up yet. I tell people these things, and for the most part they think it’s absurd. They will generally admit that people leave their workstations unlocked, but insist the other stuff doesn’t happen. It does happen. Very frequently. I once had a nice gentleman in a bank’s file room ask if he should leave the room while I was in there as a pest inspector. Keep in mind, I wasn’t spraying, just doing an evaluation. I didn’t have a canister or anything, just a tool belt and a clipboard. I told him “yes” and he left the room, leaving his computer unlocked and shutting the door on the way out. I immediately locked it, emailed the CEO, and took pictures of the files for every account at the bank.
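The sign-in sheet described under Know Your Visitors and the device-on-a-live-port scenario above come together in the investigation. The following is an added example, not part of the original post, of how to use the archived sheet: it takes switch link-up events for ports the network team says should be unused and lists which signed-in visitors were on the premises at that moment. The switch log lines, port names, visitor entries and the set of expected-unused ports are all constructed; the message wording mirrors Cisco IOS LINK-3-UPDOWN syslog, but treat the exact format (in particular the ISO timestamp prefix) as an assumption of the example rather than what your switches emit.

```python
"""
Added example (not from the original post): correlate switch link-up events on
ports that should be unused with the front-desk sign-in sheet, to find which
visitor was on site when an unexpected device appeared.  All log lines, names,
ports and times below are constructed for the example.
"""
import csv
import io
import re
from datetime import datetime

# Constructed switch syslog excerpt (format assumed for the example).
SWITCH_LOG = """\
2024-03-04T09:02:11 sw-7f-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
2024-03-04T10:42:17 sw-7f-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state to up
2024-03-04T10:42:18 sw-7f-1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/17, changed state to up
2024-03-04T15:31:40 sw-7f-1 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/22, changed state to up
"""

# Constructed front-desk sign-in sheet.  Lin Park never signed out.
SIGNIN_SHEET = """\
name,company,time_in,time_out,escort
Ray Dobbs,Acme Pest Control,2024-03-04T10:15,2024-03-04T11:05,M. Ortiz
Dana Whitfield,Metro Phone Co,2024-03-04T13:00,2024-03-04T13:40,J. Chen
Lin Park,Metro Phone Co,2024-03-04T15:10,,J. Chen
"""

# Ports patched to cube drops with no assigned user (assumption for the example).
EXPECTED_UNUSED = {"GigabitEthernet1/0/17", "GigabitEthernet1/0/22"}

# Only physical link-up messages; LINEPROTO and link-down lines are ignored.
LINK_UP = re.compile(
    r"^(?P<ts>\S+) \S+ %LINK-3-UPDOWN: Interface (?P<port>\S+), changed state to up$"
)


def parse_link_ups(log_text):
    """Return [(timestamp, port)] for every link-up event in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINK_UP.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["port"]))
    return events


def parse_signin(sheet_text):
    """Parse the sign-in sheet; an empty time_out means the visitor never
    signed out, so they are treated as still on the premises."""
    rows = []
    for r in csv.DictReader(io.StringIO(sheet_text)):
        rows.append({
            "name": r["name"],
            "company": r["company"],
            "escort": r["escort"],
            "time_in": datetime.fromisoformat(r["time_in"]),
            "time_out": datetime.fromisoformat(r["time_out"]) if r["time_out"] else None,
        })
    return rows


def visitors_present(visitors, when):
    """Names of visitors whose sign-in window covers the given time."""
    return [
        v["name"] for v in visitors
        if v["time_in"] <= when and (v["time_out"] is None or when <= v["time_out"])
    ]


def present_at(sheet_text, when_iso):
    """Convenience wrapper: who was signed in at an ISO-8601 time string."""
    return visitors_present(parse_signin(sheet_text), datetime.fromisoformat(when_iso))


def correlate(log_text, sheet_text, expected_unused):
    """For each link-up on a port that should have been dead, list the visitors
    who were signed in at that moment.  Link-ups on assigned ports are skipped."""
    visitors = parse_signin(sheet_text)
    findings = []
    for ts, port in parse_link_ups(log_text):
        if port not in expected_unused:
            continue
        findings.append({"port": port, "time": ts, "present": visitors_present(visitors, ts)})
    return findings


if __name__ == "__main__":
    for f in correlate(SWITCH_LOG, SIGNIN_SHEET, EXPECTED_UNUSED):
        print(f["time"].isoformat(), f["port"], "visitors on site:", f["present"])
```

Two things the sample is built to show: the LINEPROTO line and the link-up on the assigned port Gi1/0/3 produce no finding, and the visitor who never signed out is still attributed to the afternoon event. That second case is why holding the visitor’s license until they sign out matters; without a sign-out time every later event on the sheet stays ambiguous.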
Defending Against the Social Engineering Attack
People all too readily assume that anyone beyond the public area who has some sort of legitimate reason for being there is supposed to be there, and leave them alone. Worse, they may even go out of their way to help. Policy should spell out exactly how to manage visitors. All visitors should be properly escorted, and the escort should never leave the visitor. In the example where two visitors try to split the escort, the escort needs to round up both visitors and return to the front together, to either let them both go to the truck or pick up a second escort so that both are watched. If an emergency call comes in, the escort should hand the visitor off to someone else before leaving. Sign-in sheets need to be enforced and archived. As part of the process, you may have visitors turn over their driver’s license until they exit; that ensures they return to the front to sign out before leaving, giving you better control over who is in the facility. If vendors may need access to areas of varying sensitivity, it is good to have additional sign-in sheets at those posts, such as the server room. In fact, you may want everyone entering the server room, including employees, to sign in. With policy in place, you need to periodically test its effectiveness with Social Engineering Testing, use the lessons learned to strengthen the policy, and incorporate those lessons into an ongoing Security Awareness training program.