Social Engineering that gets someone in a company to give out information that they should not give out is something common, so why don’t more companies doing anything about it?
Beyond the HP Pretexting issue, and the desire of RIAA/MPAA to have the ability to pretext, and people being lured on web sites, or dating sites where the love lorn get conned, or the host of other ways that people get conned both in their personal lives and in the corporate environment. What is it about people that makes them more or less likely to give out information on the phone?
Norfolk State University has an interesting profile of both sides of the social engineering process:
– Social Engineers take advantage because:
– It is natural for people to want to help.
– It is natural for people to trust.
– It is natural for people to fear what happens when they do something wrong.
– The most predominant way data is compromised.
– Usually, the first type of attack to occur
– A direct request from the attacker.
– An indirect request from the attacker.
– They ask questions that are not directly related to their objective and want the victim to supply the answers with the information they really want.
– Use statements that make the person feel a certain way.
– Fear of reprimand or losing their job.
Source: NSU
From some of the assignments that I have been on, I know that claiming to be a manager, or a boss can usually get the help desk to cave in pretty quickly, especially if it is high enough in the company or there are enough people in the company that personally knowing someone is impossible. Alternatively, if the help desk knows that if they do anything to upset management they will be fired, that first tier will be more likely to turn over information out of fear of loosing their job or ticking off a senior manager. This works about 99 times out of 100 because the help desk personnel either knows, assumes, or have evidence that they are disposable and management will not back them up on a decision.
Social engineering relies on someone outside the company getting information from a group of people who are disposed to want to help the customer, has an insecure job position and or weak management that will not support the decisions of the help desk.
Social engineering also relies on the ability of the social engineer to elicit or work around the help desk person or person answering the phone a response to a series of questions that build trust very quickly, and then once the trust is established, go for the information that is wanted either directly or inferred. Multi-tiered attacks, over a series of days also builds out trust, and lets the social engineer gather a lot more information of value than would under a “smash and grab” social engineering scenario.
Call backs, in that if someone calls wanting information, you say thank you I’ll call the help desk right back, and call the internal help desk to see if they just called. False calls mean that there is social engineering going on. Never pass out a password to anyone on a phone, even if the caller id says that they are internal. Use a one-time password and e-mail it only to a corporate e-mail address.
The real outcome on this is that the people who answer the phone need to know that if someone is just not behaving as if they are part of the organization. Or are asking for things that folks should not have then it is time to get the number (caller ID is excellent) or do call backs as a normal company policy, or just say no and refer the issue upwards to a tier that can hold itself against a raging senior VP. Social engineering can be reversed, especially if there is a policy of callbacks to the service desk, and the manager can hold their own against people who are trying to throw their weight around.
Tag:
