About a year ago I had missed an interstate flight and found myself at a certain airport with eight hours to kill and few ways to do it.
I took a call from a hacker friend well versed in the ways of social engineering. With a little liquid confidence and a few lessons in building a pretext, I decided to test the social engineering savviness of one airline staff member who was guarding access to a premium lounge.
It took no more than a run-down of how the airline grants access to its lounge (and a change into a collared shirt) for me to be sipping a flat white and killing time in a leather chair.
The receptionist ostensibly knew who was and was not allowed into the exclusive area -- a fairly cut and dried matter of showing a card -- but she wasn't trained in the ways someone may skirt it.
Neither was the airline aware of ways its access control could be circumvented, or it didn't care enough to stop it, but my simple, unskilled first stab at social engineering demonstrated how the odds are stacked in favour of attackers.
It also showed that knowledge of policy alone was as ineffective at defence as keeping a journalist away from free stuff.
The SendGrid case provides the most recent example of this; one staffer at the email distributor approved over the phone a request from someone claiming to be from SendGrid customer and US cloud provider ChunkHost.
The swindler wanted to change the company's email address - a request that when approved (despite being in breach of company policy) gave them enough information to hack the customer.
The con allowed the attacker to activate SendGrid's blind carbon copy feature and obtain copies of password reset emails it sent to two of ChunkHost's customers.
The attack later failed thanks to ChunkHost's two-factor authentication, but so did SendGrid's security policy.
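The chain described above (a contact-email change approved over the phone, BCC enabled on outbound mail, password-reset mail exposed, 2FA as the last line) is a sequence a defender can both gate and detect. The following is an added example and is not SendGrid's or ChunkHost's code; the audit-log format, field names, account ids and timestamps are constructed for illustration. It shows a policy gate that refuses support-initiated email changes lacking out-of-band verification, and a detector that alerts when an email change is followed within a short window by BCC enablement and password-reset mail.

```python
"""Added example (not from the column): gate and detect the account-change
sequence described in the SendGrid/ChunkHost case.

Assumptions: a line-oriented audit log with key=value fields; event and field
names are invented for this example.
"""
from datetime import datetime, timedelta

# Constructed sample audit log; accounts, actors and timestamps are invented.
SAMPLE_LOG = """\
2014-04-10T09:02:11Z acct=cust-0042 event=support_request type=change_contact_email actor=phone verified=no
2014-04-10T09:05:40Z acct=cust-0042 event=contact_email_changed old=ops@example.test new=someone@example.invalid actor=support:agent7
2014-04-10T09:20:03Z acct=cust-0042 event=feature_enabled feature=bcc_all_outbound actor=account_owner
2014-04-10T09:31:55Z acct=cust-0042 event=mail_sent category=password_reset recipient=user1@customer.test
2014-04-10T09:33:12Z acct=cust-0042 event=mail_sent category=password_reset recipient=user2@customer.test
2014-04-10T11:00:00Z acct=cust-0099 event=contact_email_changed old=a@x.test new=b@x.test actor=account_owner
"""


def parse_line(line):
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *kvs = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for kv in kvs:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def policy_allows_email_change(request):
    """Policy gate: a support-initiated contact-email change is applied only if
    the request was verified out of band (e.g. confirmed through the existing
    address or a callback number already on file), never on the caller's say-so."""
    return request.get("verified") == "yes"


def find_risky_sequences(records, window=timedelta(hours=2)):
    """Alert on accounts where a contact-email change is followed within `window`
    by enabling BCC on all outbound mail and by at least one password-reset mail.
    Each of these is benign alone; the sequence is what matters."""
    by_acct = {}
    for r in records:
        by_acct.setdefault(r["acct"], []).append(r)
    alerts = []
    for acct, recs in by_acct.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["event"] != "contact_email_changed":
                continue
            later = [x for x in recs[i + 1:] if x["ts"] - r["ts"] <= window]
            bcc = any(x["event"] == "feature_enabled"
                      and x.get("feature") == "bcc_all_outbound" for x in later)
            resets = sum(1 for x in later
                         if x["event"] == "mail_sent"
                         and x.get("category") == "password_reset")
            if bcc and resets:
                alerts.append({
                    "acct": acct,
                    "email_changed_at": r["ts"],
                    "new_contact": r.get("new"),
                    "password_resets_exposed": resets,
                })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    req = next(r for r in recs if r["event"] == "support_request")
    print("policy allows change:", policy_allows_email_change(req))
    for alert in find_risky_sequences(recs):
        print("ALERT", alert)
```

On the constructed log the gate rejects the phone request because it was never verified, and the detector raises a single alert for `cust-0042` with two exposed password-reset mails; the unrelated owner-initiated change on `cust-0099` produces nothing. The point of keeping the policy check as code rather than a paragraph in a handbook is that it is exercised on every request, not only remembered on a good day.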
We don't know if SendGrid rehearsed its social engineering policy, but it is clear that security dogma when left to paper is soon forgotten.
The hack was one of scores of more devastating multi-faceted attacks that have been launched using information or access acquired by tricking staff.
Organisations therefore must bolster their social engineering policies by regularly reinforcing the defensive message. One of the best ways to do this is by tasking internal security teams or external contractors to launch mock attacks against staff to test their resilience.
Twitter was one of many organisations which conducted regular phishing attacks against staff in a bid to pry from them information that would be useful to attackers. Its attacks were dynamic and increased in complexity as employees became better at recognising the ruses.
The company boasted that staff actually enjoyed the tests and the prizes that came along with being more security savvy.
You don't have to reinvent the social engineering wheel; PhishMe was the first white hat phishing service to hit the market and in its wake dozens of paid and free applications exist to help security teams form phishing campaigns and plot the resilience of their staff.
SendGrid is just one of many companies to fall prey to social engineering attacks, one of few to be aware of it, and one of fewer to have had any policy in place that mentions the attack vector.