The social engineer is a fraudster, a prankster, and an academic. They are sales people, psychologists, socialites, politicians and thieves. But in the security space, they are known as attackers who breach security systems by manipulating people, not only machines. And by melding human psychology with technological prowess, they throw traditional security structures into chaos.
Inside social engineering tests
By Darren Pauli on Mar 12, 2012 11:15PM
Silver-tongued swindlers have prospered throughout human history and they continue to thrive in modern social structures.
The social engineer may rip off an individual with a simple scam, or defraud a multi-million dollar organisation with relative ease. That’s because to the social engineer, an organisation is not a unified defensive machine, but a collection of individuals with different levels of awareness, gullibility and privilege.
Even as far back as 2004, analyst firm Gartner had called social engineering the most significant threat of the decade.
In 2010, a local security tester demonstrated how susceptible organisations are to social engineering attacks when he conned a staffer at one of the world’s most recognisable beverage companies into handing him the keys to the castle. Wayne, a penetration tester from Sydney firm Securus Global, donned a well-worn disguise as a time-poor auditor as he dialled the company’s IT helpdesk. He knew staff there would have access to the sensitive information he sought.
Wayne the auditor held a higher position than the helpdesk operator who, after a bit of schmoozing and a few jokes over the phone, bent over backwards to give him details of the company’s operating systems and web browsers, its anti-virus solution, radio frequency identification software and telephony platform. Lucky for the company, Wayne was competing in the DEFCON 18 social engineering capture the flag competition, overseen by the FBI. But he could have been anyone.
Others haven’t been as lucky. The most prolific social engineering attack vector is phishing, which hooks innumerable victims each year. Users are just as likely to click phishing links in the office as at home, a fact that led to high-profile breaches at security giant RSA, marketing firm Epsilon, Mitsubishi Heavy Industries and the Oak Ridge National Laboratory. In many breaches, social engineers had sent staff at the organisations crafted emails with malicious attachments that, when executed, provided access into corporate networks.
News of the breaches and a series of large coordinated phishing campaigns targeting chemical and defence industries have increased demand for phishing penetration tests. Companies can test their vulnerability to phishing by using services such as PhishMe.com, which delivers fake targeted phishing emails to staff and measures how many open the would-be malicious content. “Phishing tests provide valuable insight if they are run after security awareness training,” Nick Ellsmore, veteran pen tester and head of business development at StratSec, says. “It provides a measurement from which to gauge whether training has sunk in.”
Companies undergoing social engineering tests should brace themselves for some scary results. One StratSec pen tester who masqueraded as a rogue employee with access to a segregated network breached security controls and stumbled on company merger plans, known only to top executives. “We couldn’t put it in the report, because the guys who would read it had no idea about the merger,” Ellsmore says. Over four days, the tester hauled in sensitive product source code, domain account passwords, router credentials, hardware schematics, and control of the BlackBerry Enterprise Server and CCTV system.
Securus Global managing director Drazen Drazic had similar success during a social engineering test that is one of his company’s most notable. A large company had conducted a sweeping security review ahead of tender contracts worth more than $20 million and requested an engineer walk through its Australian office and attempt to obtain access to restricted areas. “I was able to waltz into the offices, past reception, find an empty office, plug in my own computer and download hacking tools which were used to attack and own the internal systems and data,” Drazic says.
He walked around the office chatting to staff, and entered the server room while being watched by the IT staff without challenge. He had pretty much free rein to bring a corporate to its knees in the space of a few hours. The company baulked at the results and overhauled security, including running regular sweeps of the boardroom for listening bugs ahead of sensitive business meetings.