A report by Social-Engineer.Org reveals some alarming information regarding a DEFCON CTF contest which included targets such as BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola, Symantec, Philip Morris, Walmart, McAfee and Ford.
One of the most worrying findings was that it doesn’t take a seasoned expert in social engineering to successfully penetrate a company.
Inexperienced attackers have easy access to free resources including Facebook, LinkedIn, Twitter, Google Search, and Google Street View. These resources, coupled with call centers and customer service departments that are focused on customer satisfaction, were enough to gather valuable information from most targeted companies.
For the more resistant targets, there were plenty of believable pretexts to choose from (e.g., employee satisfaction survey, helpless customer, recruitment agency interviewing a former employee who just posted a resume on a job-seeking website, etc.). As a last resort, any resistance encountered was easily overcome by simply hanging up and calling again until a more cooperative employee could be reached.
Sensitive information (e.g., financial, strategic, etc.) was off limits for the CTF, but fair-game “flags” included employee schedules, browser versions, and anti-virus software used. Contestants were also encouraged to fool targets into opening a fake URL as a way of demonstrating a very common attack technique.
Based on findings from this contest, the average entry-level and call center employee did not appear to have adequate security training. As a result, they typically did not sense any danger in being as helpful as possible in sharing information that they perceived to be trivial. With the right information (i.e., the above-mentioned flags), social engineers can pretend to be an insider, essentially gaining the trust of key gatekeepers within any organization, which ultimately leads to the compromise of sensitive information.
The big challenge for any organization looking to defend itself from this threat will be to find a balance between its customer-centered training and its anti-social-engineer security training. Companies want to help their customers, but they don’t want to share seemingly trivial information that ends up sinking their ship.
Savvy organizations have found that the best prevention naturally falls into place when they identify any security training gaps, include all employees in their security training program, and distribute anti-social-engineer tips on a regular basis.