Social Engineering - Christopher Hadnagy [182]
Teach yourself and your employees how to “stop, drop, and roll,” so to speak, when it comes to these types of attacks. What are the latest news stories on how social engineers are attacking companies? Knowing them can be a first line of defense, the same as knowing what a fire can do to your home. Learn the different methods that modern social engineers and identity thieves use. You can find an archive of news stories and examples of social engineers, con men, identity thieves, and the like at www.social-engineer.org/framework/Social_Engineering_In_The_News.
Another good step is reading this book. It is full of all the methods and principles that social engineers use to manipulate their targets. This book is more than just a compilation of stories and wonderful hacks; it offers an analysis of the thinking and tactics used by the malicious social engineer.
Also check out the videos on the www.social-engineer.org site, in the Resources area, which demonstrate exploits in action. The average user does not need to watch them with the intent of understanding how to perform these attacks himself, but to understand how an SE performs the attack.
Basically, the more you know about how these attacks occur, the easier you can identify them in the “wild.” Being aware of the body language, expressions, and phrases used in an SE attempt will make your ears perk up when you hear or see someone utilizing these methods.
You don’t need to spend tons of time learning about SE methods. However, spending a few minutes now and then reading the news and reading stories on www.social-engineer.org or other sites can help you see the methods being used now against companies.
After you have a good basis of knowledge and an audit under your belt, the next step, creating a security-minded culture, will seem simple to develop.
Creating a Personal Security Awareness Culture
In July of 2010 I was part of a small team of security professionals that held one of the first organized and professional-level social engineering contests at Defcon 18. Some of the best and brightest minds from around the globe come to Las Vegas, Nevada, once a year to speak, teach, and learn.
My team and I decided it would be a great opportunity to hold a contest that would showcase whether corporate America is vulnerable to this attack vector (responding to a “contest”). We organized the contest by having interested people sign up to take part in two stages of social engineering: information gathering and active attacks.
To keep the contest legal and moral we did not want any person victimized, and no Social Security numbers, credit card numbers, or personal identifying information would be gathered. Our goal was not to get any of these people fired. In addition, our goal was not to embarrass any particular company, so we also decided that no passwords or other personal security–related information would be gathered from the companies. Instead we developed a list of about 25–30 “flags” that ranged from whether the company had an internal cafeteria, to who handles its trash disposal, to what browser it uses, and to what software it uses to open PDFs. Finally, we chose target companies from all sectors of business in corporate America: gas companies, tech companies, manufacturers, retail, and everything in between.
Each contestant was assigned one target company in secret, on which he had two weeks to do passive information gathering. That meant contestants were not allowed to contact the company, send it emails, or in any way try to social engineer information out of it. Instead they had to use the web, Maltego, and other tools to gather as much information as possible and enter all they found into a professional-looking report.
From the information gathered we wanted contestants to develop a couple of plausible attack vectors that they thought would work in the real world. Then contestants had to come to Defcon in Las Vegas, sit in a soundproof booth, and make a 25-minute phone call to their target to implement their