Social Engineering - Christopher Hadnagy [187]
2. After getting the identifying information, ask for the project ID number related to the project he or she is managing that requires this information.
3. If the information in steps 1 and 2 is successfully obtained, comply. If it’s not, ask the person to have his or her manager send an email to your manager requesting authorization and terminate the call.
A simple script like this can help employees know what to say and do in circumstances that can try their security consciousness.
Learning from Social Engineering Audits
If you have ever broken a limb you know that as you recover your doctor may send you for therapy. As therapists rehabilitate you, you may undergo some stress testing. This type of testing enables your doctors to see whether you have weaknesses that need to be strengthened. The same applies for your business, except instead of waiting for the “break” to occur before you “test,” social engineering audits enable you to stress-test your company before a breach occurs.
The following sections answer a few key questions when it comes to social engineering audits and how to choose the best auditor. Before getting into the depth of social engineering audits, you should know what an audit really is.
Understanding What a Social Engineering Audit Is
In the most basic terms a social engineering audit is where a security professional is hired to test the people, policies, and physical perimeter of a company by simulating the same attacks that a malicious social engineer would use. The two main differences between a malicious social engineer and a professional auditor are:
Usually, moral and legal guidelines exist that a professional auditor will follow.
The goals of the professional auditor are always to help and not to embarrass, steal, or harm a client.
Professional audits generally have scope limitations that are not imposed upon real attackers.
The professional auditor will spend a lot of time analyzing and gathering data on a “target” or client and will use that information to develop realistic attack vectors. While doing this the professional auditor always keeps in mind the goals that are set forth in writing for each audit. This is an essential piece of the puzzle, because it can be tempting to go down a path that has very bad repercussions for both the SE and the target. Clearly defined goals can keep a social engineering auditor from making that mistake.
Setting Audit Goals
The professional social engineer must engage in moral and ethical behavior while still stretching across that line that allows him or her to put on the true “black hat” of a malicious social engineer. This means taking note of anything that he or she can use to gain access and expose a hole or weakness in a company’s defenses, no matter how minor it may seem.
Finding the security gaps has to be balanced with a concern for the individual employees. Companies that are successfully breached during a social engineering audit often think that firing the employee(s) who fell for the attack fixes the problem and plugs the “hole.” What the client fails to realize is that after an audit, those employees who did fall for the attacks are probably the most security-conscious people in the building at that time.
The professional social engineer must take extra precautions to ensure that the employees are not put into the line of fire. Personally I make it a key point to tell clients that the audit is not about the employees and, as far as I can help it, I do not include the names of the employees who were used. In cases where that cannot be helped and I need to include those names, I focus the report on the flaws in the company’s training, policies, and defenses that allowed the employee to falter.
Throwing an employee under the bus, so to speak, or ruining his or her character or life should never be an option for a routine social engineering audit. When setting the goals of an audit with an auditor I define the level of intensity from 0 to 10 for these key areas:
To determine whether employees will click on links in emails or open files from people