Social Engineering - Christopher Hadnagy [188]

they do not know well, leading to compromise

To determine whether an employee would go to a website and enter personal or business-related information on that site

To determine how much information can be obtained via the phone or in-person visits of employees at work or personal places (that is, bars, gyms, daycares)

To determine the level of security in the office perimeter by testing locks, cameras, motion sensors, and security guards

To determine the ability of a social engineer to create a malicious USB or DVD that will entice the employee to use it on his or her work computer, compromising the business

Of course, more areas will be tested, but what I try to do is outline closely the goals the company has for this audit. What I find is that companies often do not know what they want. The auditor’s job is to walk them through different avenues into the company and to determine which of those they want tested.

When these goals are clearly defined, you should also include a list of things that are never to be included in an audit.

What Should and Should Not Be Included in an Audit

Many different ways exist to test the outlined goals and see clearly whether a security hole exists in a company. Using all the principles in this book can help outline a good plan of attack. However, some things should be avoided when planning an attack, such as:

Attacking a target’s family or friends

Planting evidence of crimes or infidelity to discredit a target

Depending on the laws of the land, impersonating law enforcement can be illegal

Breaking into a target’s home or apartment

Using evidence of a real affair or embarrassing circumstance to blackmail a target into compliance

Things like these should be avoided at all costs because they do not accomplish the goal and leave the target feeling violated. However, the question does come up of what to do if, during an audit, evidence of some of these things appears. Each auditor must personally decide how to handle such circumstances, but consider a couple of examples.

In one audit, an auditor found out an employee was using the company’s high-speed Internet to download gigabytes’ worth of porn to external hard drives. Instead of risking the employee getting fired, he went to the employee and told him he knew, but that he didn’t want him to get fired, and just gave him a warning to stop. The employee became embarrassed and upset and figured the auditor was still going to report him. He decided to preemptively combat this and went to the owners, claiming the auditor had planted evidence of this offense on his computer.

Of course, the auditor had logs and screenshots of when the compromise occurred, and the employee was fired anyway. But the auditor was also reprimanded for not coming forward when he found an offense against which the company had a strict policy.

In another account, the auditor found evidence of a man downloading child pornography to his computer and then distributing it to others on the Internet. The auditor knew from the other images on his computer that he had a wife and children and that reporting this would lead to divorce, probably jail time, and the ruination of his career as well as the family’s life.

The law of the land was that child pornography was illegal, as well as morally disgusting and vile. The auditor turned the man in to the company as well as the authorities, which cost that man his career, family, and freedom.

Having a clearly defined “do not” list enhances your audits and keeps you from crossing your own moral and legal guidelines. In one interview I had with Joe Navarro, one of the world’s leaders on nonverbal communication, he made a statement about this point. He said that unless you are a law enforcement agent, you have to decide what lines you will and will not cross before you enter into an engagement. With that in mind, what should an auditor include in audits?

Phishing Attacks: Targeted email attacks that allow a company to see whether its employees are susceptible to attacks through email.

Pretexting In-Person
