Social Engineering - Christopher Hadnagy [189]
Baiting: An in-person attack where access is gained to the target’s building or other property by some method, and USBs or DVDs are dropped that contain malicious files on them embedded with malicious code.
Tailgating (or piggybacking): An in-person attack where the auditor attempts to approach a group of employees to gain access to the building by just following them in.
Physical Security (Red Team): An attempt to gain physical access to an office and take items of value to the company.
This short list can help a professional auditor set some guidelines to define what should and should not be included. Still, one of the largest problems many companies have is trying to pick out a good auditor, one who can accomplish these tasks at hand.
Choosing the Best Auditor
If you broke a limb and the damage was bad, and a doctor told you that you have a chance for only 50% recovery, but that going to see a good surgeon could increase those odds, wouldn’t you search high and low for a good surgeon to fix your problems? And when you found him, what questions would you ask? Wouldn’t you want to see his past work? You would want some proof of his ability to grasp the concepts and perform the tasks that would increase your chances of recovery.
You follow a similar process to find the right auditor. Here are some of the basics that you might want to find out as you speak to an auditor:
Knowledge: Has the team released any research, papers, speeches, or other materials that display they are knowledgeable about social engineering? Are they known in the community for being leaders in this field? You do not want to trust your audit and security to a team that is using outdated methods and is not up on the most recent tactics being used.
Determining the amount of knowledge an auditor and team has is hard to do without a little research. Asking auditors about any papers, articles, or information they have written on the topics is not a bad idea. Make sure the team you hire is at the top of its game.
Experience: Clients often do not want to be identified or named. In my case, many clients do not want to be put on a website or marketing material because they feel this will embarrass them or make them vulnerable. But you can determine the experience of the auditor in other ways. Ask him about the methods he has used and how he implemented solutions in the past.
An auditor often does not want to let all the secrets out of the bag in an initial meeting, but ask him for one or two accounts of attacks he launched, which will help you determine his level of skill.
Contract: Having the audit completely outlined, documented, and limitations set can go a long way toward a successful audit. Personally, I do not like to work with a ton of limitations because most malicious social engineers do not have any at all. But at least a small subset of rules written out on what is and is not allowed should be agreed upon.
A social engineer wants permission to record phone calls; video-record the building and interactions; and especially if an audit includes physical security, to have written permission to remove items from the premises. An auditor doesn’t want to finish the audit just to be presented with a warrant or a lawsuit.
Also designate an emergency contact person who knows about the audit and can vouch for the auditor and team. If an auditor finds himself in a legal jam he’ll want a number to call. No one wants to be performing a late-night dumpster dive to be met by the police and have to sit the night in jail. Having a contact person provides a “get out of jail free” card and can save a lot of hassle in the long run.
Rapport: Apply the principles in this book to find a good auditor. When you speak with him on the phone or in person how does he make you feel? What do you see? Do you get the sense he is very professional and his goal is to really help you?
Does the team