Andrew Mason, co-founder of RandomStorm

Member Article

Flattery will get you everywhere, even in the most secure systems

Andrew Mason, co-founder of Wetherby IT security and compliance company RandomStorm, discusses the exploitation of human flaws in security systems.

The BBC has reported that tourists in Edinburgh were being targeted by criminals posing as police officers, who stole cash after asking to check their wallets for ID and counterfeit money.

Commonly referred to as “blagging,” social engineering is an issue that affects us all, whether it’s avoiding clicking on malicious links in phishing emails, or teaching your colleagues not to give out too much company information to strangers who visit your premises.

While an organisation can have the most expensive, cutting-edge security systems in place, savvy bosses know only too well that criminals can employ flattery and deception, or exploit employees’ surprise and fear, to gain access to the information or assets that they guard. It was for this reason that RandomStorm’s Senior Security Engineer, Gavin Watson, spoke to a packed audience at last month’s premier information security conference, Infosec Europe.

One of the most heart-breaking examples of the impact of social engineering was the death of Jacintha Saldanha, a nurse at the King Edward VII private hospital, which treated the Duchess of Cambridge in December 2012. Mrs Saldanha put a telephone call through to a duty nurse, who divulged private information on her patient’s condition, after answering a hoax call made by Australian “shock jocks” pretending to be members of the royal family. At the inquest last year, the Saldanha family’s barrister asked whether Mrs Saldanha had been provided with the appropriate training to deal with such an attack.

While some would view the incident as a prank that had tragic consequences, the DJs employed a tactic that is also exploited by criminals to gain access to sensitive customer information.

At Infosec Europe, Gavin Watson spoke to a crowd of more than 100 business managers and security professionals about the common social engineering tactics employed by criminals. He described how businesses can develop frameworks to test an organisation’s level of vulnerability to social engineering attacks.

When undertaking social engineering penetration tests for clients, RandomStorm applies tactics such as:

  • Donning a uniform, or copying a company logo, and trying to gain physical access to the client’s premises by sweet-talking the receptionist.
  • Checking that security processes are followed when visitors call at the company premises.
  • Looking at the position of the entry keypad on external doors to check whether it can be spied upon.
  • Applying pretexts to check that staff will not be bullied or coerced into revealing company or customer information.
  • Looking at publicly available information to check whether it could be used in a phone call, or phishing email, to persuade employees to yield additional information that could facilitate a hack.
  • Developing structured target identification and pretext design mapping, to create a framework for comprehensive testing of an organisation’s vulnerability to social engineering attacks.

During his presentation Gavin provided examples from a book that he and I co-authored with Richard Ackroyd, “Social Engineering Penetration Testing”, which is due to be published by Elsevier in June 2014. The book describes how organisations can test how vulnerable they are to a social engineering attack, and details the frameworks that can be used to assess how well a social engineering penetration test has been performed. We also share real-life scenarios that can be used to train employees to recognise criminals’ tactics and stop an attack in progress.

Judging by the queue outside the Infosec Business Strategy Theatre last Wednesday, social engineering is a problem that affects all organisations.

This was posted in Bdaily's Members' News section by Andrew Mason.
