This part of the presentation encompasses Chris Hadnagy’s first three preventative tips to identify social engineering attacks and be cautious about sensitive company information that employees possess.
So these six tips that we are going to discuss here are vital for us today. It’s very important that we apply them and learn from them so that we do not become victims of social engineering attacks.

1. The first is learning to identify social engineering attacks. If you haven’t heard of the famous social engineer Johnny Long, who wrote a couple of books, one of them is called “No-Tech Hacking”. And I had this one engagement that I was hired to do for a large international organization. They felt very secure as they had these massive iron doors with bulletproof glass that, even if you broke it, you could not get through. There were couple-thousand-pound magnetic locks. On the outside there were no locks that could have been picked. Inside it was all motion detection. Outside it was all RFID [1]. So they felt pretty secure, and due to that they put no security in the back of their building, thinking that no one would be able to gain access that way.

But after reading Johnny’s book, I was looking for something, and that was in between the two doors – there was a gap maybe about half an inch to an inch wide. Because of the engagement, I was wearing a tie, and in my knapsack I always have a coat wire hanger; it’s a social engineer’s best friend. I unraveled the wire hanger, took my tie off and shoved that through the little crack in the doors, waved it in front of the motion detector – and, well, the two-thousand-pound magnetic locks got bypassed by the tie and the hanger.
So what does this tell you? They wouldn’t have thought of that because they were not aware of the social engineering attacks that are being used today on companies. So becoming aware of these attacks, knowing what kind of attacks are being used and how they are being implemented, is the first and essential preventative tip. If we don’t know what is being used, then we can’t possibly protect against it. So becoming aware of it, using information gathering tools within our security teams, our IT teams or even personally, knowing what’s happening in the market – is a big preventative tip for us.

2. Our second tip talks about security awareness. Now, security awareness for many of us who work within organizations unfortunately tends to be maybe a DVD that you slap in, you watch it, you tick a checkbox that you actually took that training, maybe 45, 50, 60 minutes at a time, and it’s impersonal, and it’s boring, and it’s obviously not working in the industry. We can see by the attacks last year that many of the victims fell for attacks that were very simplistic, like the ones for the IRS.

So security awareness needs to become something personal. In one engagement that I had, doing information gathering on employees, I found an employee who was running an RC racing car club – nothing wrong with that, the company didn’t care, it wasn’t moonlighting, he just ran this little club on the side. People paid a small fee and they were able to come and race RC cars on the weekends. But he was using his corporate email account on his Facebook page where he advertised the service.

So we were able to play a part. I was now Jim and I was interested in learning how to race RC cars, especially the one I’d just got for my birthday. I had some pictures on this website of my new RC car that I wanted him to check out and see if he could help me learn how to race this car efficiently. And of course now we had similar likes, it was very personal. He clicked on the link – and the company was breached.

What does this have to do with security awareness? Well, the reason it worked is that it was personal, it was something that was between him and me, and it was an interest of his. Security awareness needs to apply those same exact principles. If you want it to work, it should be something personal, something that very deeply involves the individual that you are trying to train. And if you do that, then you’ll have success in your security awareness training.

3. Our preventative tip number three, this is kind of an interesting one – employees need to understand the value of the information that they possess. Another story that came to my mind thinking about this question at the bottom – is your waste disposal company important to you? Well, many of us would say: “Of course they are: they take the garbage out”. But what many of us wouldn’t think is that this is a very valuable piece of information.
In one engagement we called the Accounts Receivable department and we said: “Hey, this is Larry, I am calling from ‘ABC Waste Disposal’, a new company in town. I would like to send you a quote”. I built a conversation with her over the phone, and after a few minutes I was able to ask her: “So who is your present waste disposal company?” She gave me the name, and I said: “Okay, I will be emailing you a quote shortly”.
The quote never came, but what I did is I went to the website of the company that they used. I grabbed the logo from the website. You can go online, you find a 5 dollar shirt printing company, and you get a hat and a shirt printed with that logo on it. I then called the security desk and said: “Hey, this is Jim over at your waste disposal company. I am going to send Paul down tomorrow because he has to check out your dumpster, as we got a call from the environmental department saying it was damaged”. He puts the name Paul on the security checklist. The next day I come with my shirt, my hat and the clipboard. A clipboard makes you official, doesn’t it? No matter what you’re doing, if you have a clipboard – you’re official. So the clipboard made me official, I didn’t even need to go through security, they let me right in, pointed me in the direction of the dumpsters – and now I am doing a dumpster dive in the middle of the day, collecting all of their paper trash, able to go through and find the documents that we needed to perform the breach.

Critical thinking is key in this preventative measure. Teach employees to understand the value of the information that they possess: even what seems like a very small and unimportant piece of data can cause a breach. It’s important to know, when we give out information, whether the person we give it to deserves that information. And the question that should be asked is: “Do they have the right to ask for it?” It’s a very important tip here for prevention of social engineering attacks.

[1] RFID (radio frequency identification) is a generic term that is used to describe a system which transmits the identity (in the form of a unique serial number) of an object or person wirelessly, using radio waves.