Friday, July 16, 2010

Some quick ideas about social engineering

Social engineering has become one of the primary methods of gaining access to information. For instance, we were able to get the IP address of the main facility of one of our pen-test clients simply by calling the ISP and claiming we wanted to set up a web server, so could we please have the IP address? On another occasion, at the reception desk of a customer facility, I was about to be "made" (i.e. discovered as a BS artist) when a higher-up was going to try to determine whether I needed access to the facility. I quickly asked if I could go to the bathroom, and the receptionist helpfully pointed me in the right direction. I waved at the higher-up as I entered the bathroom, waited a minute or two, gained more intel from a fellow who was there, then went to a meeting room and planted a trojaned laptop.

The point is that while some may say we were clever, had some basic procedures been in place we would not have gained access. We gained access by exploiting trust and simple human decency. While I don't advocate a world without any trust or human decency, perhaps some suspicion and hardheadedness is in order at your facility. In the first instance, our identity was not validated at all. In the second, simply waiting outside the bathroom for an escort would have been sufficient to stop someone who wants to gain access to a facility without an appointment. If someone is doing something weird (which is not really the case in the IP address scenario), their actions call for more scrutiny until the weirdness is sufficiently explained. It is my opinion that personnel can do this without being rude or obnoxious.

While social engineering is a potent method of gaining access to information, it is also comparatively easy to stop.

5 comments:

  1. A tactic that I use is levity; it throws people off guard, and while you have them backpedaling on the defense, you go in for the kill. The unsuspecting "client" will give you just about anything with the right mix of humor & confidence.

    eruh
  2. But if the target had some rudimentary procedures and training, all the fast talking in the world becomes ineffective. Social engineering depends on lax procedures and policies, which allow attackers to take advantage of normal human behavior, such as allowing someone to go to the bathroom.
  3. Another human behavior trait would be to laugh at something funny ;-)
  4. Pen-tester: Hey, I need to get into your wiring closet because we are experiencing some phone problems on the third floor and their wiring passes through your wiring closet. It should only take a few minutes. BTW, I didn't catch your name...

    Receptionist:
    I didn't throw it. And who is your contact on the third floor, and what kinds of issues are they experiencing... I just spoke to them a couple of minutes ago...

    It is actually quite simple to thwart a social engineering attack.
  5. Pen-tester: OK, you know what? I really don't have time for... hold on a sec... so if you could just sign this document stating you refused to give me access to the wiring closet, so I can close this work order and move on with my day. I'm sure property management does not want to pay me $200 an hour to argue with a receptionist.
