Companies issued failing grade in social engineering experiment
Companies are failing the social engineering test, big time. This was the conclusion of a contest held at the DEF CON 18 Hacking Conference last weekend, in which volunteers took turns calling legitimate businesses and attempting to coax information out of employees that should not have been given out.
Of course, ground rules were established forbidding contestants from asking for passwords, IP addresses and other such sensitive data. Instead, contestants sought seemingly harmless details such as the version of the browser in use and the software used to open PDF files.
The results were sobering, as reported by eSecurity Planet: "Of the 140 phone calls made by contestants to real employees of real companies in an effort to collect information about those companies, only five employees declined to give contestants the information they were seeking." Even so, it was a trivial matter to simply call back and try again via a different employee.
The majority of the people who took part in this contest were not professional security auditors or social engineers in any sense, noted Chris Hadnagy, one of the founders of Social-Engineer.org, which put the event together. Even so, at least one contestant managed to get his target to visit a particular URL, which in a genuine attack could well have been primed with malicious software.
Instead of continuing to pour vast sums of money into advanced network tools such as firewalls and intrusion detection and prevention systems, companies need to realize that the weakest part of their armor is the human element. On that front, the only viable solution, unfortunately, appears to be continual education.
For more on this story:
- check out the article at eSecurity Planet
- check out the article at CNET News