Losing Enterprise Data Through Social Engineering


Imagine sitting at home when you receive a phone call from a complete stranger requesting various pieces of personal information. In exchange for revealing your information, they may tell you that you have won something, such as a clearinghouse sweepstakes, a certain amount of money or some other prize that distracts you entirely from the fact that you are speaking to a stranger. This is called social engineering. It also happens when a piece of spam e-mail entices you to provide the same type of information in exchange for a large sum of money left by a long-lost relative to whom you appear to be the only heir.

Hackers trained in the area of social engineering took part in a contest at the Defcon security conference in Las Vegas. The participants used their social engineering skills against major corporations to get employees to divulge pieces of information that could be used in a variety of computer hacks and attacks. While the information did not involve anyone's personal details, such as a Social Security number or a home address, it did include what kind of browser they were using, the browser version number, what software the employee or company used for PDF documents, the type of operating system the company used, which e-mail client was used, any antivirus applications, and their local wireless network provider.

One of the contestants contacted a major company and, while being watched by the audience, reached an employee in the IT call center department and pretended he was a consultant performing a very critical audit. Even though the employee requested an employee number to verify who he was speaking to, the hacker talked his way around it with a story about how vital it was that he complete his audit. The employee, who had been with the firm for only a month since his hire, was only too happy to comply. Not only did he answer every question he was asked, he even visited an imitation web page that had been set up for this purpose. This is only one example, as every company chosen in this contest provided the information that was asked for. One of the creators of the contest firmly believes those who were called would have given up much more sensitive information, including passwords, if they had been asked.

The rules of the contest did not allow any questions that asked for sensitive data or that were targeted at certain kinds of business or organization, including any financial institutions or government facilities. The individual who had the best call of the day said he had performed this type of social engineering for more than 15 years in his job as a security consultant. He also said he did approximately 20 hours of preparation before the contest, so he knew exactly how to reach the information technology call centers and which names to use once he contacted an employee.

“Getting a new employee means you have contacted the best source available. If you choose an individual who is higher up in the organization, you'll probably get nothing from them as they have a great deal to lose.”

The next contestant bypassed the call center and decided to contact someone in the security department at a very well-known organization. He indicated he was performing a survey for a well-known technical magazine. To the employee's credit, he recognized exactly what was happening and refused to answer the questions. Those participating in the contest were given a total of only 25 minutes to obtain the information. The next contact, who worked in the security engineering department and had been hired only two months previously, provided a great deal more information. First the contestant loosened up the employee with some easy questions about how satisfied he was with his job and how he liked the food in the cafeteria, then moved in for the kill. The employee divulged that the company was using Windows XP Service Pack 3, that their antivirus application was McAfee VirusScan 8.7, that they used Outlook 2003 as their e-mail client, and that they used Internet Explorer version 6. The contestant then told the employee to visit a certain website to receive a $25 coupon for participating in the survey, and the employee did so.

As stated by the creator of the contest, “If this was a real security audit that was being performed, every company we called in the contest would not have passed. Even though there were certain employees who did not answer the questions, we were able to make another phone call and locate an employee who was more than happy to assist us.” A lead trainer employed with Offensive Security stated, “the main idea of this contest is not to bring shame to anyone but to highlight awareness of how social engineering works and is very successful. It is the easiest method currently used to hack your way into an organization.” While companies use sophisticated technical methods to protect their critical information, they completely ignore the weak link in the chain, which is the very individuals they employ. “Employee resources are the fallible area within an organization. They prove to be the easiest path used by hackers.”

One woman decided the questions being asked were not appropriate and ended the phone call after 20 seconds. But another hacker was able to call an employee who provided answers to practically every one of the 30 to 40 questions on the hacker's list, including information that had nothing to do with the contest list. “Some employees executed their e-mail clients, their Adobe Reader, or opened up Microsoft Word, opened up the About screen on the Help menu and provided the complete version number of their application. If they had provided this information to a hacker, the complete software version number would have given the hacker a higher success level. This would have allowed a specific hack to be created to take advantage of any vulnerabilities in that software application.”

When the Financial Services and Information Services Analysis Center learned about the contest, it warned various companies to be on the alert during the Defcon conference. Those who put the contest together contacted the agency, offering to assist in educating and training individuals on how to recognize and mitigate attempts at social engineering. Various United States federal government agencies have also shown an interest in the reports compiled from this information, as they can learn how to reduce this threat. Contest organizers indicated they are more than happy to share their findings with law enforcement agencies.

CISSP training courses in information security bring a very large amount of awareness and knowledge in these critical areas. Social engineering is only a small part of the many areas requiring stronger defenses in order to greatly decrease the loss of critical information. Center for Technology Training provides strong certification training in the realm of information security, including topics such as organizational security, security risk management, access control, cryptography, network security, and many more.

About Us: SSC Training is the place to go when IT training, desktop training, and IT certification skills are needed. Courses involving Microsoft Office, Microsoft Windows 7, Cisco, Oracle, SharePoint, and many certification training courses, including PMP project management training and CISSP information security training courses, are readily available. Using up-to-date technology, the online videos are very easy to use and very enjoyable for gaining the supplemental education you need. SSC Training has standard and customized training courses when you need them.