Imagine your office building. Would you class it as secure? Do you think it is safe from intruders? Probably not. Almost certainly not from people like Sophie. We interviewed a professional penetration tester. She carries out social engineering assessments on businesses to identify weaknesses before a genuine attack can take place and cause devastating consequences. She gets paid to think like a criminal and take advantage of the human condition. Take a look at some of her insights.
What exactly is a social engineering attack?
Social engineering attacks target the weakest link in a corporation’s security, which is their people. Social engineering involves using deception to manipulate a group or an individual in order to elicit information or gain access. In short: I lie to people to get into their stuff.
What is the most common way to attack a business?
From a social perspective, phishing and vishing (phone phishing) attacks are the most common and the most devastating.
What do you find are the most widely seen security vulnerabilities in businesses?
Depends on the type of business. Many smaller organizations have physical security flaws within the buildings themselves that are easily taken advantage of. Larger companies with more resources usually have more secure architecture. The problem I see most often in companies like this is that because the building seems so locked-down, the employees inside don’t believe unauthorized users can gain access. The internal security awareness culture is more relaxed.
Can you give us an example of your work?
Normally these stories can be lengthy, but I’ll make this one brief.
I was tasked with breaking into an office building that had a restaurant inside. I had a hunch that there must be a way to get into the office space from the restaurant. So my partner and I created aliases as restaurant safety inspectors. We made badges, business cards, and a website for our fake company. We printed inspection reports for the county and approached the site on a very busy Friday evening. Normally, kitchen staff are supposed to verify the inspectors and tail them through the inspections. They were too busy to bother with us, so we went through the kitchen, making notes and taking measurements. I still didn’t see a sure path to the office. In the corner I saw an older woman arranging flowers to set as centrepieces on the tables. I approached her with a smile and introduced myself and my partner as my inspector-in-training. We chatted with her about her experience working for the establishment and, after a few minutes of conversation, I asked her if she could show us to a place where I could sit down with my trainee and show her how to write up the report. We had built up enough rapport with her that she didn’t hesitate to show us to the back entrance to the office building and unlock the door for us. We had free rein over the office space until long after the restaurant closed.
Are there any industries you think are most prone to social engineering?
Certain groups of people can be more vulnerable to social engineering. In very friendly cultures like those in Southern states or on the West Coast, folks are eager to help, and don’t like feeling rude. So they are less likely to ask too many questions. People who are very active on social media are my most common targets, because they are already predisposed to giving out a good deal of information.
What do you think are the best defences to social engineering?
Always question your assumptions, especially with people you don’t know who are asking for information or access. Security protocols exist for a reason. Know yours and follow them. People who follow the rules make my job as a social engineer much, much harder.
So there it is: no matter what you might believe, your business is never fully secure from attacks that can devastate your reputation. Educate your staff members on security protocols, encourage them to ask questions, and emphasise the importance of following security processes and procedures. Take some time to think about whether you need some extra layers of security in place to protect your business. SmilePass has its own way to protect your business from social engineering using border level security. Contact us to find out more about how we can benefit your organisation.
Take a look at Sophie’s Twitter.