Knock, Knock...Do You Know Who’s There?

by Jeff Ahlerich, Director, Professional Services, Coalfire

Imagine that a burglar has targeted your house knowing it contains some valuable loot. You have it well protected by a razor wire fence, a pair of angry Dobermans, and motion detectors wired directly to the cops. What will he do? I’ll tell you this—he’s not going to climb over that fence in the middle of the night wearing a mask. A smart thief will put on his best face and do whatever is necessary to make you invite him in. Are you vulnerable?

Now consider your sensitive business data. You’ve gone to great lengths to keep it safe, but no savvy cyber crook is going to relentlessly pound at your perimeter firewalls until a hole appears. He knows that the weakest link in your data defense is your people, and he’s going to do whatever is necessary to make them unknowing allies in his pursuit to get the goods. This is known as social engineering, and it’s a very real threat to your organization.

Regularly, I’m invited to break into businesses just like yours to discover how vulnerable their data is. With a fresh haircut, a clean shirt, and a fake badge, I can typically walk into most medium/large businesses unchallenged and get an all-access pass by simply looking and acting the part. It’s rarely difficult to find an unoccupied office, cubicle, or community printing station. After that it’s a fairly trivial task to locate an unprotected, active network port I can use to hack into weak systems on the network. Or, maybe I find an unattended computer. Using a special boot disk, I can crack passwords without blinking an eye. Or, I drop a few USB sticks around the office. Then I leave and let unsuspecting employees pick them up and plug them in. And voilà! I have what I want and no one suspects a thing.

I don’t even need to go to your office to take what I want. I can put together an effective email phishing scheme from my own living room. Finding a list of your employees and their email addresses is not a challenge. I simply compose an official-sounding letter using a fake email address that appears to be from the Human Resources or IT department. I slyly lead your people to a cloned website and direct them to update their records. I usually get a 15-30% hit rate that lands me a nice list of user names and passwords. In other words, I’m in without even breaking a sweat.

Social engineering can be incredibly complex and amazingly simple. The very mystery of this “dark art” keeps many organizations from broaching the subject of their own vulnerability. Ultimately, your people are your most valuable asset as well as your greatest risk. Regardless of the technologies you implement or the physical barriers you construct, real security is all about the training, awareness, diligence, and honesty of the company insiders.

Comprehensive, and sometimes covert, testing of your security measures is imperative to the overall safety of your business data. Coalfire helps organizations with a full suite of social engineering assessments. We customize testing programs to meet the needs of unique physical and employee environments. Our services include technical measures such as phishing, staff impersonation, pretext calling, and physical control tests including piggy-backing, lock testing, and other physical entry methods. You should feel confident knowing exactly who’s knocking at your door and assured that the employees who answer it are armed with the knowledge and tools to protect your business.