Original article by IT Governance: here
So a while back I was interviewed by Lewis Morgan from the IT Governance Blog and thought I’d share this on the site. It is a little tongue-in-cheek reading it back, actually! But genuine nonetheless.
First, let’s quickly cover the basics: what is social engineering?
Well, a good question straight away. Social engineering (SE) has several well-adopted meanings. People might refer to the act of governments engineering societies as social engineering, for some the term is used when you are trying to scam a free item from a company or maybe persuade someone at work to like you more. But for me it only has one meaning:
Social engineering: Obtaining confidential information and/or wealth by manipulating and/or deceiving people.
Why might social engineering be preferable to other means of attack?
It’s simple, it works. There is no other reason why it’s number one on the criminal hacker’s agenda. Corporations can spend thousands on online security and traditional pen tests building a strong defence so not everything is exploitable by teenage kids these days. Compromising a network could take months using traditional methods and attacks – if at all possible! But you can also just walk right up and grab what you need in person. It’s quicker, easier and can reap greater rewards.
When targeting an organisation, what is the social engineer’s most common approach?
A bloody quiet one! You don’t just turn up one day and start sifting through their rubbish. That’s not what it’s about. You identify your attack target, then you want to know everything about them. Usually I target companies, so for a start I want to know everybody that works in that company. I look them up on social media, I interact with them online, building trust and securing a credibility I will abuse later on. From this information I can work out everyone’s email addresses and usernames, and progress to direct interaction with staff. When I have more options, yes, I may then start stealing bins to dig deeper but a fear I have is being caught by a client stealing a bin on day one of an assessment.
Is there a specific approach that has a higher success rate than others? I’ve read that many locations can be compromised simply by wearing a high-vis jacket and a hard hat, carrying a clipboard and adopting a plausible manner. Is this true, or is there more to it?
Yeah, this isn’t untrue, but it’s a funny way of looking at it. If you’re sneaking into a concert, sure, it’s about the right amount of effort you should be doing: a little disguise and a cheeky story and you’re backstage. But what I do is replicate crime. I try very hard to bring the realest attack I can bring to a company, and in a real-life attack with, say, a simple block of gold as the target, criminals wouldn’t shuffle in with a coffee cup saying they are lost. In crime, there is the real risk of ten years inside for these actions and you have to test on par with that level of preparedness. There are too many people in this industry that think we are defending our companies against bumbling idiots with a clipboard here to service the fire extinguisher. The real risk is a very dark and thriving underground coming to visit your workplace and homes to exploit you. The best approach is all of them: phishing, vishing, SMShing, elicitation, etc. Take them out for a fancy meal and tell them you love them if it works, and you simply crank up the pressure until it does.
Is there a common ‘go-to’ approach for getting into a secure building?
Always follow company sign-in procedure and remember to sign out for fire safety reasons.
When carrying out on-site social engineering, how does a social engineer pick a target? And how does a social engineer pick his target when working remotely?
Whilst on-site, everyone is fair game. Within a few seconds face-to-face I get a feel for someone and what kind of conversation will get the most impact. If they tug at their top or look at the floor – or show any signs of being unconfident – I will instruct them to do what I want, using authority or an assumed power (fake ID, a nice suit, etc.). If they are dominant, I will quickly become a lost insignificant employee struggling to find the nearest toilet. It’s about being on your toes! Working remotely, you can lean heavily on social media to profile a person and assume what their personality is. You can look for what they believe in! Religion I find a strong indicator of gullibility. (Not wanting to cause offence but a little bit of “god bless” on an email gets me results.) Another example is if they are showing narcissistic traits I will pay compliments and build a bit of a bond to help identify a good target.
We often hear about social engineers’ successes, but rarely of their failures. If a social engineer fails to compromise a location or network, do they typically try other targets or just give up?
When I first started this game I did a few jobs and thought I was Superman; my ego was up until I realised it’s not even that hard. In traditional pen testing you have a deadline, you have a certain amount of hours to reveal this secret door. Social engineering is a much more laid-back kind of test. Like a criminal, I have this large invoice at the end of it – the criminal would have the data or stolen items to sell, etc. And you just do what has to be done to get it. You have bad days but you just go out for the day, do a little shopping and try something new the next day. Social engineers do a lot of things but they are very determined, focused people. My hands are tied a little more by laws. In the wild, you might try to compromise one of their suppliers if it wasn’t working out, or a courier, etc., but I can’t do that as they are not my client and have not signed off on my testing contract.
Can you tell us any examples of someone successfully engineering their way into an organisation by using an impressive array of techniques? Similarly, do you have any examples of someone getting in by doing something very basic?
There are many good stories available on the subject but ‘getting in’ can really be only half of it. I have personally used everything from military-grade hacking toys to a jolly good story to get in, but keeping it all really natural and blending in is the key part. Whatever tricks you use, it has to be discreet.
What is the single most effective action that organisations can take to ensure their staff are prepared to deal with social engineering attacks?
A data breach. Just take the hard drives out of the computers and send them to hackers in the mail. It is sadly the only time many companies really pay attention to their security and it’s a shame it always seems to be done in hindsight. The companies that think they are safe are the worst and they have to consider more niche and realistic ways of testing their security.