Is Your Company Vulnerable to Social Engineering?

Thursday, August 05, 2010

Katie Weaver-Johnson


Lessons learned from a recent hacking competition at Defcon revealed yet again that your employees are the biggest threat to your organization.

With just two phone calls, a hacker posing as a Louisiana-based employee handling claims involving the Gulf oil spill was able to trick a computer support employee at BP into divulging sensitive information that could have proved crucial in launching a network attack. 

The employee told the caller which laptop model BP used, the specific operating system, and the browser, anti-virus and VPN software running on it.  The hacker also convinced the employee to visit an unfamiliar web site, Social-Engineer.org. 

Other hackers in the competition asked company employees what version of Adobe Reader the company used or who the garbage collector was that hauled their trash.  Employees seemed extra willing to help the hackers who pretended to lack specific information.  

Several large corporations were targeted, including BP, Shell, Apple, Google, Microsoft, Cisco Systems, Procter & Gamble, Pepsi, Coca-Cola and Ford.  Only 3 of the 10 companies passed the test by not providing any sensitive information. 

Are your employees this gullible?  Is your company vulnerable to social engineering attacks?

By sharing real-world stories like the competition results above, you can help your employees understand risks and potential consequences of revealing sensitive information. 

Managers can help employees understand how they protect their jobs, their organization and its clients by preventing data breaches, information losses, lawsuits and similar consequences.  

Hackers are continuously developing new tactics and more sophisticated strategies for retrieving information from unsuspecting employees. 

Because we know hackers are getting better at social engineering, it is critical for your organization to develop better awareness training and education to keep up with changing risks, threats and more sophisticated techniques. 

Link: Companies Fail Social Engineering Contest

Javvad Malik I think social engineering is one of those things people always assume will happen to someone else. So it's tough to find any one set of educational methods to raise awareness amongst employees.

Also bearing in mind, not all employees are the same. Customer services must maintain customer satisfaction so go out of their way to help. A low-paid dissatisfied office admin will treat information in a different manner. As they say, there's no patch for human behaviour.
Katie Weaver-Johnson Thanks for your comments, Javvad!

I agree that awareness must be gained through a comprehensive approach, training, policies, posters, exercises, reminders, etc. as there is no one set of educational methods that will reach all of your employees on an ongoing basis.

There is no patch for human behavior, but wouldn't it be great if there was "Anti-Virus Software for People"? Every morning your employees could be scanned and updated with new information, risks and best practices!

Javvad Malik Oh no, that's an absolutely terrible idea. If all users became perfect we'd be out of a job real quick :)