This week on our blog, we have a guest post from Peter Fellini who is Senior Security Consultant at NTT Security.
I know the title of this blog post seems a little weird. Why would we help a social engineer achieve their goal? Well, we might not want to be we all do it in some way and some people do it better than others.
Social engineering is the art of manipulating people to give up information or to perform a task they might not otherwise perform. Social engineers are after the same thing that hackers are after – the crown jewels. Information that otherwise wouldn’t be available to them, like credit card data, financial or PII data. There are a lot of things that motivates a social engineer. They may just want the information to sell or they could want the information to gain an advantage on the competition, but we won’t go into the motivations here.
The question is: how do they do it? They do it by researching a company to find out what they do and how they do it. Next, they start to research the technologies that are in place, vendors that are used, procedures that are in place. They then begin to research the employees, looking for phone numbers, email addresses, Facebook pages, Twitter profiles, Glass Door and other social media. Social media is a big candy store to a social engineer. All this research is called Open-source intelligence (OSINT). It’s free and all you need is an internet browser and Google. All this research is going on and you don’t even know it’s happening – there are no dropped packets, no firewall alerts, no IDS/IPS alerts. It’s silent.
So what information are they looking for? This information may be as innocuous as: what vending company do we use, who does the grounds keeping or pest control, what type of laptops do we use, or even what browser are we using. All this information is used to build a comprehensive profile of a company which can be used for future attacks be it vishing (phishing using the telephone), phishing or physical assessments.
Once the research is complete and the social engineer understands what the crown jewels are and how the company works, they formulate their pre-text. Think of pre-text as a script. These scripts could be emails for a phishing campaign or a script they will call you with and try and elicit information from you. They could also include physical on-site visits. Either way, they are well rehearsed and polished.
What we share on social media may be used by a social engineer. You have shared on your social media account that you work for Company A and recent pictures of your vacation to the Grand Canyon. Those posts by you about your trip to the Grand Canyon can be used by a social engineer to try to establish a connection with you and thus you may be inclined to let your guard down.
The information the social engineer learned about the vending company used by Company A allows the social engineer to locate the uniform used by the company. Should the social engineer show up on-site in the vending company uniform, employees are less likely to confront them or even pay attention to what they are doing even if the actions are not related to vending.
As employees it is our job to help protect the reputation of the companies we work for. No one wants their company on the front page due to a security breach. So what can you do to be less helpful to the social engineers? Be aware of what you are posting on social media. Be careful about what information you provide about the company you work for and your job and with whom you are sharing that information. If someone is calling for a survey and wants to know what technology you use, do not provide any information and not even for a gift card! Be wary of someone that wants your password. No one needs to know your password but you – not even the help desk.