In conversations with CISOs and others in charge of security, the Pwnies keep hearing the same thing: employees are usually the weakest link.
When people think of hackers, the stereotype is still the guy in a basement, working alone, silently and remotely, against targets he will never see. Sometimes that is true, but it ignores a simple fact: often the easiest way into a system is to walk right through the front door, sometimes quite literally.
Lately this threat has become even more visible: many of the recent large breaches used social engineering as the initial attack vector. The now infamous Target and RSA breaches both started with targeted phishing emails. Social engineering’s effectiveness against even established companies is demonstrated every year at DEF CON’s Social Engineering Capture the Flag contest, a competition sponsored by SocialEngineer.org that measures how many “flags,” or useful pieces of information, employees at the targeted companies will disclose. 2014’s theme was “retail,” and most of the organizations tested failed with flying colors.
The most effective security audits take this into account and use social engineering to test the organization: calling the help desk for passwords, looking for devices left lying around, and plugging in hardware that should never have been let through the door. Adversaries do exactly the same things, and employees usually don’t know what has hit them; without knowing how people might take advantage of them, they are left unequipped for the breach.
These problems may be obvious to security professionals, but it can be considerably harder to drive them home with everyone else, especially those who feel that security is taken care of by compliance, or that all cyber attacks are divorced from the physical world. Recalling last week’s post “Scare the CEO,” education is a crucial part of any effective security plan, and the most effective education is hands-on. So show your employees and colleagues what social engineering looks like; as they say, it “takes one to know one.”
As an example of what can go wrong, Pwnie Express has a video called “Don’t Get Pwned,” showing what it would look like for a pentester to breach an office by exploiting common vulnerabilities.
Check out Social Engineer.org for more.