We often request that our client involve executive management or human resources and provide the necessary approval or revisions of the plan. Compromising a network with social engineering techniques can be accomplished in various ways, but most commonly people or a single person is utilized to achieve the goal. So we ask the client to indemnify the individuals and not put their employment in jeopardy as a result of our successful access through their assistance.
With all of this preparation, our goal is to minimize our failure and to provide the client a real-world example of what could happen. Unfortunately, all of this planning can still result in unforeseeable issues. One failed social engineering attempt occurred at a financial institution that retained our services. Under the direction of its chief information officer, we would communicate only through private email, have meetings off-site, and restrict written communication in case it were to be intercepted. On the day we launched our attack, my two colleagues were thwarted by bank tellers as soon as they entered the front door: The tellers had been tipped off and were waiting for them.
Turns out an internal email was sent to the chairman of the board explaining our services and start date. Unfortunately, the chairman's administrative assistant reads all of his mail and leaked our effort to the staff. Although the tellers portrayed themselves as the victors, they and the bank they worked for actually lost. Whether they are truly susceptible to an attack by a real white-collar criminal might never be known. Another unforeseeable outcome of a social engineering engagement began with a social engineering attempt leveraging company employees who frequented social networking sites. The organization's IT staff was concerned that the users identifying themselves as employees would set themselves up for a targeted phishing attack. The test involved mailing a letter and USB memory stick to the employees on behalf of one of the well-known social networking sites.
Upon completion of the test, the employees banded together and complained to upper management about the social engineering test. The employees expressed their disappointment in having their employer's IT department perform such an assessment. And soon thereafter, the employees turned their aggression against my company. The employees made the argument that they were unfairly tested and that numerous state and federal laws were broken during its execution. Claims were also made that we had performed an "Illegal Human Experiment," comparing our social engineering effort to some of the most heinous atrocities performed against man. Attorneys got involved and we were cleared of all wrongdoing, much to the disappointment of the employees in the client's organization.
About a week after resolving this, one of the largest Facebook phishing attacks hit our nation, impacting our client and its employees who voiced their anger in our testing. Sources indicated they weathered the phish well, with no one falling prey to the real bad guys.
So our security assessment and social engineering tested proved to be of some value in preparing those end users for the real thing. I would hope the real white-collar criminals who crafted that attack would suffer the same aggravation and pain we were just put through, and that my company would receive a thank you for preparing those employees for not becoming a victim. Unfortunately, I don't think either will happen.
Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.