Commentary

When Social Engineering Tests Fail

Our company, Secure Network, has performed numerous security assessments and penetration tests, many of which involved social engineering. That's when we test our clients' employees to see if they adhere to security policies. Even with all of the planning that goes on beforehand, these engagements sometimes can go wrong.
Before we proceed with any job for a client, we clearly define the effort and how this will involve the company's employees (as well as mine). The plan of how we will enter is agreed on, as is the identity of trusted contractors or vendors who we will pretend to be. In the event we are discovered, the discussion of our "get out of jail letter" is something that always comes up, often provoking a laugh about not vindicating our actions.

We often request that our client involve executive management or human resources and provide the necessary approval or revisions of the plan. Compromising a network with social engineering techniques can be accomplished in various ways, but most commonly people or a single person is utilized to achieve the goal. So we ask the client to indemnify the individuals and not put their employment in jeopardy as a result of our successful access through their assistance.

With all of this preparation, our goal is to minimize our failure and to provide the client a real-world example of what could happen. Unfortunately, all of this planning can still result in unforeseeable issues. One failed social engineering attempt occurred at a financial institution that retained our services. Under the direction of its chief information officer, we would communicate only through private email, have meetings off-site, and restrict written communication in case it were to be intercepted. On the day we launched our attack, my two colleagues were thwarted by bank tellers as soon as they entered the front door: The tellers had been tipped off and were waiting for them.

Turns out an internal email was sent to the chairman of the board explaining our services and start date. Unfortunately, the chairman's administrative assistant reads all of his mail and leaked our effort to the staff. Although the tellers portrayed themselves as the victors, they and the bank they worked for actually lost. Whether they are truly susceptible to an attack by a real white-collar criminal might never be known.

Another unforeseeable outcome of a social engineering engagement began with a social engineering attempt leveraging company employees who frequented social networking sites. The organization's IT staff was concerned that the users identifying themselves as employees would set themselves up for a targeted phishing attack. The test involved mailing a letter and USB memory stick to the employees on behalf of one of the well-known social networking sites.

Upon completion of the test, the employees banded together and complained to upper management about the social engineering test. The employees expressed their disappointment in having their employer's IT department perform such an assessment. And soon thereafter, the employees turned their aggression against my company. The employees made the argument that they were unfairly tested and that numerous state and federal laws were broken during its execution. Claims were also made that we had performed an "Illegal Human Experiment," comparing our social engineering effort to some of the most heinous atrocities performed against man. Attorneys got involved and we were cleared of all wrongdoing, much to the disappointment of the employees in the client's organization.

About a week after resolving this, one of the largest Facebook phishing attacks hit our nation, impacting our client and its employees who voiced their anger in our testing. Sources indicated they weathered the phish well, with no one falling prey to the real bad guys.

So our security assessment and social engineering test proved to be of some value in preparing those end users for the real thing. I would hope the real white-collar criminals who crafted that attack would suffer the same aggravation and pain we were just put through, and that my company would receive a thank you for preparing those employees to not become victims. Unfortunately, I don't think either will happen.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc.
