
5/18/2010 03:16 PM

When Social Engineering Tests Fail

Our company, Secure Network, has performed numerous security assessments and penetration tests, many of which involved social engineering. That's when we test our clients' employees to see if they adhere to security policies. Even with all of the planning that goes on beforehand, these engagements sometimes can go wrong.

Before we proceed with any job for a client, we clearly define the effort and how it will involve the company's employees (as well as my own). The plan for how we will enter is agreed on, as is the identity of the trusted contractors or vendors we will pretend to be. In the event we are discovered, the discussion of our "get out of jail letter" is something that always comes up, often provoking a laugh about it not vindicating our actions.

We often request that our client involve executive management or human resources to provide the necessary approval or revisions of the plan. Compromising a network with social engineering techniques can be accomplished in various ways, but most commonly one or more employees are used to achieve the goal. So we ask the client to indemnify those individuals and not put their employment in jeopardy as a result of our successful access through their assistance.

With all of this preparation, our goal is to minimize our failure and to provide the client a real-world example of what could happen. Unfortunately, all of this planning can still result in unforeseeable issues. One failed social engineering attempt occurred at a financial institution that retained our services. Under the direction of its chief information officer, we would communicate only through private email, have meetings off-site, and restrict written communication in case it were to be intercepted. On the day we launched our attack, my two colleagues were thwarted by bank tellers as soon as they entered the front door: The tellers had been tipped off and were waiting for them.

It turns out an internal email had been sent to the chairman of the board explaining our services and start date. Unfortunately, the chairman's administrative assistant read all of his mail and leaked our effort to the staff. Although the tellers portrayed themselves as the victors, they and the bank they worked for actually lost. Whether they are truly susceptible to an attack by a real white-collar criminal might never be known.

Another unforeseeable outcome of a social engineering engagement began with an attempt leveraging company employees who frequented social networking sites. The organization's IT staff was concerned that users identifying themselves as employees would set themselves up for a targeted phishing attack. The test involved mailing a letter and a USB memory stick to the employees on behalf of one of the well-known social networking sites.

Upon completion of the test, the employees banded together and complained to upper management about the social engineering test. The employees expressed their disappointment in having their employer's IT department perform such an assessment. And soon thereafter, the employees turned their aggression against my company. The employees made the argument that they were unfairly tested and that numerous state and federal laws were broken during its execution. Claims were also made that we had performed an "Illegal Human Experiment," comparing our social engineering effort to some of the most heinous atrocities performed against man. Attorneys got involved and we were cleared of all wrongdoing, much to the disappointment of the employees in the client's organization.

About a week after resolving this, one of the largest Facebook phishing attacks hit our nation, impacting our client and the very employees who had voiced their anger at our testing. Sources indicated they weathered the phish well, with no one falling prey to the real bad guys.

So our security assessment and social engineering test proved to be of some value in preparing those end users for the real thing. I would hope the real white-collar criminals who crafted that attack would suffer the same aggravation and pain we were just put through, and that my company would receive a thank you for preparing those employees so that they did not become victims. Unfortunately, I don't think either will happen.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ...
