Perimeter

5/18/2010
03:16 PM
When Social Engineering Tests Fail

Our company, Secure Network, has performed numerous security assessments and penetration tests, many of which involved social engineering. That's when we test our clients' employees to see if they adhere to security policies. Even with all of the planning that goes on beforehand, these engagements sometimes can go wrong.

Before we proceed with any job for a client, we clearly define the effort and how this will involve the company's employees (as well as mine). The plan of how we will enter is agreed on, as is the identity of trusted contractors or vendors who we will pretend to be. In the event we are discovered, the discussion of our "get out of jail letter" is something that always comes up, often provoking a laugh about not vindicating our actions.

We often request that our client involve executive management or human resources and provide the necessary approval or revisions of the plan. Compromising a network with social engineering techniques can be accomplished in various ways, but most commonly one or more people are used to achieve the goal. So we ask the client to indemnify those individuals and not put their employment in jeopardy as a result of our successful access through their assistance.

With all of this preparation, our goal is to minimize our failure and to provide the client a real-world example of what could happen. Unfortunately, all of this planning can still result in unforeseeable issues. One failed social engineering attempt occurred at a financial institution that retained our services. Under the direction of its chief information officer, we would communicate only through private email, have meetings off-site, and restrict written communication in case it were to be intercepted. On the day we launched our attack, my two colleagues were thwarted by bank tellers as soon as they entered the front door: The tellers had been tipped off and were waiting for them.

It turns out an internal email had been sent to the chairman of the board explaining our services and start date. Unfortunately, the chairman's administrative assistant reads all of his mail and leaked our effort to the staff. Although the tellers portrayed themselves as the victors, they and the bank they worked for actually lost. Whether they are truly susceptible to an attack by a real white-collar criminal might never be known.

Another unforeseeable outcome of a social engineering engagement began with a social engineering attempt leveraging company employees who frequented social networking sites. The organization's IT staff was concerned that users identifying themselves as employees would set themselves up for a targeted phishing attack. The test involved mailing a letter and a USB memory stick to the employees on behalf of one of the well-known social networking sites.

Upon completion of the test, the employees banded together and complained to upper management about the social engineering test. The employees expressed their disappointment in having their employer's IT department perform such an assessment. And soon thereafter, the employees turned their aggression against my company. The employees made the argument that they were unfairly tested and that numerous state and federal laws were broken during its execution. Claims were also made that we had performed an "Illegal Human Experiment," comparing our social engineering effort to some of the most heinous atrocities performed against man. Attorneys got involved and we were cleared of all wrongdoing, much to the disappointment of the employees in the client's organization.

About a week after resolving this, one of the largest Facebook phishing attacks hit our nation, impacting our client and the employees who had voiced their anger at our testing. Sources indicated they weathered the phish well, with no one falling prey to the real bad guys.

So our security assessment and social engineering test proved to be of some value in preparing those end users for the real thing. I would hope the real white-collar criminals who crafted that attack would suffer the same aggravation and pain we were just put through, and that my company would receive a thank you for preparing those employees to avoid becoming victims. Unfortunately, I don't think either will happen.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ...
