5/18/2010
03:16 PM

When Social Engineering Tests Fail

Our company, Secure Network, has performed numerous security assessments and penetration tests, many of which involved social engineering: testing our clients' employees to see whether they adhere to security policies. Even with all of the planning that goes on beforehand, these engagements sometimes go wrong.

Before we proceed with any job for a client, we clearly define the effort and how it will involve the company's employees (as well as mine). The plan for how we will enter is agreed on, as is the identity of the trusted contractors or vendors we will pretend to be. In the event we are discovered, the discussion of our "get out of jail" letter is something that always comes up, often provoking a laugh about it not vindicating our actions.

We often request that our client involve executive management or human resources to provide the necessary approval or revisions of the plan. Compromising a network with social engineering techniques can be accomplished in various ways, but most commonly one person or a small group of people is used to achieve the goal. So we ask the client to indemnify those individuals and not put their employment in jeopardy if we gain access through their assistance.

With all of this preparation, our goal is to minimize the chance of failure and to provide the client with a real-world example of what could happen. Unfortunately, all of this planning can still result in unforeseeable issues. One failed social engineering attempt occurred at a financial institution that retained our services. Under the direction of its chief information officer, we would communicate only through private email, hold meetings off-site, and restrict written communication in case it was intercepted. On the day we launched our attack, my two colleagues were thwarted by bank tellers as soon as they entered the front door: the tellers had been tipped off and were waiting for them.

It turned out an internal email had been sent to the chairman of the board explaining our services and start date. Unfortunately, the chairman's administrative assistant reads all of his mail and leaked our effort to the staff. Although the tellers portrayed themselves as the victors, they and the bank they worked for actually lost. Whether they are truly susceptible to an attack by a real white-collar criminal might never be known.

Another unforeseeable outcome of a social engineering engagement began with an attempt that leveraged company employees who frequented social networking sites. The organization's IT staff was concerned that users identifying themselves as employees would set themselves up for a targeted phishing attack. The test involved mailing a letter and a USB memory stick to the employees, purportedly on behalf of one of the well-known social networking sites.

Upon completion of the test, the employees banded together and complained to upper management about the social engineering test. The employees expressed their disappointment that their employer's IT department would perform such an assessment. Soon thereafter, the employees turned their aggression against my company. They argued that they had been unfairly tested and that numerous state and federal laws were broken during the test's execution. Claims were also made that we had performed an "Illegal Human Experiment," comparing our social engineering effort to some of the most heinous atrocities performed against mankind. Attorneys got involved and we were cleared of all wrongdoing, much to the disappointment of the employees in the client's organization.

About a week after resolving this, one of the largest Facebook phishing attacks hit our nation, impacting our client and the very employees who had voiced their anger at our testing. Sources indicated they weathered the phish well, with no one falling prey to the real bad guys.

So our security assessment and social engineering test proved to be of some value in preparing those end users for the real thing. I would hope the real white-collar criminals who crafted that attack would suffer the same aggravation and pain we were just put through, and that my company would receive a thank you for preparing those employees so they did not become victims. Unfortunately, I don't think either will happen.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. Steve serves as president of Secure Network, focusing on penetration testing, information security risk assessments, incident response and digital investigations. Steve has worked in the field of information security since 1997. As a part of that experience, Steve is an ...
