I am often asked about social engineering during penetration tests. This is an attack method in which people are unknowingly enticed to disclose information or to assist the attacker in carrying out his plan. In the preparation phase, the company's website and any existing profiles on social platforms (e.g. XING, LinkedIn or Facebook) are searched to identify suitable target persons and to gather as much information as possible about them (e.g. function, responsibilities, hobbies). Subsequently, attempts are made to elicit information from these persons or to induce them to perform actions that give the attacker unauthorized access to data or IT applications. It is also important to mention here that these tests must be agreed upon with the works council.

How does a social engineering attack work?

This can be achieved by sending emails that lead to fake websites or through direct personal contact. My team also likes to use USB sticks, which are sent by mail to the target persons. Of course, these are not ordinary USB sticks but special IT equipment designed for such tests. It is enough for a target person to plug in this stick for the tester to gain full control over the computer.

Useful or not?

However, I am of the opinion that such tests should only be carried out if the company has clear rules of conduct for defending against social engineering and the employees are sensitized, trained and regularly coached accordingly. Without training, the selected target persons have hardly any chance of recognizing and defending against these attacks and fall blindly into the trap.

In practice, it has been shown that if tests are nevertheless carried out under these conditions, the climate between those responsible for information security and the employees deteriorates significantly. The latter usually feel "tricked" and react accordingly.

Companies are therefore well advised to check whether the above conditions are met before carrying out social engineering tests. If in doubt, guidelines and security awareness campaigns based on them should be implemented first.

Further information on social engineering: Manfred Scholz, manfred.scholz@sec4you.com