A Blog from QualiTest

Social Engineering: It Takes a Thief

Social engineering involves taking advantage of the kindness of strangers, informally breaking through cyber security.

“I have always depended on the kindness of strangers” is a line from Tennessee Williams’ A Streetcar Named Desire. Social engineering takes that line literally, and in doing so exposes a company’s cyber security risks. Let’s look at some social engineering penetration techniques.

Most facilities will let in a delivery person rather easily. There is no need to pose as a cable TV technician (“The Italian Job”) or a plumber (“Fast Five” and “Beverly Hills Cop 2”). Or you can find the door where people go out to smoke and enter that way, especially after offering someone a cigarette. Even if you only get to use the bathroom (an emergency request few would turn down), a ceiling tile may reveal a handy network line to attach a sniffer to.

If the company rents space in an office building it does not own, there are building-based ways to fake one’s way in: as a fire marshal (who can send people out of rooms of your choice), an exterminator (“all clear on the floor above you – let’s make sure nothing found its way down”), or a phone technician tracking down a line fault (with access to those all-important ceiling tiles where the internet cables run).

Getting into the building and using a phone there (so that the call shows an internal extension) adds to your credibility. An inside call from a visible extension makes any request more believable, perhaps as Dave from IT who just needs to check a few things and help your computer log back in after the security updates forced a reboot, or some such story. An outside call may be enough if you plead hard enough about how you should have gotten this information yesterday, but had to leave early to pick up your kid, who is feeling better now. If you make it to someone’s office, try to get on the computer: maybe it has not timed out since the person walked away, has no password, or has the password on a sticky note. Or you can leave thumb drives loaded with malware in the lunch room and claim they are a thank-you gift from a client (after doing enough homework to name a believable client). Or you can post a flyer with a new help desk number that points to your confederates.

Even if you don’t make it into the building, you can still call or email from the outside. Make sure you do a little research first. The company website, LinkedIn, Facebook or the company newsletter can tell you about some of the employees. Maybe you can spam your way in by email with a spoofed email address, or spear phish with a subject line the recipient would expect to see (“About the new tax changes” to Finance, “About X” to someone about to give a webinar on X, and so on).
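The spoofed sender address and the tailored subject line described above are exactly the signals a mail gateway or a SOC analyst can check for mechanically. The Python below is an added example, not code from the original post or from QualiTest. It assumes the organisation’s own mail domain is example.com (a placeholder) and that the inbound mail server stamps an Authentication-Results header (RFC 8601) on every message before delivery; the three sample messages are constructed for the example. It flags a From address that fails SPF/DKIM/DMARC, a Reply-To that points somewhere other than the apparent sender, and a display name that names the internal domain while the real address is external (which passes authentication perfectly well, because the attacker owns that domain).

```python
"""Flag common spoofed-sender indicators in a raw RFC 5322 message.

Added example, not from the original post. Assumes the organisation's
mail domain is example.com (placeholder) and that the edge MTA adds an
Authentication-Results header (RFC 8601) before delivery.
"""
import email
import re
from email import policy

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own domain

# Constructed sample 1: forged internal From address. SPF and DMARC fail
# because the sending server is not authorised for example.com, and the
# Reply-To quietly redirects answers to the attacker's domain.
SPOOFED = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.test; dkim=none; dmarc=fail header.from=example.com
From: "Dave (IT)" <dave@example.com>
Reply-To: helpdesk@attacker.test
To: alice@example.com
Subject: About the new tax changes

Please reply with your login so we can re-enable your account.
"""

# Constructed sample 2: display-name impersonation. Everything authenticates,
# because attacker.test really did send it; only the display name lies.
IMPERSONATED = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=attacker.test; dkim=pass header.d=attacker.test; dmarc=pass header.from=attacker.test
From: "dave.it@example.com" <it-support@attacker.test>
To: alice@example.com
Subject: Reboot required after security updates

Log in at the portal below so we can finish your update.
"""

# Constructed sample 3: genuine internal mail that passes every check.
LEGIT = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Dave (IT)" <dave@example.com>
To: alice@example.com
Subject: Patch window tonight

Machines will reboot at 22:00; no action is needed.
"""

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(msg):
    """Return {mechanism: result} parsed from Authentication-Results headers."""
    found = {}
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in _AUTH_RE.findall(str(header)):
            found.setdefault(mech.lower(), result.lower())  # first MTA wins
    return found


def _addresses(msg, name):
    """Parsed Address objects for a header, or [] when the header is absent."""
    header = msg[name]
    return list(header.addresses) if header is not None else []


def spoof_indicators(raw, internal_domain=INTERNAL_DOMAIN):
    """Return human-readable reasons the message looks like a spoof (empty if clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    senders = _addresses(msg, "From")
    if not senders:
        return ["no From header"]
    sender = senders[0]
    from_domain = sender.domain.lower()

    # Display name claims the internal domain, but the real address is elsewhere.
    if internal_domain in sender.display_name.lower() and from_domain != internal_domain:
        reasons.append("display name claims %s but address is at %s" % (internal_domain, from_domain))

    # Replies would go to a domain other than the apparent sender's.
    for reply in _addresses(msg, "Reply-To"):
        if reply.domain.lower() != from_domain:
            reasons.append("Reply-To domain %s differs from From domain %s" % (reply.domain, from_domain))

    # Anything other than an explicit pass from the edge MTA is suspicious.
    results = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            reasons.append("%s=%s" % (mech, results.get(mech, "missing")))
    return reasons


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("impersonated", IMPERSONATED), ("legit", LEGIT)):
        print(label, spoof_indicators(sample) or "clean")
```

The second sample is the one worth noticing: SPF, DKIM and DMARC all pass, so a filter that only trusts authentication results would deliver it. The display-name check is what catches it, and the same logic extends to names of real staff harvested from the company website or LinkedIn, which is why the research step in the paragraph above matters to the attacker.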

If you don’t think your company can be penetrated by this type of social engineering, you may be in need of a cyber risk assessment. Why risk your company’s secret data? Why not go with a well-established company that has become the world’s largest pure play software testing company?