For the past few years, the Social Engineering Capture the Flag contest has been a highlight of the Defcon security conference. The report from the 2012 edition of the contest provides some interesting insight into the social engineering threat and what companies need to do to protect themselves.
The targets of this year’s contest were 10 firms in the retail, oil, freight, telecom and technology industries. The oil industry got the highest marks for keeping their information secret, which makes sense to me. Their employees probably have a lot less interaction with the public on a day-to-day basis, so unusual requests for information would probably stand out from the norm. Retail giants Walmart and Target brought up the rear, giving up the most information.
The theme of this year’s contest was “Battle of the SExes,” pitting male social engineers against their female counterparts. While the male contestants scored higher than the social engineers of the fairer sex, the small sample size (10 men and 10 women) and the fact that female participants in prior years of the contest were few and far between make me wonder whether these results are indicative of a trend.
The contest participants were given two weeks to perform “open source intelligence” (the gathering of information about their targets from public sources on the Internet). A number of the companies targeted provided attackers with lots of information during this phase. Some of the more noteworthy information leaks resulted from photos posted on social media, which yielded pictures of employee ID badges and layouts of facilities – either of which could help an attacker get physical access to their targets. Other information gathered from social media included ESSIDs of wireless networks and location check-ins by employees.
The real fun began when contestants got on the phone. A number of pretexts were used to explain the callers’ requests for information. The trickiest pretext was that the caller was an employee of the targeted organization. Knowing the right jargon and using widely available caller ID spoofing services bolstered these callers in some cases, but maintaining a believable cover story here was difficult. Callers who purported to be “taking a survey” or calling from a vendor did not do too well, since many employees find these types of calls annoying and thus routinely terminate them quickly. A more successful pretext was that the caller was a student doing research on the targeted company for a school assignment.
The conclusions in the report were what you would expect:
- Employees need to be better educated about social engineering threats (true, even allowing for the fact that the report writer is in the business of providing such training and social engineering tests).
- Employers need to tighten their social media policies to control the leakage of confidential information to the Internet.
The second finding, while it sounds great, is potentially problematic for US companies. As I have noted in previous posts, US law does not allow companies to place on employees’ personal social media accounts many of the restrictions that make sense from a corporate security perspective. The regulations are aimed at preventing employers from quashing employees’ rights to discuss their work environment and organize unions, but have the side effect of making it very difficult to write social media policies that both protect the organization and stand up to legal scrutiny. If you haven’t reviewed your social media policies in a while, now is a good time to do so – and include your legal counsel.
These legal limits on social media restrictions make the need for employee education all the more important. The social engineers are out there and they are gunning for your company’s crown jewels. Taking the time to strengthen your Human Firewall is a worthwhile investment.