
Companies are falling like dominoes, you can thank Social Engineering

Kaiju Security

You know, you CAN defend against Social Engineering... so why would you not want to? It's only THE #1 way an attacker gets into your systems, your company and/or your building.

I'm not sure if it's a perceived lack of options, not knowing or not caring, but if anyone has looked at the news lately, companies are falling like dominoes with recent hacks, and the root cause of nearly ALL of them is social engineering.

Sometimes it's a text/SMS, other times it's an email or a USB drive, or the company simply doesn't know how the attacker got in, which usually means, yup... social engineering.

The way I teach defense against social engineering is to teach HOW to be a social engineer. When you know the how, the why and the psychology behind it, it becomes SO much easier to spot.

Think of it this way: when you watch a magic trick and you know nothing about it, you are in awe of the "magic". If that same magician shows you exactly how the trick was done and then performs it again, it's not as impressive, and the next time you see that trick, no matter who does it, you instantly remember how it was done and what they did. Social engineering is the same.

Of course we're going to have to go with one more analogy, because frankly I love them! Defense against social engineering is also much like being a pilot. You don't pay the pilot loads of money to fly; most airliners now pretty much do that on their own. What you pay the pilot for is the emergencies: to notice and point out safety issues, or to make the right call on NOT flying, or on a delay that saves people's lives.

When you train your employees in social engineering you're doing it to prevent a mishap; it's an investment in the safety of the company AND your employees. Many social engineering entries begin at home with an employee clicking on the wrong link on their home computer or on their personal phone, and that can eventually lead to a compromise of the company. And what do you think happens after you do your triage and your incident response team has found the malicious actor? That poor employee's home network is probably still compromised, and round and round we go.

I will sit down with a group of people from a company, and I'll show them what we as social engineers do, how we do it, and who and why we target the people and things we do. I show them just HOW malicious I can be. I don't hold back, because it's important that your employees realize just how evil and vindictive a real malicious social engineer can be. Then I'll have them put what they learned into action: they will craft emails and texts and come up with as many ways to "get into a company" as they can think of, and I push them to think outside the box. Once your employees know the psychology behind it, once they know how to manipulate a person or a situation, their ability to spot it in a defense scenario increases dramatically.

After that, these "Resident Experts" train those below them, and remain responsible for those people in the event of social engineering attacks. If someone has a question or isn't sure, they simply ask the Resident Expert. Making someone responsible is one of the most important steps. Would you have a division in your company that literally reports to no one, with no oversight, no metrics, just nothing? Nope, no one would (except maybe the Government...). Your social engineering defense should be the same: small-unit leadership driving cultural change, teaching and training people in your company.

Policy and procedure remain absent in most companies. I've tested hundreds, and nearly all of them lack a policy and procedure surrounding Social Engineering. What's worse, those that DO have them in place simply don't enforce them, or test them to ensure they are working. Imagine everything we have talked about up to this point, except substitute ANY other part of your business, and now imagine it being run the way your defense is being run right now: no oversight, minimal training, no metrics, no policies or procedures, zero improvement plan, and no way to actually know if you even need an improvement plan. It would simply be a hot mess.

Make the company the "bad guy": make your employees KNOW that if they don't follow proper procedures, there is a consequence. Believe it or not, this is for their protection; it allows them to take a stand when something becomes uncomfortable. When the seemingly pregnant woman is standing at the back door asking for some help, your employees will know that if they let her in without her scanning her badge, or if they don't recognize her, they will be held accountable. This allows that employee to handle the situation respectfully and responsibly. Something like: "I am so sorry, I'm happy to carry these things and help escort you to the front desk where you can sign in, but unfortunately we have a VERY strict policy about entry. I really wish I could let you in, but the company is just insistent on this policy."

This does two things. If the person IS a social engineer, they will most likely find a reason why it's "ok" to subvert this policy. That should be a huge red flag, as anyone at this company should KNOW how seriously the company takes this, and a good co-worker should never be so selfish as to put another co-worker in jeopardy. Secondly, if the person IS an employee, they should 100% understand and offer to badge in, or kindly accept the help to go to the front desk.

There are many ways the above scenario can unfold, but if your employees make YOUR company the "bad guy" and adhere to that policy, it will end with the employee doing what they are supposed to (assuming you wrote a good policy, of course!).

Lastly, let's introduce gamification. I always suggest constantly testing your employees. Leave USB devices around, send random texts to phones, send phishing emails. Have strangers walk around the company blatantly doing something against the policy and procedures you have written, then reward the employee that "catches" these issues. It can be a gift certificate, or you can collect points for the month and have 1st, 2nd and 3rd prizes; anything really. The important part is to make it part of the culture: make your employees comfortable engaging with strange people, or reporting a text or an email. Have them be on the lookout for strange devices, or tape over a door latch, all because they might win that trip or gift certificate.
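Gamification only works if someone is keeping score, and the earlier complaint about "no metrics" is solved by the same bookkeeping. Below is an added example (my code, not the author's or any product's) of how a program like this can score its simulated tests from a log. The log, the campaign names, the action labels, the target lists and the point values are all constructed for the example. Two rules a practitioner would want are handled: an employee who clicks and then self-reports still gets credit (less than a clean report), and reporting the same campaign twice does not earn points twice. It also produces the list of people a Resident Expert should follow up with.

```python
import csv
from collections import defaultdict
from io import StringIO

# Outcomes that mean the test "got in". Labels are assumptions for this example.
FAILED_ACTIONS = {"clicked", "replied", "plugged_in", "let_in"}

# Illustrative point values (not the author's numbers).
POINTS_REPORTED = 10            # spotted it and reported it
POINTS_REPORTED_AFTER_FAIL = 4  # fell for it, then self-reported: still worth rewarding

# Constructed sample log: timestamp,campaign,employee,action
SAMPLE_LOG = """\
timestamp,campaign,employee,action
2024-03-04T09:02:00,PHISH-07,mary,reported
2024-03-04T09:05:00,PHISH-07,bob,clicked
2024-03-04T09:06:30,PHISH-07,bob,reported
2024-03-04T09:10:00,PHISH-07,alice,reported
2024-03-04T09:11:00,PHISH-07,alice,reported
2024-03-06T14:00:00,USB-02,dan,plugged_in
2024-03-06T14:20:00,USB-02,mary,reported
2024-03-11T11:30:00,TAILGATE-01,mary,reported
2024-03-11T11:31:00,TAILGATE-01,erin,let_in
2024-03-12T08:00:00,SMS-03,bob,reported
"""

# Who each simulated campaign was aimed at (constructed).
CAMPAIGN_TARGETS = {
    "PHISH-07": {"mary", "bob", "alice", "dan"},
    "USB-02": {"dan", "mary", "erin"},
    "TAILGATE-01": {"mary", "erin"},
    "SMS-03": {"bob", "alice"},
}


def parse_log(text):
    """Parse the CSV log into dicts, oldest first (ISO-8601 timestamps sort as text)."""
    return sorted(csv.DictReader(StringIO(text)), key=lambda r: r["timestamp"])


def _failed_and_reported(events):
    """(employee, campaign) pairs that fell for a test, and pairs that reported one."""
    failed, reported = set(), set()
    for ev in events:
        key = (ev["employee"], ev["campaign"])
        if ev["action"] in FAILED_ACTIONS:
            failed.add(key)
        elif ev["action"] == "reported":
            reported.add(key)
    return failed, reported


def score_events(events):
    """Points per employee. Each (employee, campaign) is credited once; a report that
    comes after a click/plug-in/let-in earns the reduced amount. Everyone who appears
    in the log gets an entry, so zeros are visible too."""
    scores = defaultdict(int)
    failed, credited = set(), set()
    for ev in events:  # already time-ordered, so "after" is meaningful
        emp, key = ev["employee"], (ev["employee"], ev["campaign"])
        scores[emp] += 0
        if ev["action"] in FAILED_ACTIONS:
            failed.add(key)
        elif ev["action"] == "reported" and key not in credited:
            credited.add(key)
            scores[emp] += POINTS_REPORTED_AFTER_FAIL if key in failed else POINTS_REPORTED
    return dict(scores)


def leaderboard(scores, top_n=3):
    """Highest points first; ties broken by name so the ranking is stable."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def campaign_metrics(events, targets):
    """Per campaign: how many targets reported it and how many fell for it, as rates."""
    failed, reported = _failed_and_reported(events)
    out = {}
    for campaign, people in targets.items():
        n_rep = sum(1 for emp in people if (emp, campaign) in reported)
        n_fail = sum(1 for emp in people if (emp, campaign) in failed)
        n = len(people)
        out[campaign] = {"targets": n, "reported": n_rep, "fell_for_it": n_fail,
                         "report_rate": n_rep / n if n else 0.0,
                         "fail_rate": n_fail / n if n else 0.0}
    return out


def needs_follow_up(events):
    """Employees who fell for a test and never reported it: the Resident Expert's list."""
    failed, reported = _failed_and_reported(events)
    return sorted({emp for (emp, _campaign) in failed - reported})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Leaderboard:", leaderboard(score_events(events)))
    for campaign, m in campaign_metrics(events, CAMPAIGN_TARGETS).items():
        print(campaign, m)
    print("Follow up with:", needs_follow_up(events))
```

On the constructed log, mary tops the board with three clean reports, bob gets reduced credit for the phish he clicked and then reported, alice's duplicate report is counted once, and dan and erin land on the follow-up list. The per-campaign report rate and fail rate are the trend lines to watch month over month; a rising report rate is the sign the culture change the post describes is actually happening.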

Once you implement this, a very strange thing happens... people talk. Many times the STORY is more rewarding than the gift certificate.

"Oh, did you hear Mary got the golden ticket today?"

"She did?!?"

"Yeah, I heard she stopped someone pretending to be pregnant at the back door, she carried all of her stuff to the front desk, and lo and behold it was one of the Social Engineers!"

People will then go ask Mary about the incident, and typically they'll say something like, "I could never say no to a pregnant woman." Yet if you've done your training right, Mary will say something like, "Oh, it wasn't that bad at all, I was nice, and I just said how strict the company is!" This eventually becomes part of the culture of the company; it's fun, people enjoy it, and it makes every person at your company a security guard.

I have consulted with many companies that have employed the above techniques and have all been extremely happy with the change in the culture and the increased defense posture of the company. 

To leave you all with a short example:

I received a call from the director of security at a local company that had implemented these changes about 3 months prior. They had "gamified" social engineering in the company and offered gift certificates on the spot when an employee would "catch" someone. Well, an employee did just that: engaged with someone they didn't recognize and played it by the book (as that's how you get the gift). And when the person they engaged with refused to go to the front desk and get a visitor badge, the employee knew that it wasn't a game any longer. They followed their procedures to the letter, and security ended up responding and walking that person out of the company.

Help is out there, come get some!
