Social Engineering – Not a plan by the 3rd Reich

So just what is meant by the term ‘Social Engineering’?

In short, think of all those films and TV programs and the way scam/con artists get information from others by convincing them it’s in their best interest to give them the information they want.

Unlike ‘hacking’, it targets people and not computers or systems.

Most companies and governments have built systems which are protected by firewalls and people who are aware of the inherent risks, protecting these systems is a full-time job for some.  But, the actual people in the company are often the weakest link in the chain.

Let’s go to the films for a moment.  Joe Average is going from place A to Place B.  They leave building A, head for their car, get in the car, drive to a location near location B, park the car, exit the car and then enter B.

Now, in the films how many times have you watched some one like Joe Average going about their business totally unaware that some one is watching them?  Think about your last trip anywhere, could you honestly say you would be aware of someone following you?  Assuming the person doing the following was not a complete amateur at it the chances are you wouldn’t have a clue.  People in general make this even easier for the people doing the watching, by often following the same routine.  They leave home around the same time every day for work, and then take the same route to their place of work.

We’ve all seen the bit in the movies, where someone following close behind gains access by ‘tailgating’ someone to just walk through a door that has just opened, in fact the person may even hold the door open for the tailgater as it can be deemed ‘polite’ – side note here; as a kid I was always told it was polite to hold the door open for a lady.  Something I always used to do, right up to the point somewhere back in the ’80s, when I held the door open for a ‘woman in comfortable shoes’ at which point she turned to me and said “I was a sexist misogynist pig and she was quite capable of opening a door herself !”.  So ladies, you only have yourselves to blame, when you say there are no gentlemen around these days. Ummm, never worked out why in the UK and America, women aren’t more like the French, where they believe they can be sexy, good looking and be the equal or better of men.  I digress however….

So, back to people being the weakest link in a company’s security.  Why?  Well, if we look back to our film example, most companies do not provide any security training for staff.  There is often a lack of security policies.  Several different parts of the company that should work together to cover this don’t.

Let’s look at this in more detail.  The first is straight forward enough – what training in a lot of cases.  So let’s look more at the second part.

Policies:

Many, companies have now issued photo id’s and tell their employees to display these whilst at work.  But fail to insist employees remove them as they leave the building.  Result, look round at a coffee bar at lunchtime, or a bar after work and you’ll see people, with the id’s often showing who they are, where they work, and their job title.  Now it wouldn’t take much to photo these to make copies/fakes or just ‘lift’ the id.  This would then give the person access to the building, or just to help identify a person they could then target for information.

Dumpster diving…. Looking at a company’s rubbish.  Yes, people still do this.  Reporters are great at doing this to the famous.   Great source of contact information, financial information, sticky notes, phone messages, operational information and phone bills.  There should be policies for secure shredding/removing rubbish.

There’s many more examples, but for now I would suggest you watch the following films – ‘Catch me if you can’ (2002),  Matchstick Men (2003) or Leverage a TV series running from 2008 to 2012

spacer