A recent hacking contest shows that businesses are still too vulnerable to social engineering attacks.
Social engineering has become more popular among cybercriminals, as sites like Facebook and LinkedIn have made it easier to get in touch with strangers — and extracting data from those folks can often take less work than finding ways around IT’s security controls.
One recent attempt to show just how easy social engineering attacks are to carry out came in the form of a contest involving attendees of this year’s Def Con security conference in Las Vegas.
Contestants were assigned companies in various industries and given two weeks to conduct research on the organizations using web searches and social networks. During the conference, the contestants placed calls to their targeted contacts and had 25 minutes to extract as many pieces of sensitive information as possible.
All 14 of the companies called surrendered at least one piece of such information. Only three of the contacted employees put up any level of resistance to the contestants’ methods.
Information extracted included what types of security software the company uses, the names of its wireless networks, and any password construction rules employees must follow. Contestants also tried to get contacts to visit a phony URL, and succeeded every time.
Most of the calls were made to customer service and support staff, who were also the most likely to surrender information. The rest of the targeted employees were salespeople or staff in retail locations.
The lesson for IT: While security products and technical controls can go a long way to reducing the risk of cybercrime, it’s important to remember the human element of security.
The contest’s organizers recommend businesses:
- Strengthen social media policies to prevent sensitive information from being disclosed by employees online.
- Train employees – many businesses may be reluctant to spend time and money training employees in high turnover areas such as call centers, but as this contest shows, that’s where a lot of social engineering attacks will take place.
- Measure their own risk by periodically conducting social engineering tests on users.
For more on social engineering and the Def Con contest, download the organizers’ report here.