General discussion

  • Creator
  • #2225811

    Social Engineering self-defense.


    by locrian_lyric ·

    Inspired by the article IRS employees socially engineered. Some of this is reposted.

    I know a few tried and true tricks. I won’t publish them for obvious reasons, but I do tell people what to look out for.

    Included are steps to avoid.

    1)”idiot traps”, these are along the line of a big red button that says “don’t push”. The trick works by playing on basic human curiousity. A variant of that is the ‘forbidden secret’ be it a malicious file labeled ‘HR salary info’ or a secret about a celebrity.

    DEFENSE: set up a few “idiot traps” of your own and catch your own employees. NOTE: this is not to be a tool for disciplinary action, but for instruction. A user falling for one of the idiot traps should have their account disabled, until they call the help desk. When they do, an email should be sent to that user detailing that they fell for a trap and that had it been an actual criminal hacker, severe damage to the company, or identity theft of the user could occur.

    Again, no disciplinary action should result because the goal is to establish a culture of awareness and not a culture of fear.

    2)The “I don’t want to get in trouble” trap. You see this one in the movies all the time when someone bluffs their way past a guard asking them to cut them some slack because they lost their ID for the third time this month or some other sob story. This one works well too. The irony of this one is that the more tightly security clamps down, the more effective this one is. Fellow employees who have been hassled by security for seemingly trivial matters will be VERY sympathetic and hold the door open for that ’employee’ who ‘lost his ID card’.

    DEFENSE: Once again, make security a culture of awareness, not fear. Instruct security to be polite but firm. Have a quick resolution available for the lost/forgotten ID that does not involve management. I.E. employee reports to security, informs them that their ID was forgotten. Security puts a block on that ID and issues a temporary ID until the employee returns to security with his perm ID. This will eliminate the whole fear of getting into trouble. You WANT employees to come forward immediately when security is breached, not try to hide it.

    3)DO THIS OR YOU’RE GOING TO BE IN TROUBLE! Simple intimidation. The scammer pretends to be someone in a position of power and simply damands the information they want.

    DEFENSE: Strict policies and procedures created to discourage this kind of bullying. If it’s allowed from management, someone engaging in social engineering will be able to employ it. Furhtermore, cowed employees will not be good at security as their focus will be to keep their heads down and avoid making waves.

    4)Standard procedures: This one nails bureaucracies every time. When employees are trained to be mindless robots and policies are never explained, someone can just walk in, grab anything they want and leave with it if they simply assert that they are following a new procedure.

    DEFENSE: Communication, infrequent changes in policy, Low turnover and high morale. Employee apathy is the enemy here. If employees are force-fed ’embrace change’ (in other words, don’t ask questions, just do what we tell you) to the point of lunacy, they will not care and they will not question. No amount of precautions will help if the employees don’t care. Get the employees involved. Communicate WHY something is needed in a clear, concise way without insulting their intelligence.

    Any additions/amendments to the ideas above?

All Comments

  • Author
    • #2620181

      Probably, But it looks like…

      by dawgit ·

      In reply to Social Engineering self-defense.

      You covered the subject pretty good to me. It might sound simple to many of us, but some people need to be reminded from time to time.
      Good Post. -d

      • #2620113


        by locrian_lyric ·

        In reply to Probably, But it looks like…

        I’ve seen a bit in my career.

        One firm tried to crack down on security problems, any employee that forgot their badge or lost it would be disciplined.

        Guess what?

        Yep, plenty of people still forgot their badges, but now other employees were holding the doors open for them.

        THAT was bright, eh?

    • #2620095

      Very Well Done!

      by tig2 ·

      In reply to Social Engineering self-defense.

      I hope you don’t mind but I will be taking a copy of your post to our security and compliance meeting and sharing it about. Excellent points and all should be incorporated into awareness training.

      We do quite a bit of that where I work but there is always someone who can get caught.

      Your last point about communicating change sensibly is particularly good. I am in a highly regulated environment and we frequently send change information when the rules change…again. What I am seeing though is a sense of “why bother to learn the rule this week? It will only change again”. I am starting to think that Deep Dive sessions and Lunch and Learns might help us through some of that negative thinking.

      An excellent post!

      Edited for my many thumbs…

      • #2618693

        Thanks tiggertwo

        by locrian_lyric ·

        In reply to Very Well Done!

        and by all means, spread the word.

        I think the failures in securing against social engineering come down to one root cause: Treating the employee as an enemy instead of an ally.

      • #2618552

        Not Bad

        by don ticulate ·

        In reply to Very Well Done!

        for a Ctrl C – Ctrl V, not bad at all!

        • #2617769

          Not Bad?

          by catpro-54 ·

          In reply to Not Bad

          You have a very negative attitude. Give it a rest and give people the credit they are due. N_o_n presented a very well-thought-out article. YOU have presented a very ugly response, and I’ve read some of you other replies, as well. Where are your articles of information/help/insight?

    • #2617724

      Maybe add…

      by Anonymous ·

      In reply to Social Engineering self-defense.

      I don’t know if this fits or not but…

      Badge of authority – The “consultant/contractor/inspector” who is working on ___ project and needs your help with _____. Naturally, people want to help, especially someone as obviously professional and knowledgable.

      Defense – You can probably write a much better one than I, but I would say awareness training, and clear policies on the handling of visitors of any kind.

      I really like the fact that your approaches are based on enablement and empowerment, rather than on policy and punishment. Thanks for the excellent post.

      • #2617709

        And, Don’t Forget …

        by bluemoonsailor ·

        In reply to Maybe add…

        … the ‘name dropper’. I.e. “This is the ‘s hot button this week and I really need this. I’m meeting with tomorrow and I *have* to have this ready by then.”

        Using an executive’s name can either inspire fear and the desire to not be the next scapegoat, or reaching for brownie points and and wanting to be seen as cooperative and a team player. It’s also unlikely that a low-level peon is going to pick up the phone and call the bigwig for verification of the request.

        Steve G.

      • #2617704


        by locrian_lyric ·

        In reply to Maybe add…

        In addition to what you suggested, I would say a two-pronged approch.

        Employee retention and high morale = more people familiar with the policies. In addition, a low turnover limits the amount of unfamiliar faces. If contractors and consultants are used, use them long term so their faces are known to full-time employees. All visitors should have a center to report to with a comfortable waiting room with a bathroom attached and refreshements available. Not only does this give the impression that your company is warm and inviting, it also gives visitors no reason to leave the secure area prior to their escort arriving or business being done.


        Thank you for your comments. I’ve worked for sucessful companies, and companies that were crashing and burning.

        You can not have effective security if you approach it from a punitive approach. Employees resent it, will try to hide mistakes if they know they will be punished for simple human error, or even actively sabatoge security efforts out of anger or revenge.

        In my approach, I attempt to set up the ‘win – win’.

        The company’s end goal is security. The money and resources spent on maintaining high morale will more than be recovered by the reduced cost of formal security precautions.

        • #2617299

          You hit the nail on the head

          by frank.stephens ·

          In reply to Defense:

          Punitive approaches do not work. As a security professional, you must develop trust and a positive relationship to all until they disprove the relationship by their premeditated/criminal actions. Just like my Grandmother used to say, you can catch more flies with honey than with vigager.

        • #2617291

          US vs THEM should be…

          by locrian_lyric ·

          In reply to You hit the nail on the head

          The company VS the social engineers, NOT the company VS the employees.

          Even if you want to be absolutely focussed on the bottom line, the methodology is an effective one.

          A punative approach to security only provides holes for exploitation via social engineering.

          The simple fact is that an employee who is lax on security is lax in other areas as well. If they must go, make sure that the ‘gotcha’ is their job performance and not any issue with security.

    • #2618264

      The more you tighten your grasp….

      by n4aof1 ·

      In reply to Social Engineering self-defense.

      Not quite exactly social engineering but one closely related area where security departments screw up badly in the name of ‘increased’ security is related to passwords.

      We’ve all heard the horror stories from a decade ago about safe combinatiosn that were the wife’s birthday and passwords that are the kid’s names; but today we have something even easier to engineer — every employee needs a dozen or more ‘different’ passwords, each of which must be “eight or more characters, including at least two upper case letters, at least two lower case letters, at least two numbers, and at least two special symbols” – then we see security getting creative with extra password rules such as “no vowels”, or “no repeated or consecutive letters/numbers” or maybe you must type your password while standing on one foot and patting your head with one hand. The more complex the passwords the more likely that employees will write them down where someone else can find them.

Viewing 3 reply threads