In the world of security, social engineering refers to the various ways of persuading individuals to divulge confidential information that lets an unauthorised person gain access to privileged information or systems. It never ceases to amaze me the amount of trust the average Kiwi has, which unfortunately makes them an easy target for those trying to gain unauthorised access to a secure system. For instance, someone rings up saying they’re calling from your bank and require your personal details. They have just enough information about you to make you think they’re legitimate. Where did they get the info? Maybe from dumpster diving, looking for discarded documentation that is innocuous by itself but powerful when coupled with other sources of information, or maybe from discarded or lost media (DVDs, CDs, thumb drives). Have you ever had to ring up the IT helpdesk because you forgot your password and asked for it to be reset? How many companies confirm the individual is who she says she is before resetting her account password?
Rummaging around for information on a company, such as lists of personnel, their job titles and their email addresses, usually pays off: it can be found on the company’s website or in discarded paperwork that hasn’t been shredded. Each piece is harmless on its own, but together they add up to an advantage for the bad guy.
Kiwis love using EFTPOS – who carries cash these days? Yet the majority of people don’t cover or try to hide their PIN entry. Yes, EFTPOS uses multi-factor authentication (the card plus the PIN) to make it tougher to crack, but it’s not impossible: once someone has watched your PIN, all that stands between them and your account is getting hold of the card. Why provide the temptation? The various authentication technologies fall into three categories: something you know (e.g. a PIN), something you have (e.g. a bank card) and something you are (e.g. a retina scan or fingerprint). Multi-factor authentication uses more than one of these categories, not merely more than one credential.
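To make the “more than one category” point concrete, here is a small added illustration (my own example, not part of the original post): a policy check that classifies each presented credential into know/have/are and only treats the login as multi-factor when at least two distinct categories are present. The credential names and the mapping are assumptions for the example; the interesting cases are that card + PIN counts, while password + security question does not, and that a shoulder-surfed PIN drops EFTPOS back to the single “have” factor.

```python
from enum import Enum

class Factor(Enum):
    """The three authentication categories described in the text."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Assumed mapping of credential types to factor categories (constructed for
# this example; a real policy would be driven by the authentication system).
FACTOR_OF = {
    "pin": Factor.KNOW,
    "password": Factor.KNOW,
    "security_question": Factor.KNOW,  # still "know": not a second factor
    "card": Factor.HAVE,
    "totp_device": Factor.HAVE,
    "fingerprint": Factor.ARE,
}

def factor_categories(presented):
    """Return the set of distinct categories covered by the presented credentials.

    Unknown credential types raise rather than silently counting as a factor.
    """
    categories = set()
    for credential in presented:
        if credential not in FACTOR_OF:
            raise ValueError(f"unknown credential type: {credential!r}")
        categories.add(FACTOR_OF[credential])
    return categories

def is_multi_factor(presented):
    """True only when credentials span at least two distinct categories."""
    return len(factor_categories(presented)) >= 2

def factors_remaining_after_compromise(presented, compromised):
    """Categories an attacker still lacks once some credentials are observed.

    Models the shoulder-surfing scenario: a watched PIN removes the KNOW
    category, leaving only the card (HAVE) between the attacker and the account.
    """
    return factor_categories(presented) - factor_categories(compromised)

if __name__ == "__main__":
    print("card + PIN is MFA:", is_multi_factor(["card", "pin"]))
    print("password + security question is MFA:",
          is_multi_factor(["password", "security_question"]))
    print("left after PIN is shoulder-surfed:",
          factors_remaining_after_compromise(["card", "pin"], ["pin"]))
```

The usual mistake this catches is treating a second knowledge-based credential (a security question, a memorable word) as a second factor; both are things the attacker can obtain by the same social-engineering conversation.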
In addition, it’s surprisingly easy to gain access to a building by tailgating someone who has legitimate access. People tend to hold the door open, especially if you look innocent and trustworthy or have your hands full. Rarely is anyone challenged or asked for proof of identity, especially if they look like they belong. This can be particularly lucrative at lunchtime, when many employees are out and have left their workstations unlocked. It’s like manna from heaven for someone looking to make trouble and gain access to confidential information and/or secure systems.
I think security testing should not only focus on trying to overflow buffers, SQL injection, cracking passwords and testing the strength of password storage, denial of service, or hacking into the system under test, but should also consider how the system can be compromised using information gained through social engineering. Don’t you agree? In my mind, it’s equally important to investigate what damage could be caused that way and then what measures can be taken to minimise the impact.