Have you heard of social engineering? If you are worried that it is something complicated and technical, have no fear, it’s not. Social engineering is as old as time itself and doesn’t need fancy technology. Criminals and fraudsters use social engineering techniques to trick people into giving them access to restricted areas. Once the criminal has gained access, they can then use that access to commit whatever crime they wish.
Social engineering relies on the human tendency to trust as a way to access these areas. The Infosec Institute details a great example of how a group of pen testers social engineered their way into a secure building without credentials. The story takes place in a high-level governmental institution in an unnamed country, where penetration testers were trying to find holes in the physical security of the building. When they were unable to get in using the front door, the pen testers noticed a fire escape staircase that wasn’t monitored by cameras. They also noticed an ashtray on the landing where employees were sneaking out for a cigarette break. Here’s how the Infosec Institute breaks it down.
“The pen testers were not smokers, but here they were, standing on the fourth floor of the fire escape staircase, cigarettes in their mouths, waiting. A dozen or so minutes passed before the first government employees came out to have a smoke. They said ‘Hi.’ Pen testers chatted them up about how they were going to spend the whole day in meetings. Usual office water-cooler talk. A couple of minutes later, they were done with the smokes and employees let the pen testers inside, wished each other a nice day and went on their separate ways. Within minutes, the pen testers had found a printer with admin-level network access to one of the most important networks in the country.”
The security failing in this instance is the fact that employees are human. Even though staff knew they were not supposed to smoke on the fire escape, they still did it. It also didn’t occur to anyone that someone would use that fire escape to try to breach the organization. Better monitoring of the fire escape and making it harder to reach would also have helped, but it was the human element that let the pen testers in.
When you are thinking of what is going to give you the best bang for your security dollar spent, employee training in security awareness can go a long way. Cyber awareness isn’t just about spotting a phishing email but can also teach staff about the different types of social engineering tricks they may run into. Your employees could be the difference between being breached and helping to prevent a breach. Make your staff part of the solution. Contact Quick Intelligence about our cyber awareness programs.