Social Engineering – A Penetrating Politeness

Imagine the scene. You’re walking from the car to the side entrance of the third hotel this week, last stop on a sales junket that has raised more cholesterol than warm leads. You switch suitcase hands and struggle to fish the key card out of your pocket. You slide the card and hear the click, then you hear from behind you a request to hold the door. You look back to see a fellow traveler wrestling a large duffle up the walk. You hold the door to save him the trouble of fishing out his key. He offers an appreciative smile and thanks and returns the favor by holding the elevator door for you. You get off on the second floor and he rides to the third where, later that night, he pulls assorted weapons from the heavy duffle bag and kills eleven people before taking his own life. They find the duffle in the third-floor vending room because the killer was not a registered guest. You learn this when the investigator asks why you held the door for him. You were just trying to be polite.

A Paralyzing Sense of Purpose

Now imagine your reception area, Monica regulating the flow of foot and phone traffic while multi-tasking for several departments with looming deadlines. Activity is harried because business has been good, staff is growing, and there is talk of new office space. Between calls, Monica greets Jeff with the warm smile that landed her the job. Jeff’s name badge suggests that he is an IT contractor, and Monica recognizes the logo. While Monica answers and directs three more calls, Jeff explains that Mike, your company’s IT Director, has sent him to upgrade the operating system on Monica’s terminal, to speed the processor up a bit. The pieces all fit. The badge looks real. She knows the IT Guy’s name is Mike. Her computer is slow from time to time, and she might have even mentioned that to her supervisor. Monica steps aside to answer the next call and smiles at Jeff as she points to her PC. Nobody dies in this scenario, but Jeff plants a device on her PC that gives him a way into your firm’s network from anywhere. He leaves with a smile as Monica directs traffic, and he tosses the fake badge in the trash at the gas station next door. Nobody asked Mike whether he had sent anyone.

Engineered to be Social

In both scenarios, ordinary social norms and human cognitive biases, not technical flaws, are what get exploited. The first is called tailgating: an unauthorized person follows an authorized one through a controlled door, counting on the fact that it is tough to be impolite to someone who asserts a request confidently and with a sense of purpose. We are engineered to be social. The second involves pretexting, the creation of a scenario that seems real to the victim, complete with a forged badge and the real IT Director’s name; it is essentially a phishing scam conducted face to face. Neither attack survives a simple check: verify before you act. A badge and a familiar name prove nothing on their own. A call to Mike before handing over the keyboard would have ended the pretext, and letting the traveler use his own key would have ended the tailgate. These are just a couple of the levers of social engineering.

The Meek Shall Inherit the Wrath

Constant vigilance is required to protect your operation from social engineering. You must always be assessing, developing, and educating. ICS can perform a Vulnerability Assessment that will evaluate your existing procedures and exposures and, further, work with you and your staff on Policy Development to safeguard your people and your data. These two steps are only as good as the third: the ongoing education of your staff on how to anticipate and handle social engineering attempts. That education should include periodic testing, such as staged tailgating or pretext calls, so you learn how your staff actually responds rather than how the policy says they should.

Social engineering is a quiet killer that preys on the ill-prepared and the congenial. Let ICS help your staff meet the threat with a confident smile and a no-can-do attitude, so that they are empowered to protect your network from the bad guys while using your data to find more good guys.