Social engineering is all about manipulation, misdirection, and, above all, opportunity. I was lucky to be mentored and introduced to social engineering and physical security assessments early in my professional career. While I recommend consulting with an experienced professional before performing this type of assessment on your own, I would like to walk you through the basics of learning this skill set.
I would also like to point out that I am not a lawyer, and you should not attempt to perform onsite social engineering without first consulting with an attorney.
Before addressing how to perform social engineering, I would like to address why it needs to be performed as a part of any thorough security evaluation. Like any security assessment, it should be viewed as an activity to give insight into the application, deficiencies, and limitations of corporate security policies.
In my professional opinion, some of the more important reasons to conduct this type of testing are the following:
- To determine how well your organization’s policies are being followed.
- To test physical controls and monitoring.
- To identify potential training opportunities.
The results of social engineering engagements should not be used for punitive purposes, which social engineering companies commonly specify in their engagement contracts. Instead, social engineering engagements should be used as eye-openers and training opportunities for employees. The results of social engineering engagements can be leveraged to convey upper management’s support of security policies and challenge employees to follow those policies without fear of repercussions. Engagements can be used to instill the notion that policies regarding security have received executive approval and should be followed as if executive management is conveying them. These engagements present the unique opportunity to show that upper management expects employees to challenge visitors without fear of threats or repercussions.
Important topics to address before entering a client location include the following:
Safety should always be your first concern when performing onsite social engineering. Posing as someone else in order to gain physical access to restricted areas is inherently dangerous. You must be aware of your environment at all times, including both the physical environment and the demeanor of those around you. This is crucial for your safety and the success of the engagement.
I strongly advise performing social engineering in pairs. Your partner can monitor you from a vehicle and alert you to any problems or situations that are developing. A partner can also help you out of tight situations by radioing you and saying you are needed elsewhere.
Closely tied to—and almost as important as—safety is authorization. Before performing any actions related to any form of social engineering, you should have proper signed consent from an authorized party at the organization initiating the engagement. You should have clearly defined rules of engagement in writing prior to performing any testing. These rules of engagement should not be changed upon the start of the engagement. These rules should be static; any significant last-minute alterations of the rules of engagement could negatively alter your plans and impact your safety.
A major piece of documentation that is required before beginning any sort of testing is the “get out of jail free card.” This is a document, signed and dated by an authorized party at the client, stating information that includes, but is not limited to, at least two client points of contact, their phone numbers, and the party you will be impersonating. I highly recommend that the “get out of jail free card” be reviewed by an attorney, and social engineers should keep in mind that this may be a “gray area” that varies by state, county, or municipal area.
Preparation is essential when performing social engineering. You should know details about your client, the environment you are entering, and the role you will be impersonating.
It cannot be stressed enough how important appearance is when performing onsite social engineering. You don’t need to look identical to your cover position down to the last detail, but you should look believable. This could mean using a realistic uniform with generic pins and patches that were ordered online to decorate your uniform. Generic props unrelated to your cover can also accent your disguise.
Attention to detail is critical, and it is also important to know which details matter more than others. A perfect example of this is if you are making use of a badge and ID combination to impersonate an official of some sort (never law enforcement). In this situation, it is much more important to use a realistic badge than it is to have a well-made ID card. The trick is to show your target the ID just long enough for the target’s eyes to look at the badge (which targets always look at first), then take it away before the target can inspect the fake ID. This also serves the purpose of testing how well employees inspect the identification of visitors before granting them access to non-public areas of a location.
Possibly second only to appearance, a confident attitude is one of the best traits a social engineer can possess. Preparation helps improve your confidence, demeanor, and ability to act under pressure. A quote attributed to former president Dwight D. Eisenhower summarizes the importance of preparation perfectly:
“Plans are worthless, but planning is everything.”
Constant communication with your points of contact is another extremely important factor, both for safety reasons and to ensure that there are no issues on their end. Ideally, you want to speak with one of your points of contact both before and after entering a physical location. You want to keep them abreast of your plans and location, and you want to ensure that you can reach them if something goes wrong.
Communication between you and your partner or home office is also key. Your partner is there to monitor the situation and act as your safety net if something goes wrong. For example, a partner could help you out of a situation through contacting you about an “emergency” needing your attention or to warn you about a problematic situation developing outside of the building.
Social engineering is an exciting and rewarding profession, but it does come with risks, so it is critical that you prepare and follow the guidelines listed above.
Until my next blog entry, keep in mind that the best lies are at least half truth.
Readers interested in further details about this topic can reach us at: firstname.lastname@example.org