Onsite Social Engineering Part II

I'd rather lie to your face.

The average corporate security training program might be useful when it comes to thwarting remote attackers, but does it adequately prepare employees for face-to-face encounters? How are these situations different from one another? Why do physical attacks often succeed when remote attacks fail?

When I approach someone in person, my story doesn't have to be as complex. I don't have to explain every little detail about why I'm calling, who told me to call you, who authorized me, or why I need sensitive information from you. I can make my appearance lie for me. Combine the right look with confident body language, and you have instant credibility before saying a word.

My story doesn't need to be as elaborate as it would need to be to work on the phone. It's easier to pull a sleight of hand than it is to string together a long story about why I'm not the scam artist equivalent of a telemarketer. It's easier for someone to say no to a faceless intruder than it is to turn down someone dressed in a uniform a few feet away.

I don't need to convince you to give me your password, I only want in the door. After that, it's generally downhill.

"Would you mind getting me some water? Sorry, I didn't think to ask when we were near the third floor break room. Please? Thanks."

Ask anyone you know who has worked in Sales whether they have experience with "cold calling." Did they like it? Most people will probably respond "no" to this question. It's hard to call someone you have no relationship with and try to convince them to buy or do something. It's also much easier to reject someone over the phone.

Think about the uncomfortable feeling you get when about to enter a store and someone tries to sell you something. If you’re not interested, you might murmur "no thank you" and try to avoid eye contact. Now, combine that discomfort with the confused feeling of being in a high-pressure situation that you aren't sure how to properly handle. There’s a reason Girl Scout cookies aren’t sold by telemarketers.

It's much easier to challenge someone on the phone. If you're suspicious, you can just hang up. However, it's not as simple when that person is standing an arm's length away.

Most people try to avoid confrontation whenever possible. From an early age, we are conditioned to trust that authority figures have our best interests at heart (and some do). While some level of trust is required to exist in modern society, this trust can also be abused for malicious purposes. People never expect a con man to casually enter through the front door with a uniform and fake ID.

While people tend to be suspicious of someone asking for their password over the phone, it does not take too much effort to get someone to show you around sensitive areas. It's much harder to tell someone "no" who is right in front of you. Besides, who’s crazy enough to walk in the front door? These attitudes and behaviors are used by social engineers to manipulate unsuspecting victims into violating company security policies under the guise that they are just following orders and respecting the chain of command.

I'm not saying onsite social engineering is less stressful than performing it via phone, but more people fall for it. It's difficult to teach employees that they should challenge the authority of every visitor that walks through the front door. Security awareness training doesn’t always prepare employees to deal with a pushy would-be intruder in uniform. People often think of this situation as one of those "It could never happen to me" scenarios.

Onsite social engineering exercises are a good way to deliver a shock to employees' systems. Social engineering engagements can provide excellent opportunities for an organization to stress its security policies—especially in reference to visitor access and physical security.

A single successful social engineering engagement can create more employee awareness and leave a longer-lasting imprint on employees than dozens of policy and awareness training sessions. In fact, directly after a social engineering engagement is the perfect time to review those policies and really drive them home.

The results of a social engineering engagement should not be used for punitive actions or to single out employees for embarrassment. They should instead be used to identify potential areas for improvement and to reinforce organizational policies and procedures. The goal of social engineering is to raise awareness, not to spread outright paranoia.

Employees must be taught that not only should they question the authority of visitors, they are expected and obligated to do so. This starts with training and showing employees why their organization’s policies must be followed at all times. Social engineering is not just a "what if," it is something that could happen at any organization, and all employees need to be aware and trained to deal with these situations.

Additional Information

Readers interested in further details about this topic can reach us at: contact@www.ise.io