Upright and under cover: getting your own hacker beats letting outsiders in
This article was published in SC Magazine as “Upright and under cover: getting your own hacker beats letting outsiders in”.
What is social engineering?
A social engineer starts by gathering Open Source Intelligence (OSINT), continues the sleuthing on social media, and at the end of the engagement gives the company an overview of its security posture, without any of the data taken on the job being lost.
Organisations worldwide invest billions of dollars in cyber-security technology each year. The latest estimates by Gartner predict that US$ 93 billion (£68 billion) will be spent on solutions in 2018, and for good reason. Those looking to protect sensitive data and prevent costly downtime need technology. According to estimates by Accenture, cyber-crime cost US businesses an average of US$ 11.7 million (£8.5 million) in 2017, when organisations suffered an average of 130 successful data breaches per company, 27 percent more than the previous year. Cyber-security software is an essential weapon in the ongoing fight against insidious cyber-criminals, but it's not the only unit that can be deployed.
While we face this onslaught of cyber-threats, we are held more accountable for our security posture. On May 25, 2018, the EU will enforce the General Data Protection Regulation (GDPR). From then, regulators can apply hefty fines to businesses failing to safeguard EU citizens' data. In today's increasingly regulated world, cyber-security software provides an essential layer of protection against a breach and the potential fine that could come with it.
However, what's often overlooked are the physical access points, where criminals can steal data and information in person. If you can see something, you can look after it, right? Not necessarily – just ask one of our social engineers, who shows companies how easy it could be for a cyber-criminal to walk in and escape with their most precious assets.
Social engineering engagements use cyber-security experts who are on the front lines of prevention daily to emulate a targeted attack, using the same sophisticated tactics as genuine threat actors. Companies from every sector use the results to raise awareness throughout the company and transform their employees into their best defence.
It's the job of social engineers to think like a hacker. They blag their way into buildings, access confidential documents, and walk out with laptops. This sneaking around tests the limits of our customers' security and demonstrates how easy it would be for a cyber-criminal to gain access to sensitive information and expensive hardware.
Social engineers are successful because they blend in. Just like a potential cyber-criminal, they don't look dangerous, malicious or suspicious. They dress like any other office worker and engage in friendly chat with their “colleagues,” often pretending they're a visitor from another office or partner company.
What can social engineers get away with?
On a typical mission, social engineers will walk in with a list of questions. They aim to get away with anything a malicious hacker would try.
They get past card readers without a card to swipe and have staff open doors to offices and staff-only areas. They manipulate people into believing a made-up pretext, and even to hand over sensitive information.
Once they're trusted, the social engineer will plug into the network and attempt to compromise information. They access confidential documents left at printers and have been known to walk out with laptops with ease. Staff leave them alone in server rooms, where they're trusted with the office's data like any reliable employee.
How do they do it?
At the beginning of a typical engagement, a social engineer will try to find out anything they can about the target. They start by gathering Open Source Intelligence (OSINT). Using a fake LinkedIn profile, they hunt for anything from which they can build their pretext. The organisation might list their partner companies or suppliers, so they could say they have come as a representative of one of those third parties.
The sleuthing continues using social media, where social engineers can find out which employees are on holiday, what staff wear to work, and if they're lucky, find a picture with a staff pass on view that they can replicate.
Nobody usually challenges them; once they make their way into the offices, their pretext works. As “someone from head office,” they have an air of authority. When inside, they give a plausible story. They might be coming to gather asset IDs of all laptops, printers, servers and phones, for example.
The chances are that the client's polite and personable employees don't like to see a fellow member of staff struggling, so when our social engineers hold on to a coffee cup and a clipboard and stand helplessly by secure entrances, doors are politely held for them and the company's staff will swipe them in. Sometimes, though, they just walk straight in and over to the staff-only areas. They make it look like they know exactly what they're doing, and nobody asks any questions. Social engineers know how to read people, and they know how to blend in using the same skills as cyber-criminals.
These techniques are employed in certain circumstances, depending on the possible points of compromise. They're not always used.
While all this sneaking around might sound intrusive, it's done for a very important reason. The client has asked to be targeted, and at the end of the invasion they get an overview of their security posture without losing any of the data taken on the job.
When each mission ends, the client will get some good news and some bad news. Maybe they've done some good things by placing their data centre behind security doors, but these can be bypassed. Maybe they're locking confidential documents in filing cabinets, but an artfully twisted hairpin could open these easily. The client is taught exactly how important security awareness is within the company, and how much needs to change.
This isn't about telling your employees they shouldn't be nice or helpful. We work through all the information gathered to raise awareness across the entire organisation. Maybe it will encourage them to raise concerns if someone with no proof of identity other than a printed piece of paper in a badge holder is hanging around.
It's an important lesson, and it's only through a realistic, rigorous simulated attack that the limits of your organisation's physical security can be truly tested.