Social Engineering Attacks - A Pen Test with Brain Hack
Social Engineering is one of the most valuable, yet underutilized, assessment tools for both Internal and External Pen Testing. We are a company of social engineering and network security experts. Our Social Engineering Assessment is typically a part of a larger penetration test that emulates a real attack. This simulated attack is lead and executed by a team of ethical hackers, social engineers, and auditors. Standalone social engineering can also be very valuable and provide great insight into your real world security posture.
The actual origins of social engineering date back to the industrial revolution, in an essay by J.C. Van Marken. Marken was a Dutch Industrialist who’s premise was that Mechanical Engineers kept a factory’s machinery running and Social Ingenieurs (social engineers) enticed or motivated workers even though the conditions were horrible.
Today, the value of a Social Engineering Attack Assessment comes from the insight gathered about the user’s security mindset, the company or organizational culture as it relates to security, and the implemented security policies and procedures.
Do your employees take security and their role seriously, or do they mock it privately and see training as a mandatory waste of time?
The best technical security measures provide no protection if VPN or Wireless Access can be gained through a simple phone call asking for a username and password. Alternatively, hackers can create a reverse website by send emails asking employees to vote for their favorite secretary or bikini model on a fake or hijacked website. These Phishing or Spear Phishing email attacks are current, relevant, effective and in all over the news (see bottom of page).
Social Engineering Attacks Target the Mind of the User
The objective of a Social Engineering Attack is to hack a user's brain. A hacker can circumvent an organization's technical security safeguards by tricking users into ignoring organization policies, procedures, and training. There are two major types of social engineering assessments: remote social engineering tests and local/onsite social engineering tests.
Remote Social Engineering Attacks
Our social engineers’ primary tactics used for remote social engineering are phone calls and email attacks (phishing attacks). Both attacks are customized to test your specific company environment. This includes training, policies, and procedures, as well as your target audience– IT, help desk, administrative assistance, etc.. We can also customize these tests to meet specific regulatory requirements such as NERC or HIPAA/HITECH.
- Phone Attacks: The target employee group is contacted by our team of security consultants who attempt to obtain passwords, usernames, names of network administrators, or sensitive and proprietary information. Normally we try to get small pieces of information, but sometimes a call from "IT" requesting their user ID and last 6 characters of their password is effective.
- Email Attacks: The most effective email attacks target a few of the less technically inclined employees or financially motivated individuals. Email social engineering usually comes in two types. The first tries to get a user to provide targeted information – usually the same information used in the phone type attack. The second type of attack contains an attached file with a payload attached, or a message leading the user to a fake website where a reverse tunnel is created before redirecting to the real site.
Onsite/Local Social Engineering Engagement
There are numerous social engineering types and methodologies used during on an onsite assessment. Our social engineers require informed consent from management, but these engagements are most effective if only a few individuals are aware. These attacks include:
- Shoulder Surfing: Engaging someone in conversation and asking them a question that requires them to access the network. Hackers steal the username and password as they are typed. This tests a user’s security awareness or mindset and their physical environment (i.e. monitor placement).
- Hold the Door: This simple technique works well to gain physical access to secured buildings or secured areas of a building. This is especially effective around “designated smoking” areas where you can immediately become part of a social clique forced to endure smoker discrimination. This often opens more than just physical barriers.
- Key Loggers: Hackers walk around with a clipboard, or “Notepad Access Device”, pretending to do inventory while installing USB key loggers on common use/shared systems.
- Portable Media: Placing DVDs, CDs or USB drives with an appealing theme or title in common use areas, hackers entice employees to insert bugged devices into their computers. Likewise, dropping off a box of USB drives with the company logo is equally effective. For example: "Hi I’m Bob from Marketing! We ordered way too many of these thumb drives – can I leave a few boxes here so that anyone that wants or needs one can get them? Only one each please." These devices all “call home” with the local username, password, IP address, computer name, and MAC address. No harm is done to the PC, but hackers have access to all sorts of information.
You must take the time and effort to build layers of technical safeguards into your network infrastructure. But the only true security antivirus software for the human brain are education, training, and testing.
Social Engineering Attacks In The News:
US Nuclear Regulatory Commission Computers Infiltrated, August 18, 2014
Computers at the US Nuclear Regulatory Commission (NRC) were infiltrated several times in the past three years, according to the findings of an internal investigation. One attack was perpetrated through spear-phishing – an email message sent to just over 200 NRC employees attempted to get the recipients to provide their logon credentials. About a dozen employees clicked the provided link. A second spear phishing attack attempted to infect recipients’ computers with malware. A third incident involved someone breaking into an employee’s email account and sending malware to a handful of other employees.
The Social Engineering Tool Kit (SET) is a Free Open Source Collection of Tools
The Social Engineering Tool Kit (SET) an open source set of tools designed to easily craft, deploy and exploit social medial vulnerabilities as well as leverages the power of Metasploit framework is readily available. The SET is distributed as part of Kali Linux. Kali is a free Debian distribution widely used for Penetration Testing. The only way to verify you have the correct type and distribution of security antivirus for your network of human brains is a controlled social engineering attack. The SET aside – it is very easy to craft an attack leveraging the popularity of social media. Social media lends credibility to phishing or spear phishing attacks; this requires no technical skills or training and has achieved target compromise rates as high as 33 percent! We only need to compromise 1 system or 1 user to bypass all of your expensive technical safeguards.