In Depth

Social Engineering: Anatomy of a Hack

How a social engineering expert gained access to extremely sensitive information with little more than a thrift-shop shirt, a plate of cookies and a Linksys box

By Joan Goodchild, Senior Editor

Page 3

A short time later, a full team of people came in. A lot of the work that was done at this facility was shift work, and it was shift change time. Because we did our homework right, we were at two of the three cubes that were vacant, so there were no conflicts or questions.

Everyone sat down around us. I announced myself as the Cisco engineer who was working on the phone system. Many of them responded with jokes and said things like "Honey, please don't fix it. I don't want to take any calls today."

One thing I have learned is that cookies are the keys to everyone's heart. When I'm doing the type of exercise where I'm posing as a tech, or a VAR, I like to bring cookies. I did for this exercise and I started passing out cookies to everyone in the area. We were all laughing, having a great time. Meanwhile, we were in the middle of hacking their entire network.

In the end, what we exposed for the client was the vulnerability of their physical access, and we showed them some of the blended techniques we used to get in. We were able to demonstrate how, with social engineering, we were able to hack the SQL Server and dump the whole database of everybody's account information. This kind of breach could have cost them multiple billions of dollars. And we had access to all of it because of these vulnerabilities. We wore button cams and hat cams so they could watch how it was done.

Companies need to run a general social engineering awareness campaign. You need to tell employees what to look for and how to look for it. Companies need to teach employees that it's not that the company doesn't trust the people within the organization, it's that there are people out there trying to do this every day. It is just a good awareness technique to do it.

If someone is coming to work on your environment, you should probably know who they are. If you think of your company like your home, you do things differently. You are not going to just let someone walk into your house. That is the kind of philosophy companies need to inject into corporate culture.
