This year’s Defcon event will feature a contest that asks social engineers to infiltrate target companies. But the challenge is only one part of a larger mission to get people thinking about social engineering.

How strong is your schmooze? That is the question participants in an upcoming contest at this year’s Defcon event will attempt to answer at the end of July. The Social Engineering CTF (capture-the-flag contest) is sponsored by the group that runs the website social-engineer.org and will ask contestants to gather information and then plan a realistic and appropriate attack vector, according to Chris Hadnagy, one of the site’s founders.

“We thought ‘How can we showcase social engineering skills and not go over that line of what is ethical and moral?’” explained Hadnagy.

According to the rules of the contest, each contestant is emailed a dossier with the name and URL of a “target” company. Before the conference, contestants may gather any information they can find on the internet, but no phone calls, emails or other contact with the company is allowed before the Defcon event. Contestants then compile their findings in a professional-looking report, which a judging panel reviews. At the conference they are given 5 minutes to explain to the crowd what they did and what their attack vector is, and then 25 minutes to perform the attack. Points are awarded for information gathered as well as for goals accomplished during the attack. Each contestant receives a list of approved “flags” that contains no personal or financial data; the flags are meant to encourage contestants to think outside the box while avoiding anything illegal. The idea is to raise awareness and highlight social engineering techniques without leaving the targets feeling violated, said Hadnagy.
And the contest is only one of several efforts by Hadnagy and his team aimed at raising awareness of social engineering dangers. CSO caught up with him for an overview of what social-engineer.org is all about, and the audience it serves.

CSO: Who should read the information on social-engineer.org?

Chris Hadnagy: The idea was originally geared to security professionals and industry professionals that want to secure their company from social engineering attacks. It was a framework developed to say ‘Here is how a social engineer works.’ The framework is designed to go through a literal social engineering attack and all the techniques that might be used and then analyze them from a psychological and physical viewpoint. Now that the site has evolved, I would say anyone interested in securing themselves at all should read us. We have branched out into personal security, identity theft, and even how to protect your families from these threats. On our podcast, we interviewed a guy who had intimate knowledge of how identity thieves steal someone’s ID, social security numbers and credit scores and then use them maliciously. He told us, step by step, how these guys do their evil deeds. We released that publicly, to help educate people about these threats and help them see how to protect themselves.

CSO: What is your mission?

Hadnagy: To raise awareness about what social engineering is and also to raise the bar, so to speak, for what social engineering auditors should be doing as part of their practices. What prompted this was that, as a social engineering auditor myself, I found there was not much useful information on social engineering on the Internet.
There was no conglomeration of information that said ‘Here are some skills you can practice if you are interested in becoming a social engineering auditor’ or ‘Here are things to look out for if you are a company concerned about social engineering.’ You can find many, many resources about protecting yourself against hackers and the types of attacks they launch. But even though social engineering has been used as an attack vector for much longer than software hacking has, there were very few resources out there about it. Our mission statement was to make a site with all of this information compiled in an easy-to-read and easy-to-use format: all the parts of social engineering, how they are used, and examples of how they have been used in the past. We wanted to eventually branch out into education courses, which we are still developing, that will help educate people about how the malicious guys think and what tools they use, so they can defend against it. Our motto is “Security through education,” and we feel this is the best way to be protected.

CSO: How do you communicate the magnitude of the social engineering threat?

Hadnagy: There were two things I read recently that scared me to death. The first was more personal, since I have children myself. There was a case of people who were using video game systems to manipulate children into taking naked pictures of themselves and then sharing these pictures. The con was to get these kids to think that if they want to be part of this club, or this group, they need to do this. Having kids myself, I found this a scary piece of news. Parents may not realize that something like that is a malicious form of social engineering that is happening all the time, and, in this instance, they were using something not really expected or monitored by many parents, like a gaming system.
The second thing I read recently was a report that stated that in 2009 the average cost of a data breach was up to $6.75 million per breach! Related to that, another report said that, from their research, over 80 percent of all breaches involve social engineering. These facts were staggering to us and helped us to see why awareness was even more necessary. The problem is, these stats only come after the fact. Security professionals talk to companies left and right and ask ‘How many of you would open a malicious pdf?’ The typical reaction from a company is ‘Of course we wouldn’t fall for that. We have these procedures in place to prevent that sort of thing from happening.’ But then I present the scenario of what if I were to call you as a guy who wants to buy something from the sales department? I call your lead sales guy and say I have all my specifications laid out in this pdf. What sales guy is not going to open that? All I do is embed some malicious code into the pdf using Metasploit or the popular tool on our site called S.E.T, do a little research about what version of Adobe he has installed and Bam! He opens it and it’s game over. I own your company. These things are happening every day, and the little bits of information that are tossed in the trash or given out over the phone lead to some of these $3 million breaches. Our mission with both the site and the contest is hopefully to raise awareness that these threats are real and being used daily. By raising the awareness we also hope to encourage people to seek out education on these things so they can learn how to protect themselves and their companies.
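The “spec sheet” PDF scenario Hadnagy describes above relies on the document carrying an active payload that fires when the reader opens it. As an added example (not from the interview, social-engineer.org, or any of the tools it mentions), the following Python triage script shows the kind of inbound-attachment check a sales or mail gateway can run before a file ever reaches a reader: it scans a PDF for the object names that give a document active behaviour (/JavaScript, /JS, /OpenAction, /AA, /Launch and similar), decodes the #xx hex escapes attackers use to hide those names, and inflates FlateDecode streams so names tucked inside compressed objects are seen too. The two PDFs it examines are constructed inline for the demonstration; the “suspicious” one carries a placeholder JavaScript alert and a placeholder /Launch action, not a working exploit.

```python
import re
import zlib

# Names that give a PDF active behaviour. Which ones matter most is a policy
# choice (assumption made for this example): anything that runs code or a
# program at open time is treated as high severity, attachments and links as low.
HIGH_RISK = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action that fires when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/RichMedia": "embedded Flash / rich media",
}
LOW_RISK = {
    b"/EmbeddedFile": "carries an attached file",
    b"/URI": "opens a URL",
}


def normalise_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes so that /Java#53cript reads as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the decompressed bodies of every stream that inflates with zlib."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode (image data, other filters): skip
    return b"\n".join(out)


def triage_pdf(data: bytes) -> dict:
    """Count risky names in the raw file and its inflated streams; decide."""
    text = normalise_names(data) + b"\n" + normalise_names(inflate_streams(data))
    hits = {}
    for name in list(HIGH_RISK) + list(LOW_RISK):
        # a trailing letter would mean a different name (/AA vs /AAPL)
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z])", text))
        if n:
            hits[name.decode()] = n
    high = [n.decode() for n in HIGH_RISK if n.decode() in hits]
    if high:
        decision = "quarantine"
    elif hits:
        decision = "review"
    else:
        decision = "allow"
    return {"hits": hits, "decision": decision}


# Constructed sample: a plain one-page PDF with no active content.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_suspicious_pdf() -> bytes:
    """Constructed sample: open-time JavaScript with a hex-escaped name, plus a
    placeholder /Launch action hidden inside a FlateDecode stream."""
    hidden = zlib.compress(b"<< /S /Launch /F (placeholder) >>")
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /S /Java#53cript /JS (app.alert('spec sheet')) >> endobj\n"
        b"5 0 obj << /Length " + str(len(hidden)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + hidden + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", build_suspicious_pdf())):
        result = triage_pdf(pdf)
        print(label, result["decision"], result["hits"])
```

A name-based scan like this is a coarse filter, not a verdict: it catches the common case of a document that does something at open time, but a reader exploit that needs no script (the “what version of Adobe he has installed” part of the scenario) can live in a malformed font or image stream that this script never inspects. Use it to route attachments to sandboxing and to a human, alongside patching the reader and disabling JavaScript in it, rather than as the only gate.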