This series focuses on how small to mid-sized enterprises manage common threats within a 24-hour period. In this installment we learn how one SME deals with its social engineering attack crisis and prevents future ones from happening.
Julian Elko seemed to be having a bad day. He was heading to his first day on the job, and he had forgotten his key card and misplaced his manager’s phone number…
Julian arrived at the Velocitech office and explained his predicament to the receptionist with equal parts charm and apology. She gave him a temporary card and said he would have to sort things out with his manager on his own. Using the card, Julian made his way to his manager’s office, but it just so happened that his manager was on vacation for the week, so he never got to shake hands with the new boss.
Because he was new and hadn’t met anyone yet who could show him around, Julian was unsure of which cubicle was his so he wandered about checking in with his co-workers, striking up conversations and basically figuring out what was expected of him in his new position.
The manager had apparently forgotten to tell anyone that Julian was starting, so no user account had been created for him. Luckily, a helpful employee logged in with her own credentials so he could get to work. Although he had access now, Julian didn’t have any job assignments yet, so he decided to get busy by cleaning up the office. He went around to every cubicle and room, including the boardroom, gathering up the trash and taking it to the compactor.
Julian’s first day on the job had gone much better than expected—but the reality was that he didn’t work for Velocitech. If anything, you might say Julian was "self-employed." Despite not being a real employee, between the documents he pulled from the trash and the passwords he picked up by watching over employees’ shoulders, Julian gained unrestricted access to Velocitech’s systems.
He got into Velocitech’s network without any hacking skills whatsoever; he relied on good old-fashioned social engineering. In other words, he ran a con. He counted on the employees’ helpful human nature to ingratiate himself with them and gathered bits and pieces of information through a variety of methods: tailgating on a temporary badge, borrowing a logged-in session, dumpster diving and shoulder surfing.
If these methods had not worked, Julian had a fallback plan: a reverse social engineering ploy in which he would release a couple of rats on the complex and then show up as pest control, so that the staff would welcome him in as the solution to a problem he had created himself. The best part about reverse social engineering is that, if it goes well, the victims often never realize they have been compromised.
There’s a twist to Velocitech’s story, though… fortunately for the company, its manager had secretly hired Julian for a specific job—to find out how secure the business really was.
After the manager returned from "vacation," Julian met with him to share his findings. The manager was understandably concerned that Julian could infiltrate his network and walk off with so much information so easily, so he asked Julian to help him put together a defense plan.
Julian pointed out that a written and enforced company policy would have made things much harder for him. Policies should cover areas like information access controls, escorting visitors, account provisioning, issuing ID cards and reporting lost ones, and password changes. Julian also made the following points:
Policy works best as a layered, tiered structure: if an intruder gets past one level of access control, there should be several more behind it that can still stop him or her from reaching the data. The depth of training should also match the employee’s position within the organization. Key personnel who handle valuable information will obviously need to follow stricter rules than employees with limited access to it.
Finally, writing a policy isn’t enough. Measures must be taken to make sure employees actually follow the new rules. Supervisors should follow up with their staff and ensure they not only recognize the warning signs but also document and report them appropriately. Creating a climate of healthy caution among staff will go a long way toward keeping people like Julian away from sensitive data.
By Nathan Darling