Social engineering and company security

All you have to do is ask

This is an article from CA Magazine regarding social engineering and company security.

“Fraudsters are increasingly using social engineering to breach a company’s security and it’s amazing how easy it is to do.

…A few years ago Lares founder Chris Nickerson explained how easily he infiltrated a retail company with a large call centre. He told CSO Newsletter that on-site security vulnerability testing requires his team to acquire information about the target prior to the exercise. “I like to find holidays or time-relative events,” he said. “In this particular exercise, there was a horse race going on in the area. Everyone in the city and around it geared up and left the office to go to it. That was a perfect time for me to come in and say I have an appointment with someone we’ll call Nancy. I knew Nancy wasn’t going to be in the office because on her MySpace profile it said she was getting ready to go to the race. Then her Twitter profile said she was getting dressed to go to the event. So I knew she wasn’t in the office. Before I went to the office, I went to a thrift shop and got a Cisco shirt for $4. Then I went in and said, ‘Hi. I’m the new rep from Cisco. I’m here to see Nancy.’ The front desk attendant in this situation said, ‘She’s not at her desk.’”… Read the full article to see how this scam was carried out.

Clever and confident con artists know how to beat systems and it’s impossible to keep all fraudsters at bay. But many companies don’t even try. Employees need to be trained on social-engineering techniques and given clear rules about what information, such as passwords, should never be given out to anyone they don’t know. Fear of insulting or angering a senior person who demands such information over the phone is one of the primary ways social engineers obtain their information.

In other words, make sure everyone knows that not being social at times is the best way to protect against being conned.”

The full article can be read here.