Social Engineering Schemes Target Humans, Not Technology

In the world of cybersecurity, it is an open secret that the weakest link in any defense strategy is people, not technology. It is often simpler to blame technology, and then to look to technology to solve the problem.

Arguably the most (in)famous hacker is Kevin Mitnick, who used a wide variety of scams and cons to get the information he was after. Relying largely on social engineering rather than technical exploits, Mitnick talked his way to passwords and gained access to dozens of computer networks.

For attackers, it is all about efficiency. Why spend hours breaking into a network when you can convince someone to hand you a password?

Tactics of penetration testers

For penetration testers, an on-site visit is a common way to test physical security processes and procedures. After obtaining written authorization, testers will try to “tailgate” into a building by following legitimate employees through secure doors. Other times they will approach the receptionist, or a guard who is only casually attentive, and talk their way in. They need a cover story, but one is easily built from a high-visibility vest, a hard hat and a clipboard.

More diligent companies require the receptionist or guard to record the ID of each person entering. That is no obstacle for a penetration tester either: there are dozens of websites that sell fake driver’s licenses.

Customers of these sites are typically teenagers looking for an ID to buy alcohol underage, but the cards they produce are quite good; they even show the expected markings under a black light. Without formal training, most receptionists and guards would accept them, especially an out-of-state license they have no reference to compare against.

Verify the story, not the ID

So what can we do? First, training staff to detect false IDs is important. More importantly, employees should be taught that an ID is only part of the story. If the visitor has no appointment, or their account of why they are there is vague, a valid-looking ID does not overcome that. You have to take the whole situation into account and verify the story, not the ID. That means checking whether maintenance really did call someone in to fix a malfunctioning air conditioner or smoke alarm. For example, ask the visitor for the name of the employee who requested the service, then actually call that person to confirm, using a number from your own directory rather than one the visitor supplies, since a phone number handed over by the visitor can just as easily ring an accomplice.

Your first line of defense is the front desk

The fake ID example above highlights a common target of social engineering: receptionists.

Read the full article at the source.

Source: Global Knowledge

Topics: penetration testing, social engineering, World's Most Famous Hacker, cybersecurity, fake IDs, keynote speaker, PIN numbers, security awareness training, password theft, Kevin Mitnick
