Cyber Security Articles & News

Social Engineering Schemes Target Humans, Not Technology

Posted by Mitnick Security on Jul 30, 2018 5:00:00 PM

In the world of cybersecurity, it’s a well-known secret that the weakest links in every cyber defense strategy are humans, not technology. Many times, it’s simpler to blame technology, and then to look to technology to solve the problem. 

Arguably, the most (in)famous hacker is probably Kevin Mitnick, who used a wide variety of scams and cons to get the information he was after. Using only his acting skills, Mitnick was able to obtain passwords and access dozens of computer networks.     

It’s all about efficiency for hackers. Why spend hours breaking into a network when you can convince someone to give you a password?

Tactics of penetration testers

For penetration testers, an on-site visit is often used to test security processes and procedures. After obtaining written permission, penetration testers will try to “tailgate” into a building following legitimate employees through secure doors. Other times, they will talk to the receptionist (e.g. the “casual” security guard) to try to gain access. They will need a cover story, but that is easily concocted with a hi-visibility vest, hard hat and clipboard.  

More diligent companies will require that the receptionist or guard record the ID of the person entering. That is also no problem for a penetration tester. Thanks to the internet, there are dozens of websites that sell fake drivers licenses. 

Customers of these sites are typically teenagers trying to obtain a fake ID to purchase alcohol underage. However, the fake IDs they produce are quite good. They even show the proper markings under a black light. Without formal training, most receptionists and guards would probably accept the fake IDs, especially if they are from another state.

Verify the story, not the ID

So what can we do? First, training to detect false IDs is important. More importantly, employees should be taught that an ID is only part of the story. If the visitor doesn’t have an appointment, or their story seems vague, a valid-looking ID won’t overcome that. You have to take into account the whole situation, and verify the story, not the ID. That means checking to see if maintenance really called for someone to come in and help with a malfunctioning air conditioner or smoke alarm. For example, you can ask for the name of someone who contacted the service and then actually call that person for verification.

Your first line of defense is the front desk

The fake ID example above highlights a common target of social engineering: receptionists.

Read the full interesting article at the source.

Source: Global Knowledge

Topics: penetration testing, social engineeering, World's Most Famous Hacker, cybersecurity, fake IDs, keynote speaker, PIN numbers, security awareness training, password theft, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

What is a Penetration Testing Framework?

Penetration testing services are performed by cybersecurity companies to help find weaknesses in an organization's network, internal systems, and show..

Read more ›

What To Expect During Red Team Operations

Companies are producing an exponential amount of data every day and by 2025, it’s estimated that there will be about 181 zettabytes of data. As your o..

Read more ›

4 Considerations When Choosing Between Pentesting Companies

As business models continue to evolve the need for cybersecurity measures is more necessary than ever before.

Read more ›
tech-texture-bg

© Copyright 2004 - 2023 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy