Social Engineering Schemes Target Humans, Not Technology

In the world of cybersecurity, it’s a well-known secret that the weakest links in every cyber defense strategy are humans, not technology. Many times, it’s simpler to blame technology, and then to look to technology to solve the problem. 

Arguably, the most (in)famous hacker is probably Kevin Mitnick, who used a wide variety of scams and cons to get the information he was after. Using only his acting skills, Mitnick was able to obtain passwords and access dozens of computer networks.     

It’s all about efficiency for hackers. Why spend hours breaking into a network when you can convince someone to give you a password?

Tactics of penetration testers

For penetration testers, an on-site visit is often used to test security processes and procedures. After obtaining written permission, penetration testers will try to “tailgate” into a building following legitimate employees through secure doors. Other times, they will talk to the receptionist (e.g. the “casual” security guard) to try to gain access. They will need a cover story, but that is easily concocted with a hi-visibility vest, hard hat and clipboard.  

More diligent companies will require that the receptionist or guard record the ID of the person entering. That is also no problem for a penetration tester. Thanks to the internet, there are dozens of websites that sell fake drivers licenses. 

Customers of these sites are typically teenagers trying to obtain a fake ID to purchase alcohol underage. However, the fake IDs they produce are quite good. They even show the proper markings under a black light. Without formal training, most receptionists and guards would probably accept the fake IDs, especially if they are from another state.

Verify the story, not the ID

So what can we do? First, training to detect false IDs is important. More importantly, employees should be taught that an ID is only part of the story. If the visitor doesn’t have an appointment, or their story seems vague, a valid-looking ID won’t overcome that. You have to take into account the whole situation, and verify the story, not the ID. That means checking to see if maintenance really called for someone to come in and help with a malfunctioning air conditioner or smoke alarm. For example, you can ask for the name of someone who contacted the service and then actually call that person for verification.

Your first line of defense is the front desk

The fake ID example above highlights a common target of social engineering: receptionists.

Read the full interesting article at the source.

Source: Global Knowledge

Topics: penetration testing, social engineeering, World's Most Famous Hacker, cybersecurity, fake IDs, keynote speaker, PIN numbers, security awareness training, password theft, Kevin Mitnick

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

PCI Testing: Everything You Need To Know

Penetration testing is crucial for businesses to help ensure that their security posture will stand against threat actors. For businesses that handle ..

Read more ›

The 4 Phases of Penetration Testing

So, you’ve done your research on penetration testing and are ready for the pentest engagement. But before you choose just any pentesting vendor, it’s ..

Read more ›

What is Web Application Penetration Testing?

Is your company in the process of developing a new application? There are a lot of moving parts involved in developing and deploying cutting-edge appl..

Read more ›