Social Engineering Schemes Target Humans, Not Technology

In the world of cybersecurity, it’s a well-known secret that the weakest links in every cyber defense strategy are humans, not technology. Many times, it’s simpler to blame technology, and then to look to technology to solve the problem. 

Arguably, the most (in)famous hacker is Kevin Mitnick, who used a wide variety of scams and cons to get the information he was after. Using only his acting skills, Mitnick was able to obtain passwords and gain access to dozens of computer networks.

It’s all about efficiency for hackers. Why spend hours breaking into a network when you can convince someone to give you a password?

Tactics of penetration testers

For penetration testers, an on-site visit is often used to test security processes and procedures. After obtaining written permission, penetration testers will try to “tailgate” into a building by following legitimate employees through secure doors. Other times, they will talk to the receptionist (or the “casual” security guard) to try to gain access. They will need a cover story, but that is easily concocted with a high-visibility vest, hard hat and clipboard.

More diligent companies will require that the receptionist or guard record the ID of the person entering. That is also no problem for a penetration tester. Thanks to the internet, there are dozens of websites that sell fake driver's licenses.

Customers of these sites are typically teenagers trying to obtain a fake ID to purchase alcohol underage. However, the fake IDs they produce are quite good. They even show the proper markings under a black light. Without formal training, most receptionists and guards would probably accept the fake IDs, especially if they are from another state.

Verify the story, not the ID

So what can we do? First, training to detect false IDs is important. More importantly, employees should be taught that an ID is only part of the story. If the visitor doesn’t have an appointment, or their story seems vague, a valid-looking ID won’t overcome that. You have to take into account the whole situation, and verify the story, not the ID. That means checking to see if maintenance really called for someone to come in and help with a malfunctioning air conditioner or smoke alarm. For example, you can ask for the name of someone who contacted the service and then actually call that person for verification.

Your first line of defense is the front desk

The fake ID example above highlights a common target of social engineering: receptionists.

Read the full interesting article at the source.

Source: Global Knowledge

