Social Engineers Are Not Friendly Train Conductors

Social engineers may not drive a train, but they will be very friendly to you until they get what they want from you. What they want can vary from access to your building or a restricted area to stealing sensitive information regarding a project or proprietary company secrets. These are just a few of the reasons a social engineer might target you; there are many more based on where you work and what you do. Even if these reasons do not seem to apply to you, you have more usable information than you might think. A corporate spy looking for information about a certain project may target someone farther away from the project and use social engineering techniques on them. They may strike up a conversation with you and steer it towards what they want to find out about. For example, even though you may not be working on a particular project, or may only be working on a low level of it, a crafty social engineer will count on you being friendly and chatty about work. You could say something that you think is harmless, such as being ticked off that your boss or the project manager leaves at the same time every day while you have to stay later, or that your friend who works on that project said she got yelled at for leaving her computer unlocked or files out when her boss does the same thing all the time. In these two examples, you just told the corporate spy that an office is left unattended at a certain time, or that computers are left unsecured and files are left out in the open. It’s all right to be friendly, just watch the “over share.” I know it’s hard not to talk about work because it is such a big part of all of our lives, but just be careful how friendly you are and with whom. This also applies to friends (or people who you think are your friends) within the company. One small slip to a friend in another department and now two departments know about a situation, and so on and so on. Don’t be afraid to sound like a jerk and tell people you can’t talk about that topic.

Since the social engineer is counting on you to be friendly and polite, an effective technique they might use to gain entry to your building or a sensitive area is pretending they have misplaced their ID badge. ID badge security is a subject I approached in an earlier blog, but I didn’t really touch on this aspect of it. If someone is hanging out around a secure door and asks you to get them in because they forgot their badge, please be a jerk and don’t let them in. Follow your building’s or company’s security policy on forgotten badges. Even if you recognize the person as an employee, don’t let them in; make them follow the policy. It’s not your fault or your problem that they forgot their badge. You may feel bad about making them go out of their way to gain proper entry into the building, but think of how much worse you would feel if you were the one to let in a thief, or even worse, someone who hurts or kills someone. The reason I mention not letting someone in even if you know them to be an employee is that chances are you wouldn’t know the current status of their employment. They could have been fired very recently and be trying to get back into the building to seek revenge on the person they feel is responsible, or to steal sensitive information or property. They are counting on you being friendly. Be a jerk – don’t let anyone in without proper identification.

Another example of a social engineering technique that relies on you being friendly and polite is a tech person saying they need to do upgrades on your computer that you know nothing about. The social engineer who uses this technique is counting on you not being a jerk by checking up on the legitimacy of the upgrade. They are hoping that you will figure you just missed the email and let them at your computer. Even if the tech gives you a sob story, be a jerk and check it out before you let them anywhere near your computer. Even if you don’t have sensitive information on that particular machine, malware, worms, viruses, key logging software, or back doors can be loaded onto your machine to seek out other machines or servers that may have more sensitive information on them.

I guess you could say that the lessons behind this blog are: be friendly, but not too friendly. Being too friendly could cost a lot more than you could ever imagine. Watch the “over share.” Oversharing is rarely a good thing. Just think of all the Facebook and Twitter posts that you have read that have had way too much information in them. A social engineer is counting on you to overshare. But above all else – it’s okay to be a jerk sometimes! Think of it this way: would you rather be seen as an occasional jerk because you followed policy, or as the person responsible for the theft of sensitive information, property, or assets, or even worse, the loss of a life?

Stay Secure!