I was struck by the lead of Kelly Jackson Higgins’ article on the Defcon Social Engineering Contest:
> Walmart was the toughest nut to crack in last year’s social engineering competition at the DefCon hacker conference in Las Vegas, but what a difference a year makes: this year, the mega retailer scored the worst among the 10 major U.S. corporations unknowingly targeted in the contest.
So time is a fascinating place to put the credit.
> “Last year, the retailers just shut us down big-time, but this year, retail was the most forthcoming,” says Chris “Logan” Hadnagy, a professional social engineer with social-engineer.org who heads up the contest. Walmart and Target ended up with the highest scores, which means they did the worst, he says, with Walmart gaining the dubious distinction of performing the worst by exposing the most information both online and when its employees were cold-called by the social engineering contestants.
It’s almost enough to make me question whether a social engineering contest is a replicable test.
Don’t get me wrong. I don’t mean the lack of rigor as a condemnation: real world social engineers will fluidly shift tactics to whatever they think will work, and if you don’t have good technology and processes in place, you’re likely to lose to an APT (amateur persistent talker). But it does raise the question of what we can learn from a contest.
At the same time, I don’t think that a contest structured like this is intended to compare year-on-year performance of an organization.
So what can we learn from the contest?
- Social engineering works. This may appear to be a “duh”, but we need to start from there because:
- Our defenses often don’t work. As I discussed at Black Hat, and blogged recently, we need to go beyond the computer and think about the set of attacks that work, not the set of attacks we’re interested in addressing.
- We should fix that. Even though it’s hard. It’s part of the job your management expects of the security team. Exposing offensive and defensive techniques might create a feedback loop and let us learn to do better.
So let’s look at one of the elements exposed in the contest, and think about how to address it. Let’s start with the “who’s your cleaning company” questions. These are classic. You find out who the cleaning company is, eBay yourself a uniform, and boom, walk through the door to collect circular-file data. Frank Abagnale did it in the 60s, except he used uniform supply companies. And we still, 40 years later, fall for the same sorts of tricks, because we focus too much on the computers and don’t think well about these attacks and the defenses.
Obviously, the uniform attacks matter more if you don’t have badges and strong issuance processes. But even with those, you also need to motivate your cleaning company employees to question someone who shows up without a badge and tries to work. That’s tricky, because it’s unnatural and feels confrontational and suspicious. What’s more, sending a new team member home means each of the remaining cleaners will work that much harder. But they’re part of your security perimeter, so what do you do? You motivate them. Give them a carrot for asking good questions. How? Let’s say someone shows up without a badge. Have a checklist for your receptionist and cleaning crew. Have them call security or a manager. When they do, reward them. Give them a $25 gift card or some other pat on the back. That way, when the social engineer shows up, they get questioned. Maybe the questioning is apologetic, but you’re aligning the cleaners’ interest with yours, and giving them social reasons to overcome the awkwardness that a question can entail.
In my day job, I’ve spent some time thinking about how to make effective training, and some of this thinking has gone into, and come out of, that work. For more, including properties of good advice, see “Zeroing in on Malware Propagation Methods,” starting on page 29.