Combating the Threat of Social Engineering - Keep Employees From Becoming the Weakest Link
Published : July 28, 2010 | Author : nilambari
Category : Change Management

  
Smart criminals understand their success hinges on choosing the right opportunity to exploit a specific weakness. That's why burglars avoid homes with alarm systems, car thieves look for unlocked vehicles and muggers don't attack anyone coming out of a dojo wearing a white robe and a black belt. In other words, they go after the "lowest hanging fruit".

Similarly, criminals who use social engineering tactics seek opportunities where they can employ their unique methods of manipulation and deception to exploit the weakest link of the security chain. For the social engineer, that weak link is usually the organization's own people and procedures.

Unlike traditional security threats that can be thwarted by physical or electronic security precautions, social engineering tactics exploit the fundamentals of human nature. Our natural tendency to help others, our desire to avoid conflict, our fear of making mistakes and our fear of getting ourselves or getting others in trouble are all elements of human nature that social engineers consider to be vulnerabilities. In fact, professional social engineers are literally betting that their natural ability to manipulate basic human traits will create an opportunity in which the target can be turned into an unwitting accomplice.

And a seasoned social engineer knows exactly whom to target. Although top executives may have direct access to the most valuable information within the organization, social engineers realize it is much more complex and time-consuming to directly compromise executives. Instead they set their sights on low and mid-level employees. Receptionists, cleaning crews, tellers and even managers of remote locations are all attractive targets to a smart social engineer. After all, these are the employees who typically have limited security awareness training and would be more susceptible to manipulation and deception. These staff positions could also provide the criminal with access to sensitive areas during off-peak hours when the chance of being exposed is significantly lower.

Characteristics of a Weak Security Chain

Industry experts and government regulators agree that institutions most at risk of succumbing to social engineering tactics tend to lack (1) adequate policies and procedures pertaining to physical security, (2) a security awareness program that allows for training of employees at all levels, or (3) an established system of vendor and visitor tracking. These three elements are dependent on one another to properly defend against the threat of social engineering schemes. A deficiency in one area creates a significant vulnerability in the others, thus allowing an easy entry point for a savvy criminal to exploit.

Of course, professional social engineers know this information too. That is why tactics like the "Trusted Vendor" scenario - which can exploit numerous vulnerabilities simultaneously - tend to be highly successful at organizations that have inadequate policies and procedures, limited security awareness training and no formal system of tracking authorized vendors.

A Case Study in Social Engineering

Using only basic information-gathering techniques, it is not difficult to devise a plausible "Trusted Vendor" scenario that seems completely believable to an unsuspecting target.

For example, if a criminal's intent were to covertly gain access to sensitive areas inside a financial institution, he may choose to pose as a pest inspector. First, the social engineer would need to find out which pest control company the institution currently uses. Setting up surveillance outside a location waiting for the pest control technician to show up would take way too long. However, contacting the institution under the guise of a new pest control company looking to submit a competing bid may reveal the name of the current service provider. If so, the next step would be to get the actual pest control company's logo off the web to create a believable uniform using a "do-it-yourself" iron-on kit.

The social engineer could then use various social networks to find the names of some of the organization's managers and, if lucky, the days those managers will be out on vacation. A call could then be made to the branch receptionist late in the day under the guise that the manager requested he come treat the office immediately. The criminal could probably weave a convincing tale that creates a sense of urgency and also generates a reason for keeping staff members away while he is "working". One believable reason would be to claim management reported a rat infestation, but wants to keep it secret to avoid alarming the rest of the staff. Upon hearing that type of disturbing news, any suspicions that may have existed toward the pest control technician are probably replaced with anxiety over the nearby rat infestation. The criminal could further increase his chances of avoiding exposure by scheduling an after-hours appointment when he'd be free of prying eyes and have more time to snoop for sensitive information.

This scenario also offers a perfect opportunity to perform another favorite social engineering technique, dumpster diving, without raising any suspicions. After all, who is going to suspect a uniformed pest control technician is doing anything but killing rats inside a dumpster?

You may think this is only a worst-case scenario, but companies that specialize in social engineering testing can attest that this type of situation happens with alarming frequency.

This example illustrates that without adequate safeguards in place to combat social engineering threats, several weak links can exist along the security chain. But it also demonstrates that strong policies and procedures along with adequate training could have thwarted the social engineer's efforts.

Reinforcing the Chain

Employees are the first line of defense against social engineering schemes. Therefore it is imperative that management provide them adequate tools to combat would-be scammers, including:

  1. Comprehensive policies and procedures that go beyond the obvious threats and address scenarios unique to the organization
  2. Security awareness training that includes custom role-based training for positions most vulnerable to social engineering tactics
  3. Systematic controls like a shared vendor/visitor tracking system that accounts for local vendors at remote branches
  4. Frequent reminders (emails, posters, tip of the week) to staff about the organization's commitment to security

The most advanced firewalls, intrusion detection systems, and video surveillance cannot offer much protection against social engineers who use unsuspecting employees to breach security and access sensitive information. The best defense is a well-trained and well-equipped staff that understands its role in protecting the interests of the organization. And it is up to the organization's management to provide their staff with the training, guidance and tools to effectively combat this growing threat.

For more information, contact David Blazier at (225) 612-2121 ext. 31062 or davidb@tracesecurity.com.

By David Blazier

 



