After making a few phone calls and obtaining a few seemingly innocuous pieces of information (we call them “building blocks”), we decided to make an attempt to obtain VPN access to their network. Through their audit, we had already obtained the Cisco VPN client and had numerous usernames and passwords. All we needed was a host name.
A Classic Pretexting Ploy
We tried a few different things, but it became clear pretty quickly that the most effective tactic was calling “work at home” employees and folks in the field. It’s been our experience that the further an employee is from the office, the less likely he or she is to adopt secure phone and email practices.
It was the standard spiel: we pretended to be calling from the IT support center at the home office, saying that we’ve noticed some anomalies on VPN access.
“It looks like people are not shutting down their connections properly and we need to check your settings,” we’d say.
Blah, blah, blah.
And as always, this caused a good deal of concern, since people wanted to make sure they were not the problem (i.e. in trouble). Everyone was very helpful. Incidentally, we also wound up answering a lot of tech support questions, like why their printer isn’t working or why their WiFi is so slow. We’re nice like that.
After several calls, we reached “Bob” and dove into the standard story. He seemed especially helpful throughout the troubleshooting process, so we went in for the kill. We thought we’d see if he would just read the host name to us. We quickly reached the moment of truth.
Us: “Bob, are you on the configuration screen? Do you see where it says host name or IP address? Ok, can you tell us what it says?”
Bob: “Um…I’m not really sure if I’m supposed to tell you that. How do I know you are who you say you are? Wait…do you really work for ABC Company?”
Us: “Um….yes. Yes, we do.”
Bob: “Ok! I just had to be sure.”
And just like that, he read us the host name, giving us everything we needed to connect to their VPN.
The Takeaway: Empower Your Employees to Say "No."
Though Bob made a (feeble) attempt at authentication, he failed because he didn’t know how to proceed once he’d reached that point. He was clearly suspicious, but had no real recourse.
It isn’t enough to just make your employees suspicious. You have to empower them to take action on their suspicion and give them tools and clear escalation processes. Let them know that they can say no. Give them steps to take or just good questions to use for authentication.
Otherwise, you may find your own “Bob” has handed over the keys to your kingdom.
Take Action: Training, Audits, and Security Awareness Campaigns
Perhaps this story hit home. Maybe you see a problem in your own organization—or maybe you just realized that your people don't know much about this type of social engineering threat. Don't panic. There's a lot you can do. Here are a few steps toward a safer (and more suspicious) employee culture.
- Develop clear policies and procedures for phone authentication.
- Engage your employees with interactive training that is customized for your industry and puts them in a victim's shoes.
- Keep security at the forefront with security awareness posters, newsletters, and campaigns.
And if you aren't sure where the problems really lie, begin the process with the most comprehensive security and social engineering audit in the industry. If sensitive information is slipping out of your company, find the holes and plug them before a security breach causes damage.