bill's blog

Social Engineering… the term always brings to mind my reading of Kevin Mitnick’s books. They are a true study of the art form. We as humans want to be seen as helpful and trusting. However, the reality is that the world can be a not-so-nice place. People can and will take advantage of us. Really… social engineering is about convincing people to willingly hand over information. Often the social engineer will use impersonation, bribery, deception, conformity or reverse social engineering to get what they are looking for. They will use small pieces of information to pry loose more valuable information. Very often the victim does not know that they are helping a “bad” guy.

Sales people use social engineering all the time. I get hundreds of cold calls a week. Often I tell the sales person they have reached the wrong place. That same sales person will then call one of my colleagues and say they spoke with Bill in the XYZ department. This gives the illusion that the sales person actually knows me, and my colleague may be tempted to give out more information on the strength of that. Unbeknownst to the sales person, “Yeah, I spoke to Bill in the XYZ department” is itself a signal to my colleague that I actually do not know this person.

Lying… trickery… duping… all words for the same thing. Words that have taken on a new meaning in the world of the on-line… connected… human! Words that have evolved into high-stakes games of misinformation, fraud and identity theft. Words that have taken on the new moniker of social engineering!

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying (wikipedia.org, 2010). So what does this all mean? Well, how many times have you answered the phone and the person on the other end of the line starts asking you questions about your mortgage? Wanting to help you reduce your rates! They start with benign questions and then move on to more personal information… such as your date of birth or, heaven forbid, your social security number. And you’re happy to give that information away in exchange for $200 off your monthly expenditures!

Or how about that cold call asking if you’re in charge of the network infrastructure at your place of employment? Or perhaps they want to know what routers you use or the brand of toner you purchase. Sure, they may be mere cold calls… BUT they could be so much more. Social engineering is not about knocking at one door to see who answers; rather it’s about gathering as much information as possible and using what was learned in previous calls to further the manipulator’s efforts to make inroads into an organization. Each answer, harmless on its own, becomes the pretext for the next call.

In his book The Art of Deception, Kevin Mitnick goes to great lengths to illustrate the ways in which we can be tricked into revealing information that may be commonplace within an organization but, in the hands of an outsider, can be very damaging. In a 2006 interview with Tom Espiner, Kevin Mitnick shared his thoughts on what signs to look for in a possible social-engineering attack:

Mostly, it’s gut instinct–if something doesn’t look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that’s a red flag. If they make a request that’s out of the ordinary, that’s a red flag. If they make a request for something sensitive, that’s when verification is necessary, depending on company policy (Espiner, 2006).

Honestly, The Art of Deception should be required reading for anyone responsible for security in any kind of organization… especially IT and HR departments! Social engineering needs to be addressed. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions (Coffee, 2006). Employees need to be educated about the various forms of phishing and other social engineering practices, both when using the Internet and when answering the phones (Heese, 2007).

At the end of the day, humans have a need to help others. It is ingrained in each of us. We have to get in touch with our inner selves… that part of us that screams out that something is wrong. We need to listen to that voice and heed its warning.

Resources:

Coffee, Peter (2006, August 14). Security Success Depends on Good Management. Retrieved July 6, 2010, from http://www.eweek.com/article2/0,1895,2001478,00.asp

Espiner, T. (2006, June 14). Kevin Mitnick, the great pretender. Retrieved July 6, 2010, from http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html

Heese, W. (2007, February 21). Computer system security policies – key trends. Retrieved July 6, 2010, from http://weblog.randomdog.net/?p=942

Various (2010, July 4). Social engineering (security). Wikipedia. Retrieved July 6, 2010, from http://en.wikipedia.org/wiki/Social_engineering_(security)