Humans, divulging details over the phone to social engineers, were not necessarily the weakest link; "information gathered on the internet allowed contestants to capture more than two times the amount of points gathered in the live call portion of the contest." The findings illustrate that:
While there continues to be improvements in the quality and preparation of the contestants, there have not been any significant improvements by companies to secure information available on the internet and educate and prepare employees against a disciplined social engineer. For example, one contestant was able to find an improperly secured help desk document that provided login credentials for the target company's employee-only online portal. It's disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited.
According to the report [pdf], the top flags gathered in the 2013 SECTF competition were:
- Specific Internet browser
- Operating system information
- Information on corporate wireless access
- Confirmation of a corporate Virtual Private Network (VPN)
- Presence of an onsite cafeteria
"The two most commonly obtained flags were the browser and OS of the target companies," the report explains. "With these two pieces of information, the simplest way for an attacker to breach network security would be through a targeted phishing email containing files that would either release malware or lead the target into clicking to a malicious website targeting vulnerabilities specific to their browser or OS."
If you are curious why something like a company having a cafeteria matters, it is because a malicious attacker will use any helpful tidbit to penetrate a company; learning about a cafeteria opens the possibility for an attacker to physically enter the building by impersonating a canteen employee or delivery person and collecting "information that may be improperly secured."
Any "privileged" info helps an attacker develop elaborate lies (pretexting) that could trick company employees into giving out more info. It also opens the way for an attacker with "insider" knowledge to exploit the "tribe mentality" during a call, for example by pretending to be an IT person at the company with the standing to ask software and network-related questions. In fact, "targets surrendered every one of the predefined flags at least once during the competition."
Hadnagy pointed out, "Even though social engineering has received major press, as well as been the topic for discussions amongst the security community and corporate America, it still proves to be a major threat and the easiest way in to most companies."
And these were the good guys simply competing in a contest. In the real world, an attacker will attempt any dirty trick to achieve his or her "treat."