Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Fake social media ID duped security-aware IT guys

Lucian Constantin | Nov. 1, 2013
Penetration testers used a faked woman's identity on social networks to break into a U.S. government agency with strong cybersecurity defenses

According to Lakhani, the fundamental problem is that people are trusting and willing to help others. Many also don't think it could happen to them because they don't have an important enough position within an organization, but they don't realize how their actions could help an attacker gain credibility.

The Emily Williams attack started by targeting low-level employees like sales and accounting staff, but as the social network around her grew, the attack team was able to target more technical people, security people and even executives.

The experiment also shows that attractive women get special treatment in the male-dominated IT industry. The majority of individuals who went out of their way to help Emily Williams were men. The team actually tried a similar test in parallel with a fake male social media profile and got no useful connections.

According to Lakhani, social engineering awareness training can help, but it's not going to work if it's done on an annual basis. It needs to be constant training, so that employees develop instincts. In fact, the organization targeted in this attack was doing security awareness training for their employees.

"In the military it's called situational awareness," Lakhani said. "We need to develop situational awareness for this type of attack."

Other recommendations that Lakhani made during the talk include: questioning suspicious behavior and reporting it to the human relations department, not sharing work-related details on social networks, not using work devices for personal activities, protecting access to different types of data with strong and separate passwords, and segmenting the network so that if attackers compromise an employee with access to one network segment they can't access more sensitive ones.

 

Previous Page  1  2  3 

Sign up for CIO Asia eNewsletters.