During the day that CSO watched the SECTF contestants in action, participants confirmed things such as names, OS versions, browser usage and preference, and what types of third-party software were being used. The people on the other end of the line freely offered other information as well, including personal histories and insider data on development plans and pending projects. Break schedules were also discussed, offering a map of when the employee would be at their desk or away from the office.
On their own, none of the flags obtained during the calls were all that valuable, but when combined, they're a wealth of information to an attacker. Knowing that a company has Windows XP, and that their employees are either forced or prefer to use Internet Explorer, creates a clear attack surface to target. Follow that with the knowledge that the company uses Adobe 9.x for accessing PDF files, and things start to look grim.
Posing as a corporate compliance officer, Christina spoke to a person working for a subsidiary of her target company, which was the only option because the company is so large that all of its business runs through the satellite firms. She obtained all of the aforementioned flags, in addition to getting the person on the other end of the phone to visit a website of her choosing. Had her call been a real attack, the game would have ended the moment the person on the phone loaded the webpage. The flags were obtained, and the website loaded, in less than twenty minutes.
There's light at the end of the tunnel though, because some of the targets in the SECTF event refused to share information, and at one point the person at the other end of the phone told the contestant that they couldn't share a phone number because company policy prohibited it -- alluding to the fact that there was some type of awareness program in place.
The problem is, while a contestant would give up (and did give up), a real attacker would press forward. Eventually, there will be a crack in the company's armor, someone will ignore policy and help the person calling, and that's exactly what a social engineer is looking for.
The point of all of this, and why the SECTF event is so controversial to some, is that it highlights a fundamental weakness in the security chain that is forged in policies, products and services: people. Humans are helpful, they thrive on communication, skilled attackers know this, and they exploit it constantly.