BreachExchange mailing list archives

Major corporations fail to defend against social engineering


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 4 Nov 2013 23:50:23 -0700

http://threatpost.com/major-corporations-fail-to-defend-against-social-engineering

The annual Social Engineering Capture the Flag contest held during DEF CON
may seem on the surface to be just an opportunity for pen-testers and
hackers to flex their pretexting muscles. But if you’re one of the 10 major
technology, manufacturing and critical infrastructure organizations
targeted by this year’s contestants, you might want to re-evaluate how
well-equipped your staff is to ward off sneaky people.

Social engineering is the linchpin and launching pad for just about every
targeted attack that’s been made public. Hackers comb social media sites,
online forums, company directories and any other source of intelligence
available looking for an edge that will help them get through the front
door, or at least through the network perimeter.

The end result ranges from identity theft, to the loss of customer data, to
the loss of intellectual property or military/government secrets.

This year, a team of 10 men competed against 10 women, turning their skills
against the likes of Apple, Boeing, Chevron, Exxon, General Dynamics,
General Electric, General Motors, Home Depot, Johnson & Johnson and Walt
Disney Corp., targeting “flags” such as learning which Internet browser(s)
is in use at a company, operating system information, wireless access
information, whether a virtual private network is used by remote employees
and whether there is an onsite cafeteria.

Competitors had two weeks to gather open source intelligence data prior to
DEF CON, excluding onsite visits or phishing attempts; they were able to
use only Web-based tools in order to prepare a report on their targets.
Then, during DEF CON in Las Vegas, the competitors used that data in a
live-call session against their assigned targets.

“What was notable was the huge amount of information gathered during the
OSI portion,” said Chris Hadnagy, founder of Social-Engineer.com, and
organizer of the SECTF. “Previously, we’d see a handful of reports with
monster amounts of information. This year, there was an unbelievable amount
of information. One contestant found an Internet log-in page with a link to
a help document that did not require credentials. In that document, they
gave you an example of a log-in with a picture of a corporate ID that
worked and we were able to log in. Things like that are shocking in 2013 to
see.”

Perhaps as shocking is the volume and quality of information given up by
the target organizations. Regardless of industry category—be it
manufacturing, technology, retail, or energy, oil and gas—the contestants
were able to walk off with details on the browser being used in that
company, and version number; that was the top flag obtained throughout the
competition. Operating system information was also coveted and snared by
the competitors, as was whether a VPN was in use.

“Companies are still using browsers like IE 7, the majority are on IE 7.
That’s a major blunder in my opinion,” Hadnagy said. “They’re still using a
vulnerable browser and people were willing to give that information out to
strangers on the phone. It opens them up to a plethora of phishing, phone
and onsite impersonation.”

Knowing details such as the browser, OS or VPN in use lets an attacker
sound like a legitimate insider, lending a measure of credibility to a call
to internal support that asks for system access.

The competitors also were able to gain details that could enable physical
access such as the food service used by the organization and whether there
is an onsite cafeteria; these two details were among the top five sought
after and given up by critical infrastructure such as oil and gas utilities.

“How hard is it to obtain a t-shirt, ballcap or clipboard for the company
that does food service? How many times are you going to get stopped
carrying food into a building? No one stops you,” Hadnagy said. “You don’t
need a corporate badge to be invisible. This opens you up to impersonation
attacks.”

According to the scoring provided by the contest, Apple fared the worst,
followed by General Motors, Home Depot, Johnson & Johnson and Chevron.
Details on specific vulnerable areas were not made public, but are
available to the target companies upon request, Hadnagy said.

“This is my opinion, but most awareness training is not worth its weight,”
Hadnagy said. “The proof is in how easy attacks are carried out against
companies with regular security awareness training.”

Still, companies that do conduct training aren’t doing it regularly,
according to the results gathered. Some refresh less than annually, while
others went so far as to admit to the pretexters that they’d had it during
new-employee orientation and never again in the years since.

“The purpose for us holding this competition is to raise awareness of
social engineering as a threat,” Hadnagy said, adding that corporations
should consider social engineering as part of regular penetration tests.
“We’re seeing an increase of social engineering in pen-testing, but we’re
not seeing it accepted by many major corporations.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
