The Schmooze Strikes Back: Our Firewall Might be Up, but the Front Door is Unlocked
It’s the oldest trick in the book in the security industry: talking your way through corporate security measures. Popular media like movies and television shows portray hacking as a celebrated enterprise of geeks behind glowing computer screens who rarely make any sort of human contact. In the world of computer security, however, the bespectacled hacker at the keyboard is just as dangerous as the friendly voice on the phone or a uniform with a corporate badge walking confidently through the front door.
The Wall Street Journal is running a story right now about the revelations of modern penetration testing done by security professionals against much of the customer-centric corporate world. Many of these revelations aren’t anything new—the security of a wall is only as good as the people manning the front door, after all. An attacker might not be able to scale or breach a colossal fortress barricade; but, just like the Trojans, letting a bunch of the enemy in for the night because they looked inconspicuous will land you in hot water quickly.
The article tells a series of stories, including one about Shane MacDougall, the winner of a hacking contest called Schmooze Strikes Back, who used online videos of Oracle employees to accurately describe their employee badges. He used this information to contact a satellite office of the corporation and dupe an employee into releasing information to him about their OS and antivirus systems by posing as a government officer collecting information.
“What is the point of creating all these security measures if I can just schmooze my way inside?” Mr. MacDougall said.
The article mentions that customer service employees—and this includes employees who speak with other offices in the same corporation—act as the first line of defense for many companies. However, they’re also the primary point of attack for hackers using social engineering to gather information or penetrate defenses. In fact, while most hackers will content themselves with using social engineering to pull records on specific accounts and customers (often for purposes of identity theft), others will use it as a pretext to open up an avenue for deeper penetration.
In the past, major corporations defended customer information from such attempts by outsiders to gather it by asking less-well-known questions about addresses, middle names, or Social Security Numbers. But the ubiquity of social media such as Facebook, where people share this sort of information constantly, makes these somewhat obscure data points easy to gather. Banks will often also ask for the last one or two transactions on the account in order to authenticate the caller.
However, as with all security, there’s a risk/reward trade-off between keeping the customer secure and keeping them happy. The more security between a customer and their account information, the harder it is for them to go about their daily life—for example, having to answer three random questions each time I call in to pay my credit card bill could get extremely tedious.
The ideal here isn’t to find a trick that will increase security at the front door with the customer service agents; it is to decide where the demarcation line sits for information and authentication. The front lines need better training as to when they should contact a supervisor to intervene—thus creating a record trail of the possible social engineering attempt should it succeed—and the information available to them without that intervention should be limited. Someone pretexting for information that’s the common trade of customer service cannot be stopped anyway, so it will come down to documenting the interaction and determining how to aid the customer (by rolling back a transaction or resetting their security) or escalating the event further up the chain to prevent a larger breach.
Humans are social creatures. They want to be helpful, and employers often don’t realize that although giving customer service representatives greater access to information does greatly increase their ability to make customers happy, it also makes them prime targets for social engineering.