Image
“To be of any use for security protection you have to think like a ‘real social engineer,’ you need to understand the brazen dedication these people have to being rogue— forget some American retail giant and look closer to home."Let’s look at being someone you are not 'in the wild.' For me, at work, I simply print a realistic photo ID card and dress accordingly for the pretext I am working with that day—a suit for a businessman, jeans and a t-shirt for a casual workplace, a teller's uniform for a bank. I have fake business cards and usually a fake letter to enforce this pretext, but the biggest thing I have with me on the day is the knowledge that if I get caught, I won’t have ten years behind bars contemplating the job. In the wild, we can learn a lot about the levels of preparation that are put forward for a big job. They won’t just order new uniforms from eBay and stroll in; they will make sure they look used and authentic. They wouldn't leave proving their identity to chance and counterfeit passports and photo ID would be obtained prior to the job. Planning for such an event 'in the wild' would leave nothing out of scope and nothing to chance. Staff would be followed home, petty theft prior to the event would obtain further information (think domestic burglary to obtain a laptop), and chuck in the sheer desire for wealth and to succeed, and you have a very malicious attack. Now isn’t the time to get scared or resort to morals because when you think like this, you have the personality that would empty the banks of a charity or take an elderly woman's life savings. It’s hard to forget whilst sitting in our comfy offices, swinging on our office chair the sheer savagery and evil that exists in this world. Throughout the industry, you do come across little gems of creativity that shine through, such as that which is found here. What I found amazing about this is the ingenuity and level of skill we are defending against. It is well documented. Already in prison for serious financial fraud, Neil Moore escapes using the social engineering skills we preach about to information security professionals every day. Some are complacent, as they have ample security measures in place already, but few look to see the details in this story. The prison is the pinnacle of security. It has all the security we can muster, yet the techniques and principles of social engineering do not care for it. We work alongside existing security principles, exploiting as we go; adapting transactions for own favour and reward, step by tiny step working towards our goal. We need to understand this mindset to realise how these people would exploit your organisation. Fraud and cons are evolving in the UK. No longer are they paper-based events in some dodgy London pub; they are amalgamating with technology and advancing at an alarming rate. Spurred on by laughable conviction statistics, the criminals are winning nearly every step of the way. The way organisations handle social engineering has to be adapted and bought into the mainstream security testing practice of every business. Criminals are done with the days of obtaining credit cards – they are £5 each and not worth the hassle. Attackers are moving towards your business and looking at your balance sheets with mouth-watering appetites. Only a fool would think they are secure and that an internal team of security practitioners could possibly cover every last attack vector. It’s time to look at the underground ways of Britain and shine some light on them – this is the only way we are going to get wise about it all and stamp it out. Britain loves a good social engineering film, like ‘Dirty Rotten Scoundrels’ or ‘Catch Me If You Can’ from across the pond. But surprisingly, few businesses relate these blockbuster films with day-to-day life and that is worrying, although hardly surprising. Many companies have benefited from our advice already – information from our reports has improved profits, social media presence, business communication efficiency, trust with investors, staff safety and of course, security. So, please remember social engineers aren’t a rare thing. It’s time you considered the impact they could have against you.
Image
