Large Enterprises Fail Social Engineering Tests

Some of the biggest companies, including Apple, IBM and AT&T, were easily tricked into giving up potentially sensitive information during a contest which featured a variety of social engineering attacks.

The Social Engineering Capture the Flag contest targeted 14 companies in five different industries, including retail, airlines, food service, technology and mobile services, during the DefCon conference in Las Vegas in August.

Grift of the gab

Contestants tried to ferret out information from employees at Apple, AT&T, Conagra Foods, Dell, Delta Airlines, IBM, McDonalds, Oracle, Symantec, Sysco Foods, Target, United Airlines, Verizon and Walmart using social engineering techniques, according to a post-mortem report released by Social Engineer.

Contestants had to obtain certain types of information, “flags” from various companies during a 25-minute time period. There were over 60 flags, representing non-sensitive data, but still information about the companies’ inner workings, such as names of the food service providers in the company cafeteria, antivirus programs deployed and the browser version being used.

None of the 14 companies succeeded in keeping the information away from the attackers, according to the report. Only three employees offered any type of resistance, the report found.

“Many companies have the mentality of ‘It won’t happen to us’ or ‘Our people won’t fall for that’. The sad truth is, those are the very people that will, and do, fall victim to these attacks, as demonstrated by the contest,” said Chris Hadnagy, lead developer of the Professional Social Engineering Team at Social Engineer, who organised the contest. Hadnagy is also author of Social Engineering: The Art of Human Hacking.

Of the firms tested, AT&T received the highest overall score and Oracle received the lowest. However, in a real-world situation, both companies would have failed the social engineering penetration test for giving up any information in the first place, the report said.

Employees too weak

Contestants had two weeks to gather information and research their assigned target using passive information-gathering methods, such as Google searches and looking at social networks and Websites. The Contestants compiled their data in a “dossier,” turned in prior to the conference, which was used to calculate part of the overall score for each contest participant. At DefCon, the contestants sat in a soundproof booth and were allowed to directly contact the company and given 25 minutes to collect as much information as possible.

All of the targeted companies’ employees were persuaded to visit a URL the caller requested, according to the report. Considering the number of times attackers compromise a company by infecting one machine with malware downloaded from a dodgy Website, the fact that the employees were easily convinced to go to the link was worrying, according to the report.

A contestant called an AT&T retail outlet and had difficulty getting the employee to provide any information, which was a positive sign, since it meant the employee was thinking about what was appropriate to divulge. However, the contestant discovered it was just a matter of calling a different AT&T employee at that location to get the same information instead.

Many of the firms gave up the information online, allowing contestants to collect their flags even before the phone call. Open FTP servers and internal and external Web pages yielded a lot of information, making it much easier for the contestants to create convincing phone scripts.

Pass it up policies

It is one thing to teach employees policies, but better to teach them what to do when they are asked to violate policy, Jim Stickley, CTO of TraceSecurity, told eWEEK in an earlier interview. Stickley uses social engineering tactics when auditing security measures at banks and credit unions around the country. Instead of teaching “Don’t give out private information over the phone”, employees need to be told to say they cannot do that and to offer to transfer the call to a senior manager, Stickley said.

This year’s report drew nearly identical conclusions as last year’s report, which also found that companies were not adequately training their employees and motivated attackers could use publicly available tools to dig up a wealth of data in a reconnaissance mission. The barrier of entry for social engineering attacks “is very low”, the report concluded.

Despite investing millions of dollars in security annually, the companies are doing a poor job of training employees to spot and rebuff attempts to disclose information or to perform certain tasks, the report concluded. Employees contacted by phone were inclined to be helpful, especially if the caller claimed to be a customer to legitimise the social engineering interplay, according to the report.