The Cyber Risk Report for November 7 through 13 covered the second consecutive Social Engineering Capture the Flag event that was organized by Defcon 19 (a prominent industry “underground” security conference). The event proposes a challenge to competitors with the focus of leveraging social engineering tactics to successfully obtain key company information from a list of prospective companies, with the ultimate goal (based on the past two years) of raising awareness of the threat impact social engineering has on organizations. Furthermore, the competition highlights the common tactics and aspects that social engineers employ. As this year’s competition drew to a close, the Social Engineering CTF Results Report (which provides a debrief of the event, outcomes, and lessons learned) puts an emphasis on the techniques utilized, and the reasons why the respective techniques ultimately succeeded or failed.
Today’s NCSAM Tip is on recognizing and avoiding the most commonly used social engineering techniques. The root of the problem is simple enough: people are too trusting of content on the Internet. There is a long promoted perception of community, information sharing, free items, help, and friendliness on the Internet that has lulled many into a false sense of safety or security. Unfortunately, the reality is that just about every “con, scam, grift, hustle, bunko, swindle, flim flam, gaffle, sting or bamboozle” known is alive and well on the Internet. When you more closely examine the social engineering techniques that are used by criminals on the Internet, you see they are often the same or variations of con games and scams that go way back, and that many people are familiar with. This too gives people a false sense of security in that many believe they can identify these malicious attempts to exploit them. But, many tests of these beliefs have shown that most fail.
Instead of looking at the complicated technical details or various techniques themselves, it is easier to see the human factors they are attempting to exploit. Cisco SIO did some research of those human factors commonly exploited in 2010, and included the findings in the Cisco 2010 Annual Security Report. What we found was that regardless of the technical details or specific techniques and variations, the attackers commonly attempted to exploit a short list of human weaknesses:
At Cisco we understand that the field of IT has grown considerably over the past few years, reaching the point where even professionals in the industry can have a hard time keeping up with everything that is happening in all areas. With groups like Anonymous and LulzSec taking down some pretty big names, it is clear that there is need for greater awareness of security and some of the issues that make security an interesting but ongoing challenge.