Know your adversary: Focus on social engineering
In this podcast recorded at Black Hat USA 2017, Tim Roberts, Senior Security Consultant at NTT Security, talks about social engineering and emphasizes the importance of security awareness and security culture.
Here’s a transcript of the podcast for your convenience.
Hi, my name is Tim Roberts. I work for NTT Security Threats Services Group. We provide service offerings for offensive security testing. This includes network application, wireless mobile penetration testing, as well as on-site social engineering, covert physical, even overt physical offers.
With all of that said, as a security consultant, I get to see a plethora of different things. Things that work and things that don’t work; both on the technical side and the physical security side. My favorite type of assessment that we offer is a covert physical security assessment. Often times this includes social engineering assessments as well, and also red team assessments. This is kind of the whole thing, right? Several different attack metrics.
The attack metric that works the most and is still consistent with looking at trends, so compromises for example; some of the biggest compromises because somebody clicked on something they shouldn’t have. This is obviously a social engineering, and this is done often through email, phishing attempts, vishing over the phone, but even on-site.
The on-site thing, I love doing those assessments because it is a great opportunity to really help with security awareness. You do these types of assessments and then the next time you provide this awareness training to your employees and your company – you can also use that as learning tools. And that’s going to stick with somebody a little bit more than doing a quarterly or an annual point and click security awareness training.
Stay away from that kind of thing in the control of people searching for answers through another screen as they’re taking it, then they’re good for the rest of the year. I really like to harp on creating an environment where security culture and instilling your role as an employee here. And why is this is important to you and not just the company, but as an employee?
Why is it important that you are able to pick up and somebody, say I walk into a facility ‘Hey, I’m here, I want to apply for a job.’ Okay, have a seat. I go and have a seat. Then I start looking around for jacks and stuff, I’m digging in my bag, I’ve got a big laptop bag, why do you need that if you’re there for an interview? But I pull out a dropbox for example, and I plug it in, you have DHCP, now I have access to your system and say it has wireless on it and I go outside and I connect to the access point. Then I just drop into your lobby because you are connected to the network throughout the entire facility.
These are kind of on-site threats that you have to worry about and what I’m talking about, knowing your adversary. So, for example, a badge – sometimes people don’t think about these things. The thing that works for me the most is either ‘I’m here doing a – test your connectivity’. Then I plug in some kind of keylogger or like a LAN terminal or something like that. And then I’m able to get information that way.
You know, when I’m trying to manipulate a security guard, I do a lot of talks at conferences and one of our talks is specific for security guards where we target them specifically to see what they’ll allow me to do especially if I say ‘I am an auditor’. For example, I walk up to the security guard, I say ‘Hey, I’m doing…’ I have a fake badge around my neck or a badge sleeve I forged. I’m dressed pretty decent, matching the dress code and everything and I just walk over and say ‘Hey, I’m doing badge inventory’. Badge inventory? They didn’t even question that. I’m here doing badge inventory, I need to kind of see what your process is for giving active badges to employees that had forgotten badges at home.
And I had this clipboard with me, and I had a little list and everything. So anyway, this guard ends up walking me through the process and says ‘Yeah, I have a badge right here’. Shows me the badge binder and it has all these active badges in it so I’m able to go behind her desk, crack jokes, she’s flipping through the binder and what I’m doing is I’m taking them and running them across this. Inside I have a Raspberry Pi with a wireless on it so I’m able to connect to the wireless in real time. Then I got these proximity badge writers. I was able to harvest 20 badges, 20 active badges that let me in throughout that facility and additional facilities. So whatever that role is or whatever they were separated by their roles.
Security awareness training makes sure you are really focusing on social engineering and make it interactive. Make it fun, make it stick, and make it a culture. Thank you!