In 2012, a Wal-Mart store manager in Canada received a phone call from a “manager in the headquarters of Wal-Mart in Bentonville, AK” about a possibility of winning a large government contract.
During the course of this conversation, the “manager” took detailed notes of key corporate information from the questions he asked the Canadian store manager. From this he was able to obtain physical logistics details such as the janitorial contract, the cafeteria provider, staff schedules and pay periods. He was also able to obtain information on the computer systems in use at the store, along with critical details about the types of security measures in place.
The problem is – THERE WAS NO MANAGER IN THE HEADQUARTERS AND THERE WAS NO GOVERNMENT CONTRACT.
The call was part of a competition run by DefCon. DefCon is a hacker convention where hackers show each other their newest, cutting-edge hacking tips.
The “manager” had managed to get the identity of a real manager in the headquarters of Wal-Mart and used this to play a game of ‘capture the flag’ where he was able to capture all items of significance on a checklist in this competition.
Examples of Social Engineering
This is all social engineering. A great deal is done technically to thwart attackers when it comes to securing a network, including firewalls and desktop and server security software, but social engineering can completely circumvent all of these protection methods when people inside an organization so easily and willingly give away the information and the means to access it.
The following are examples of ways network hackers are using social engineering to infiltrate a network and how you can protect yourself.
1) Protect all personnel information
While it’s a nice touch to list your employees along with their job titles and functions on your corporate website, doing so also gives attackers access to this information and allows them to identify their targets.
Once an attacker has that information, it can be used to impersonate your personnel.
2) Track and record all available communication
This may sound too ‘big brother’; however, having this information and a record of communication in the event of an attack can help in tracking down the origin of the attack, making it easier to recoup any losses.
3) Make sure that all information given out is only given as necessary
Although in the example above it was a store manager who gave away the key pieces of information, it is more often an employee lower down the line, or a former employee, who exposes this information. By keeping key information only with those who need to know, you can eliminate the risk of that information getting out.
4) Formalize the flow of information
Sharing corporate information should never be done on a whim. Make sure an information sharing plan is in place with procedures for sharing company information. Social engineers can piece together information and do detective work to find what they’re looking for. With a formal structure in place, information leakage can be stopped at defined points.
5) Limit the channels that data can be shared on
Phishing is a form of social engineering. Digital communications, including email and social media, are most commonly the beginning of a social engineering attack. By limiting what can be done from within your organization, you can prevent your employees from being socially engineered into visiting malicious sites and exposing sensitive information.