What Info Could Social Engineers Get From Your Employees?

Wombat recently sponsored the Social Engineering Capture the Flag Contest at the popular DEF CON conference in Las Vegas. In this unique contest, social engineers are put to the test. Twenty social engineers gather to test the human element of ten companies’ security force. The goal of the contest is to earn points by gathering “flags” of different info from the employee on the phone. Some examples of the questions the social engineer ask are:

- What browser do they use?
- What version of that browser?
- What anti-virus system is used?
- What operating system is in use?
- Who is their 3rd part security company?
- Asking them to visit a fake URL (one of the larger point items)

Now why would anyone want small bits of info from the employees? Every piece of info helps a hacker. Knowing just the operating system and the browser can help hackers design their way to the info they’re looking for.

The contest participants begin their research on target companies prior to the event by collecting any info they can online through public sites such as LinkedIn, Twitter, and other social media or public listing sites. The research during the live event varies. Some participants took the route of saying they were a student, journalist or another common role. A couple other participants took a bolder step by pretending to be managers or executives from within the company.

So, what info was gathered? What could the social engineers get the employees to admit over the phone?

- Browser versions
- Network security software brand
- Types of security training for employees
- Got the employee to visit the suggested link
- Wireless capability
- Mail versions and updates

On the other hand, some of the participants were stopped in their tracks due to strict security policies in place with the employees. A couple callers tried to access hotlines and ask questions but the operator requested an employee ID number and wouldn’t let them go on further. Other employees either transferred them around or simply stated they could not give any information out.

While this contest can reveal the weakest link in a company’s security efforts, it can also show the most powerful tool - employees. Social engineers can get info from them in the least expected way. But when employees are trained and aware of the dangers present to them, they have the knowledge and tool sets to resist against social engineering attacks.

The full report of the SECTF contest from DEF CON will be available this fall and we will report on the results. For more information on how your employees can recognize and avoid social engineering attacks, read more info on our social engineering training module.