(ISC)² Twitter Updates

  • (ISC)² Twitter Updates

    Archives

    More...

    About the
    (ISC)² Blog

    • (ISC)² believes in the importance of open dialogue and collaboration, between both (ISC)², its certified members and members of business and society.

      (ISC)² established this blog to provide a voice to its certified members, who have significant knowledge and valuable insights to share that can benefit the information security industry, the people in it and the public at large.

      The postings on this site are the author's own and don't necessarily represent
      (ISC)²'s positions, strategies or opinions. (ISC)² does not control, monitor, or endorse any links provided in this blog and makes no warranty or statement regarding the content on any linked website.

      Those who post comments to blogs should ensure their comments are focused on the topic at hand. (ISC)² reserves the right to remove any post or comment from this site.

      Should you find objectionable content in this blog, please notify us as soon as possible at blog@isc2.org.

      Please click here for FAQs.

      Please click here for the Blog guidelines.

    « Habitual security - the way we do things | Main | Server side attacks vs User side attacks »

    09 August 2012

    Social engineering trumps Wal-Mart customer service

    This year's social engineering 'capture the flag' competition at the DefCon hackers' conference was won by a contestant who does social engineering for a living.  In the course of a 20 minute phone call, he successfully fooled a Wal Mart employee into revealing all the pieces of information he was after, even getting him to visit a website to 'complete a survey'.  Read about the con here.

    Aside from the Wal Mart story itself, the comments on the CNN article are just as telling. Even allowing for the fact that only certain people were inspired enough to want to read and respond to the article, some of them appear almost unbelievably naïve about social engineering. They don’t appreciate how straightforward these attacks are, and how sneaky and resourceful real social engineers can be when they have the flags in their sights. They don’t understand that they might be targets, having access to all manner of information and systems that would be of interest to the black hats. They don’t know how to spot, nor how to deal with suspected attacks. They think that social engineering is illegal, and that therefore protects them.

    Like I said, naïve.

    Wal Mart’s official response to the con was pretty good as such PR fluff goes – acknowledging they were fooled and agreeing to do something about it is a good start. I wonder what they will actually do, though, to improve their ‘staff training’. I rather suspect they are also naïve but hopefully they are learning quickly and changing fast.

    I hope Wal Mart's security people, if not general management, are familiar with books such as The Art of DeceptionThe Art of Intrusion and Ghost in the Wires by Kevin Mitnick, or Spies Among Us by Ira Winkler.  I hope they have absorbed Johnny Long's No Tech Hacking and David Lacey's Human Factor books.  Most of all, I hope they are actually using Rebecca Herold's Managing an Information Security and Privacy Awareness and Training Program to build an awareness program that covers social engineering, just one of many issues where awareness helps.

    Kind regards,
    Gary Hinson CISSP (and security awareness pro) 

    Posted by on 09 August 2012 at 03:46 PM in Authentication, Books, Confidentiality, Current Affairs, Ethics, Fraud, Games, Hacking, Hinson, Risk, Training |

    Comments

    Nice post. Social engineering remains the most effective attack vector till date.

    Posted by: Jeffrey | 10 August 2012 at 03:15 AM

    Thanks Jeffrey. I agree! In conjunction with physical site penetration, fraud and hacking, it becomes an extremely powerful technique, but even by itself it can clearly achieve a lot.

    G.

    Posted by: Gary Hinson | 10 August 2012 at 04:38 AM

    The comments to this entry are closed.

    Recent Contributors

    Past Contributors