This year was DEF CON’s 26th year. DEF CON, the world’s biggest security and hacking conference, is held annually in the warm Las Vegas desert. There were more workshops, information “villages”, presentations and events to learn from and flex your hacking muscles on than ever before. A handful of cyber-security consultants from Transcendent Group were present to soak up the dry desert heat and see the latest security trends.
Something that stood out among the cutting-edge “technical wizardry” and newly discovered weaknesses targeting cars, industrial control systems and the internet of things (IoT) was the age-old art of social engineering.
DEF CON hosted a social engineering village where live social engineering capture-the-flag events were held. Contestants competed for points based on the different types of information or actions they were able to elicit from their chosen target, relying solely on their social engineering skills. The highest-scoring flag was awarded for getting the victim to open a potentially malicious website on their company workstation – a technique commonly used to steal user credentials in real-world attacks.
Calls were made to real companies, including a few big names, from a soundproof booth where contestants worked their way through a call list. Ahead of the challenge they were only allowed some passive information gathering from open internet sources. What amazed us was how successful and trivial it still was for the attackers to get information, and even to get their victims to browse to websites, within a couple of minutes. Once or twice suspicion arose when the attacker chose a very brazen approach in an attempt to maximize their score. Mostly, however, the victims were happy to help out with the participants’ kind requests.
This is a reminder of how important it is not to underestimate the simplest of attack vectors when it comes to your organization’s security. People are usually inclined to be helpful towards others, and even if they are not, the attacker chooses a more compelling tactic such as a sense of urgency or authority. Armed with some open information, persistence and a telephone, attackers may gain the access they want without ever having looked for a technical vulnerability in your systems.
Social engineering, which includes phishing, is still rated as the number one way that attackers compromise their targets.
This is something that is really difficult to monitor and protect against. The key remains solid awareness campaigns that focus on human behavior and equip your employees with the ability to detect and react to suspicious requests more easily. This can be achieved with routine simulations using common social engineering tactics, measuring the organization’s resilience to understand the risk and to further adapt your strategy.
It is especially important here in Scandinavia, where we typically have a very high level of inherent trust and might be more inclined to fall victim to such attacks.