Blog: How-Tos

Simple steps to stop Social Engineers

Tom Roberts 01 Oct 2013

While it does seem odd that a social engineer would give the most effective ways to stop him doing his job and thus making his life that much harder, my ethics scream that if I’m not winning then everyone else is! Here are some very simple steps to stop many of the inroads people can make into your personal or work life.

One

“Keep it secret, keep it safe” – Gandalf (Lord of the Rings). This may seem like a no brainer but if something needs security applied then you should work on it in non-public spaces. As a social engineer I have many times seen people on public transport or in very public areas working on documents with headers like RESTRICTED or CONFIDENTIAL or CLIENT IN CONFIDENCE. These types of documents are marked like this for a reason (and if they aren’t then you should look more closely at your protective marking scheme or how you determine how sensitive documents are made so).

Many people don’t understand the full technicality of how or why a document is marked up in the way it is, but IF it is then it should be treated with the care it deserves. You wouldn’t want your doctor reading your personal records on the bus in the morning for all to see over his shoulder. Your client has similar views about his private information. This includes discussing private information in public spaces. If you MUST do such things then keep specifics to a minimum and talk about generics. “The client is upset our delivery is delayed” is going to be less of an issues than “Client X is refusing to pay their bills because we haven’t made the changes to the security after the pen test”. The latter is asking someone to have a poke into possible insecure systems before they get patched or corrected.

Two

Don’t give away information that you don’t need to – Stickers and badges can indicate where you work, where you live or even infer information about you that you may not intend. Giving up this kind of information may make you a target if someone is looking to infiltrate your company or your personal life. If you stand in the coffee shop with your name badge while waiting in line I may infer your name, where you work and even possibly the type of work you do. It may then be trivial to call up the front desk and ask for you personally. Meanwhile I could pretend to be your bank, a supplier or a client. The fact I called you direct and gave your name, means you may be more likely to believe me.

If someone calls and asks for personal information, check these things – do they need to know it, do they have a right to know it, do you want to give it to them? If the answer to any of those is “no” then think twice before providing it. If I walked up to you in the street and asked for your home address and hours you worked (thus telling me the best time to rob your house), you’d tell me to take a running jump. Same goes for cold callers and people you don’t know who randomly walk up to you at work asking for info they have no business needing or knowing.

Three

Shred it – Rubbish and bits of paper can be used to facilitate other forms of ID or be used as “proof” of identity. Don’t think that people are beyond rooting around in the trash to get what they need. Where there is muck there’s brass as they say in parts of the UK. If it has your name on it or your companies name on it… shred it with a suitable cross cut shredder.

Four

Get decent locks – If Fort Knox had a paper door to the safe everyone would laugh. It’s all too common to see highly sensitive and expensive equipment or rooms secured with a lock that is little more than deterrent. Electronic locks should log time and date and be regularly changed so that staff who leave or visitors can’t detail them to others who may abuse them. Leaving the same PIN on a security door for 10 years is likely to mean there are a lot of people who know it that may not work for you. You wouldn’t give a key to your front door to anyone who visited you house… the same applies to companies and their physical security.

Five

Block Tailgaiters and stop shoulder surfers – It’s all too common in an office to be polite over being secure. It’s easier to hold open the door than to confront someone and ask them to show their pass or validate themselves. Unless you work in an office of only a handful of people you are unlikely to know EVERYONE who works there. This makes it easy for someone to “look the part” and pretend to be part of the crowd and walk past highly expensive security systems that are rendered useless by someone who holds open the door to the pretty girl who you haven’t seen before, or the guy with the nice smile and polite manner. When you are entering a security password or PIN make sure you make it hard for someone to trivially watch you over your shoulder. Is that guy behind you in the line at the coffee shop on his phone actually filming you enter your PIN on your credit card as you pay (believe me this happens)? Why take the chance and carefully obscure the pad with one hand.

Six

Clean Desk, Clean Car, Clean Slate – After hours all that stuff on your desk you don’t want anyone to move because your life is too hectic to put it away is wonderful to read. It can contain notes, passwords, schematics, names of contacts and a variety of “breadcrumbs” for attackers to follow up on. You wouldn’t leave your credit cards on the dash board of your car when it’s parked overnight in the street (well we hope not) as it’s an invitation to thieves. Social Engineers are just burglars in suits and the they don’t want your credit card, they want the database passwords to ALL the credit cards. Don’t leave something out they could easily manipulate or copy or steal.

Seven

If you wouldn’t tell everyone, then it’s probably best not putting it on the internet – The internet is a wonderful tool. It has open frontiers of information sharing never before thought possible. It’s also made it easy to put the most embarrassing, sensitive or generally inappropriate material on websites and public areas. If you wouldn’t want the information you are about to post to be known by everyone you work with (and I mean EVERYONE) then think twice about putting it on a web portal. This also goes back to not being a target. Putting that you are in charge of a multi million pound account for Client X might make your ego swell and make you more employable, but it also give your competition an “in” into stealing that client from you or using that information to jeopardise them, thus possible putting you out of work. That won’t do your ego or your wallet any good. Don’t think that anything is “private” on the internet. Chances are it’s not and what you think of as privacy, probably isn’t.

Eight

Live and Learn – If you make a mistake, come clean, and get it fixed as soon as you can. If you are a boss then you should engender an ethos of fair disclosure. If someone admits to something that may be a security issue, don’t chastise, rectify and train. Scared people who fear for their jobs will hide security issues for fear of retribution. This means it may go unnoticed or even worse the staff may try to cover it up. This could leave a potential security hole in your system for a very long time.

If you do make a mistake, Don’t try to fix it yourself unless you seek professional advice or know EXACTLY what you are doing. The act of trying to fix it may cover potential evidence if it created a security incident and may only act as trail to your own door and hide any real attacker while you take the blame. The faster and more honest you are the less the impact. The one point I will make, don’t make the same mistakes over and over. Once is forgivable, twice is less so, more than that and you are not showing that you can adapt and learn from your mistakes.