Tuesday, March 24, 2009

Social Engineering 101

By Andrew C. Hopkinson

“On Aug. 17, 2004, security officials at the Nuclear Regulatory Commission (NRC) started receiving reports of a spree of thefts at agency headquarters in White Flint, Md. About $800 had gone missing in the space of a few hours and it looked like an outside job. Report No. 08-21 described a typical encounter with the unknown suspect. Now you might ask how someone could enter such a secure facility and steal in our post-9/11 world. Enter Ameenah Franks, a 19-year-old young woman with straight black hair that hung past her shoulders. Her excuses were often flimsy inventions, but people don’t like confrontations. They feel they’ve done enough if they ask a question and get an answer. Elsewhere around D.C., at other highly secure federal buildings, similar thefts were causing frustration among security officers. There were reports of missing cash and electronics at the Federal Aviation Administration, the Department of the Treasury, and the Government Accountability Office. The suspect had a keen, uncanny sense for the weaknesses of office dwellers, even in government offices where employees should know better. These complexes are not a tourist destination, as armed guards will inform you. Visitors need to have verifiable business in the building and must provide photo ID. Bags get scanned, people get the metal detector. Employees must show a badge with their photo and job title.”

So how did she get in? “Social Engineering 101”: she would stand outside a facility, sometimes where smokers congregate, and strike up idle chat. She would get a name or a department, and when the employees of the building were going in she would follow as they held the door for her. Once inside, she would say she was going to meet so-and-so in the HR department, or whatever info she had engineered, and off she went. A simple knock on an unlocked closed door would grant her access to an office if no one inside confronted her, and if they did she would simply apologize for the intrusion and move on. If no one was in the office she would enter, where there was more information and small items she could steal to resell, or a pocketbook with petty cash.

One example I use in teaching security guards is approaching and striking up idle chat about the weather, the economy, etc., then asking if they always work the day shift, because I have a night job and miss working days. The questions are simple and leading, often setting up additional leading questions such as, “I guess you work alone during the day?” A simple reply often is, “No, there are four of us during the day, but only 2 at night; that’s why I don’t like working nights.” What have I accomplished in several minutes? I now know their security posture in a 24-hour period.

So now you are asking yourself, what does this have to do with self-defense? In a world full of predators, we don’t often look at the identity thief or social engineer as a predator, when in fact they are now at the top of the food chain. Take, for instance, online sexual predators, who often engineer information from unsuspecting children and teens. Now do you see where I am going with this? We need to educate our children and family members to be aware of social engineering techniques, whether by telephone, internet or in person. I can ascertain names, ages, schools and locations just by sitting across from a group of teens at the mall. What would a sexual predator do with the same information? Would he follow one out of the mall and use this information to lure the unsuspecting child into his vehicle, or close enough for abduction? Just because someone knows your name, or the name of your parents, or what school you go to, does not make them a friend! In this age of abundant instant information, it is imperative we educate not only our children and family members but ourselves. If someone you do not know is asking a personal question, that is a RED FLAG!

Remember, most people avoid confrontations. If you feel uncomfortable, it is your subconscious mind doing its job of protecting you, and you had better listen loud and clear! Remember, your safety and the safety of your loved ones begins and ends with you!

Stay safe,
Andrew
