Anyone with access to any part of a system, physically or electronically, carries at least the same potential security risk as the IT systems themselves.
Why test the strength of your organization’s people? One simple word: Limbic.
The primary area of the brain that deals with stress is its limbic system. Because of its enormous influence on emotions and memory, the limbic system is often referred to as the emotional brain.
The term “stress” is short for distress, a word evolved from Latin that means “to draw or pull apart.” The Romans even used the term districtia to describe “being torn asunder.” When stressed out, most of us can probably relate to this description.
The overall goal of social engineering tests is to attempt to influence and manipulate human behavior in order to penetrate IT systems or uncover information that could lead to the theft of sensitive or proprietary data and/or the wrecking of a company’s reputation. The thought of an unhappy customer, or of a lost job and paycheck, can and will cause people to unwittingly cough up the keys to the kingdom of sensitive data.
Consider this scenario:
Someone plots to call your customer support/customer advocate department. This person attempts to collect username/password data over the phone that can lead to system access and the potential compromise of sensitive data.
Here is how it plays out. This person calls your business, purporting to be from a client who has lost his username and/or password. An urgent need exists to get into the system, and the usual personnel who hold the credentials are unavailable: fired, on vacation, etc.
They put your customer support person under stress, forcing a decision between hanging up on a very unhappy client (and facing the consequences) or appeasing the client by breaking policy.
The aim of personal persuasion is not to force people to complete tasks, but to enhance their voluntary compliance with the request. This can often involve stress. The target believes that they have no control of the situation, and that by helping out they are therefore exercising what power they have. The customer is always right, right?
This nefarious individual prepares background music and voice-overs. If trust is not gained during the phone call, the individual puts the CS rep “on hold” to speak to a manager. While on hold, the CS rep hears the music and company sound bites and may come to trust that the caller is physically present at that company.
While on hold, if there is doubt, the CS rep might read the caller ID and check it against the client file in the CRM/DMS/ERP system that the company uses. Because the nefarious individual spoofed the caller ID that shows up on the CS rep’s telephone, further trust is gained.
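As an added illustration (not code from the original post), here is the caller-ID lookup from the scenario as the CS rep performs it, alongside an out-of-band callback check that refuses to rely on the displayed number. The CRM record, contact name and phone numbers are constructed sample data.

```python
# Added example, not from the original post. The CRM record below is constructed.
from dataclasses import dataclass, field

CRM = {
    "acme-corp": {"contact": "Jane Doe", "phone_on_file": "+15551230100"},
}

@dataclass
class Call:
    claimed_client: str
    displayed_caller_id: str       # what the CS rep's phone shows; caller-controlled
    urgency_claimed: bool = False
    hold_music_heard: bool = False

def weak_verify(call: Call) -> bool:
    """The check from the scenario: trust the call if caller ID matches the CRM.
    Caller ID is asserted by the originating side and can be spoofed, so a match
    says nothing about who is actually on the line."""
    record = CRM.get(call.claimed_client)
    return record is not None and call.displayed_caller_id == record["phone_on_file"]

@dataclass
class Decision:
    release_credentials: bool
    action: str
    risk_flags: list = field(default_factory=list)

def out_of_band_verify(call: Call) -> Decision:
    """Hardened handling: never release or reset credentials on an inbound call.
    End the call and dial the number the CRM already holds, not the displayed one,
    and note the pressure cues from the scenario for the ticket record."""
    record = CRM.get(call.claimed_client)
    flags = []
    if call.urgency_claimed:
        flags.append("urgency pressure")
    if call.hold_music_heard:
        flags.append("trust cue from hold audio")
    if record is None:
        return Decision(False, "unknown client: open ticket, no credentials", flags)
    return Decision(False, f"callback {record['contact']} at {record['phone_on_file']}", flags)
```

The weak check passes for a spoofed number that matches the file; the hardened path never returns a credential release, regardless of what the phone displays.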
These simple tools, if well executed, can help IT security professionals assist their clients in closing what may be one of the largest entry points into a business, if not the largest.
Remember this quote from Bruce Schneier:
“Amateurs hack systems, professionals hack people.”
And, finally, this one from Kevin Mitnick:
“…my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.”