
21

Wednesday, August 24th 2016, 10:31pm

Yeh that'd be very cool :)

You're right, playing on the fears and other emotions of the employees is the trick to making it all work - but fear is the best way if you can do it, since fear is the strongest emotion.

I've seen a colleague record a fart into a soundboard, and put the soundboard into his back pocket. He *ran* into a big secure building, ran to the nearest staff holding a key (which he'd staked out on a previous visit) and said "Mate, do you have a Men's Room I can use?!" as he reached to his butt and pressed the button for the soundboard, and buckled at the knees. The security guard, in fear of having to deal with a nasty diarrhoea poop cleanup, immediately gave him access to the men's room, where he reached into the ceiling and installed a remotely accessible miniature computer before he left - effectively giving him the ability to be 'inside' the building for as long as it took to hack it.

Likewise, rather than employing fear, you can employ compassion. Female employees are far more susceptible to this since women are genetically programmed to care for others more than men. A young man who presents well (wearing a nice suit) but is sobbing uncontrollably while politely asking for access to a men's room will rarely be knocked back. On the other hand, triggering alpha males' defensive nature is just as effective. A security guard who takes you into custody will lock you into a room inside the building......... = hax. Any information you have about the system - including humanity - is a potential source for a breach.

Once our teams present results and recommendations in our reports, the human weaknesses in the system tend to shine through further. Sometimes, the management will respond by taking all recommendations and implementing them as documented, but far more often, they decide that they as business experts, know better about hacking than the professional hackers they hired - human ego creating that weakness once again. Often, the management will take the attitude that we were only successful in breaching their systems through social engineering, because of the failure of their staff. "Stupid receptionist... I wouldn't have done that", is the thought pattern (BTW I try to target at least one member of management to avoid that). So, they may train the receptionist but in reality there is a "black mark" on their record and their time with the company is limited. Or they may just outright punish the staff.

I would say though, that 9 times out of 10, the reaction they take is defined entirely by money. They'll follow the recommendations which are relatively inexpensive, such as having their server admins apply patches or configuration changes.... but paying their staff to take a training course? That's a loss of labour *and* you have to pay trainers, and for a big company that's a 6-figure-sum, and they just won't do it. At the end of the day, senior management are judged by how much money they make, and accordingly they don't really care about anything else.

There's some validity to that approach, I have to admit. Given that we know that the only completely secure computer system, is one without a power source, there will always be some degree of risk. The businessmen will perform a cost:benefit analysis and attempt to minimise that risk, to a degree which is financially optimal. As an engineer, I would tend to measure the potential cost of a breach as a part of that cost:benefit analysis, but... Hey, us engineers do tend towards over-engineering things. The 'right' answer is somewhere in the middle, and really, one never knows where that 'right' place is, until after the breach happens.

Posts: 15
Date of registration: Aug 11th 2016
Platform: Xbox One
Location: London, UK

22

Monday, August 29th 2016, 2:08pm

This was a seriously interesting read. The methods your company use to test the level of security are truly innovative. I wonder if criminals are even remotely as creative and if there are stories about it available?

> Likewise, rather than employing fear, you can employ compassion. Female employees are far more susceptible to this since women are genetically programmed to care for others more than men. A young man who presents well (wearing a nice suit) but is sobbing uncontrollably while politely asking for access to a men's room will rarely be knocked back. On the other hand, triggering alpha males' defensive nature is just as effective. A security guard who takes you into custody will lock you into a room inside the building......... = hax. Any information you have about the system - including humanity - is a potential source for a breach.

Imagine in the game, if there were a mission, where you had to simulate the example above by first needing to get changed into a nice suit (the game lets you change attire) before confronting the secretary. You could hack in on conversations and find personality and attitude traits that make a specific NPC susceptible to the exploit :) Sadly however, I am almost certain that the developer would get into trouble for stereotyping certain genders to behavioural tendencies like you mention above. Do you think it's possible to release such features without risking severe repercussion?

> I would say though, that 9 times out of 10, the reaction they take is defined entirely by money. They'll follow the recommendations which are relatively inexpensive, such as having their server admins apply patches or configuration changes.... but paying their staff to take a training course? That's a loss of labour *and* you have to pay trainers, and for a big company that's a 6-figure-sum, and they just won't do it. At the end of the day, senior management are judged by how much money they make, and accordingly they don't really care about anything else.

Since most of the companies you deal with claim social engineering to be the decisive factor in the breach, do they try to make sure that all "electronic" or "mechanical" security measures are at least well covered?

I can certainly see that training staff is way too expensive for most companies and firms, but what happens to the employee that was exploited? Instantaneously fired, or do they (the company) take the blame due to not providing training? Do you also have the head of security wrestling with senior management over funding needed for better security? Do you report your results to the IT department or the actual managing director?