After all, gullible employees lead to security breaches.

Brand Barney, Security Analyst, SecurityMetrics
By: Brand Barney
Humans want to trust other humans. If I struck up a conversation with a gentleman in a suit at the bus stop who explained his life story, why would I distrust him?
We all have a natural tendency to believe what trustworthy-looking people tell us. And that’s what gets us in trouble.
What is social engineering,

What is social engineering?

Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide some sort of useable data. For instance, instead of trying to find software vulnerabilities to exploit for sensitive data, a social engineer might try to trick someone into divulging an administrative password without realizing it.

Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.

What’s the problem with social engineering?


Here are some common ways social engineers try to socially engineer us

  • Steal badges and credentials in unlocked cars
  • Go to the local donation store and buy old company T-shirts
  • Pose as janitorial staff to get into a building
  • “Can you hold the door for me? I don’t have my badge.”
  • Pose as an IT person that needs to fix the network
  • Try unlocked doors around the backside of buildings
  • Pose as law enforcement conducting an inspection
  • Dumpster dive for sensitive documents
subscribe to blog.securitymetrics.com for more data security articles

Here’s what happens when I try to socially engineer someone.


How to avoid being a victim

The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:
  • You should be slightly paranoid (better to be safe than sorry)
  • Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
  • Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
  • Ask for a contact to verify why the person needs the information they’re asking for
  • Don’t hold secure doors open for people you don’t know

The only way to identify if your employees have soaked in all that knowledge is to test them. You can don a disguise and test them yourself, or enlist the help of a professional (also called a pen tester), to come onsite and test your employees, experiment with your physical security, and see what interesting information they can find in your trash cans.

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.