Sometimes I really can’t believe what you can pull off in large corporate or government organisations over here. Supplier doors that are wide open and give you direct access to the building (via the restaurant); patch cabinets that are open while nobody is in sight; trust-based employee systems; sticky notes with corporate (login) information; unattended laptops, (car) keys and badges; tailgating possibilities; unsecured fences (gaps) around critical buildings and perimeters…
This is just a tiny list of things I encounter on a daily basis. I know that you can’t treat your employees like they are in a prison, but there is a large difference between being secure and leaving your vault wide open to the public.
The 7 basic ideas to think about below seem extremely obvious; but please think about them for a minute and check them off for yourself too. I guarantee you that you won’t have 7 check marks; if you do, you’re a big liar and probably the most vulnerable to a social engineering attack. Pretending to do everything safely is a big bull-trap and makes you an easy target.
Let’s start off with a few obvious points; even these are surprisingly often abused with success.
1. Don’t click on emails you don’t trust; send them to your administrator instead so they can raise the alert (and update your virus scanner).
2. Don’t listen to people on the phone when they ask you to go to a website or give login information; ever!
Humans trust by default, which isn’t a bad thing. However, we also like to hide and lie low instead of stepping up and confronting people about what they’re doing or who they are. In a large corporate environment you see new people every single day, and that makes it easy for a social engineer to abuse. A simple “Hey, how you doin’?” is often the only thing a social engineer needs to say to bluff people off. An angry face helps too: people don’t like to get in trouble, so they would rather look the other way and move on.
3. Ask people you don’t know who they are (and make some new friends!).
4. Ask people what they are doing when you don’t know them (and learn a new skill!).
It’s common knowledge that you should have a different (strong) password for each account you have. Right… So you can remember all 1001 accounts with random 9-character passwords? Chances are that your local sports club, where you play every Saturday evening, isn’t as well protected as your office… Hacking into their database thus reveals your office password too, or at least gives a very decent hint about which direction to search for it (no, incrementing the last digit of your password each time isn’t a strong change).
5. Don’t use the passwords from your work computer at home or on social websites either.
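A small audit helper for the two habits just described, reuse of one password across accounts and the “bump the last digit” change. This is an added example, not code from the original post; the similarity threshold and the sample account list are assumptions constructed for the demonstration.

```python
import re
from difflib import SequenceMatcher

# Assumed threshold (not from the post): two passwords whose character
# sequences overlap this much are treated as the same password.
SIMILARITY_LIMIT = 0.8


def _base(pw: str) -> str:
    """Lower-case the password and drop any trailing run of digits."""
    return re.sub(r"\d+$", "", pw.lower())


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is `old` with only a cosmetic change.

    Catches the incremented-last-digit habit, case changes, and any
    pair that still shares most of its characters in sequence.
    """
    if old.lower() == new.lower():
        return True
    if _base(old) and _base(old) == _base(new):
        return True
    ratio = SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= SIMILARITY_LIMIT


def find_shared_passwords(accounts: dict) -> dict:
    """Map each password that is reused (or trivially varied) to its accounts.

    `accounts` is {account_name: password}. A work login sharing its
    password with a sports-club login is exactly the case warned about.
    """
    clusters = []  # list of (representative password, [account names])
    for name, pw in accounts.items():
        for rep, members in clusters:
            if is_trivial_variant(rep, pw):
                members.append(name)
                break
        else:
            clusters.append((pw, [name]))
    return {rep: members for rep, members in clusters if len(members) > 1}


# Constructed sample input; no real credentials.
SAMPLE_ACCOUNTS = {
    "office-ad": "Winter2015",
    "sports-club": "winter2016",     # same base, last digits bumped
    "webmail": "Winter2015",         # exact reuse
    "bank": "tr0ub4dor&3 correct",   # unrelated
}

if __name__ == "__main__":
    for pw, names in find_shared_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{pw!r} is shared by {names}")
```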
With IT gear getting smaller and smaller nowadays, it’s extremely easy to tuck a tablet under your shirt as you pass by. A social engineer abuses this to a great extent. Phones, car keys, tablets, notebooks: everything will be taken to get at the data. It’s even more dangerous when they put it back after a couple of minutes… The device has surely been tampered with and rigged with malware.
I can grab your car keys, unlock your car, put them back and sit inside until your working day is over… I can gently force you to go and grab the data I want, and leave without leaving traces in the system. I’m an asshole, yes I know. But organised crime really doesn’t give a damn what you think about them either… If they’re after a multi-million dollar heist, they will do whatever it takes to get their intelligence.
6. Don’t leave your personal items on your desk up for grabs when you’re not there.
If you think something is fishy, it probably is… If not, hey, you make mistakes too, you’re human! Rather be wrong twice than be fooled when you had that feeling… You as a human being have the best built-in IDS/IPS/firewall known to exist: your brain, eyes, ears and nose. When you spot something you don’t trust, REPORT IT TO YOUR CISO/SO!
7. Trust your instincts; always.