Organizations are still not doing a good job of protecting themselves from social engineers determined to discover information that's valuable for preparing an attack.
In social engineering, someone tries to get a company employee to disclose information that a hacker could use to attack the organization. Increasingly, the social engineer will use complex scenarios, Hadnagy said.
Not long ago, Social-Engineer.org released the results of its fifth Social Engineer Capture the Flag contest, in which 10 men and 10 women tried to socially engineer 10 of the biggest global corporations, such as Apple, Boeing, and General Electric. Despite ongoing improvements at the participating companies, not all employees or online information was properly secured. For example, one contestant found an unsecured help desk document that included log-in credentials for a participating company's employee-only online portal, Hadnagy said.
"It’s disheartening to note that after years of attacks and years of warnings, these valuable pieces of information are still so easily found and exploited," he added.
In this year's contest, 60 percent of contestants pretended they were fellow employees when they contacted real employees to try to discover information. This created an almost immediate bond, said Hadnagy, and often encouraged the real worker to be helpful.
"Those who didn't pretext as an employee had to work harder to build rapport," he said.
One reason: it's embarrassing for employees to question whether a caller truly is a colleague, said Hadnagy. If the individual really is a coworker, there's an immediate loss of face. Others ignore protocols. Guidelines may not be in place, and employees don't realize they're being played.
Some recent contestants, especially females, pretended to be subordinate workers, which garnered more help from sympathetic employees, he said.
"A lot of guys pretexted as someone with authority or power. I can't say that correlates. The women came in as humble. I'm part of the tribe and I'm working for the man. That got information. I love playing the garbage man more than I love playing the manager. When I'm playing the garbage man, no one looks at me."
Stopping the info flow
There is no anti-virus or firewall to install against social engineering. Rather, defense comes down to good awareness programs: ongoing employee education and testing.
"It needs to be realistic. It needs to be involved. It needs to be personal," Hadnagy told me.
A company could, for example, send a phishing email to 1,000 employees. If workers open it, the message tells them they were part of the campaign and must take a one- or two-minute lesson. The business then notifies employees that this type of campaign will be occurring regularly. The lesson includes ways employees can identify phishing emails so they become less likely to fall for these scams.
In only a few months, this approach can cut down the number of successful phishing emails to 18 percent from 80 percent, he noted.
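One way to keep score on a simulated-phishing program of the kind described above, as an added example that is not Hadnagy's or any vendor's tool; the log format, event names and sample data are constructed for illustration:

```python
import re
from collections import defaultdict
# Constructed event log (not real data) from a hypothetical campaign tool: "clicked" is
# where the real program would serve the lesson; "reported" means the user flagged the mail.
SAMPLE_LOG = """\
2024-03-04T09:00:01 campaign=Q1 user=alice event=sent
2024-03-04T09:00:01 campaign=Q1 user=bob event=sent
2024-03-04T09:00:01 campaign=Q1 user=carol event=sent
2024-03-04T09:00:01 campaign=Q1 user=dave event=sent
2024-03-04T09:12:40 campaign=Q1 user=alice event=clicked
2024-03-04T09:13:05 campaign=Q1 user=alice event=lesson_done
2024-03-04T09:20:11 campaign=Q1 user=bob event=clicked
2024-03-04T09:31:58 campaign=Q1 user=carol event=clicked
2024-03-04T10:05:00 campaign=Q1 user=dave event=reported
2024-06-03T09:00:01 campaign=Q2 user=alice event=sent
2024-06-03T09:00:01 campaign=Q2 user=bob event=sent
2024-06-03T09:00:01 campaign=Q2 user=carol event=sent
2024-06-03T09:00:01 campaign=Q2 user=dave event=sent
2024-06-03T09:07:44 campaign=Q2 user=bob event=clicked
2024-06-03T09:10:02 campaign=Q2 user=alice event=reported
2024-06-03T09:15:19 campaign=Q2 user=carol event=reported
"""

LINE_RE = re.compile(r"^(\S+) campaign=(\S+) user=(\S+) event=(\S+)$")

def parse_log(text):
    """Return (timestamp, campaign, user, event) tuples, skipping malformed lines."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def users_by_event(events):
    """campaign -> event -> set of users, so a repeat click by one user counts once."""
    buckets = defaultdict(lambda: defaultdict(set))
    for _, camp, user, ev in events:
        buckets[camp][ev].add(user)
    return buckets

def campaign_stats(events):
    """Per campaign: recipients plus click and report rates as fractions of recipients."""
    stats = {}
    for camp, by_ev in users_by_event(events).items():
        n = len(by_ev["sent"])
        stats[camp] = {"sent": n, "click_rate": len(by_ev["clicked"]) / n if n else 0.0,
                       "report_rate": len(by_ev["reported"]) / n if n else 0.0}
    return stats

def pending_lessons(events, campaign):
    """Users who clicked in `campaign` but have not completed the follow-up lesson."""
    by_ev = users_by_event(events)[campaign]
    return sorted(by_ev["clicked"] - by_ev["lesson_done"])
```

Comparing click_rate across successive campaigns gives the trend the article cites, and the report_rate shows whether employees are starting to flag lures rather than just avoiding them.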
Employees also should have scripts for phone calls, not word-for-word screenplays, but guidance about what to say if someone starts asking questions about operating systems, training, or other practices. Businesses must implement clearly defined, non-threatening policies for handling any potential breaches so employees can safely self-report, without fear of repercussions for the occasional lapse.
Organizations also can hire external consultants for penetration testing, Hadnagy said.
"That sounds self-serving, because that's what I do. It's not just self-serving. When you want to find out if there's something wrong with you, you're told at a certain age, 'Hey, go to the doctor and get checked out.' They poke us, prod us. The one time we go in and find something, they take care of it before it turns into a serious problem."