Women did well on Defcon social engineering test
IDG News Service - Of the 135 Fortune 500 employees targeted by social engineering hackers in a recent contest, only five of them refused to give up any corporate information whatsoever. And guess what? All five were women.
That's one of the interesting data points that contest organizers gathered, following their widely publicized event, held at the Defcon hacking conference last month. Organizers are in Washington this week, briefing the U.S. Federal Bureau of Investigation on what they learned, but they expect to release a report with more details sometime next week.
Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.
The contestants were extremely successful, said Chris Hadnagy, one of the event's organizers. Just one company didn't divulge the secrets participants were told to dig up, and that happened only because nobody could get a live body on the phone. "If we had been hired by each one of these companies to do a security audit on the social engineering side, almost every one of the companies would have failed," Hadnagy said.
Contestants weren't allowed to ask for truly sensitive information such as passwords or social security numbers, but they tried to find out information that could be misused by attackers, such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.
One interesting discovery: half of the companies contacted are still using Internet Explorer 6, a browser known to have serious security holes. Another discovery: if contestants tried to get employees to visit an outside Web site, set up for purposes of the contest, they always succeeded, eventually.
The results show that even the most secure companies can be undermined by employees who do or say thing they shouldn't.
And the threats are real, according to Christopher Burgess, a senior security advisor at Cisco, one of the companies targeted by contestants. "In real life, pretext calls happen in many, many companies," he said. "It's a well refined art in information collection."
People have called Cisco, claiming that their systems are down and that they're on urgent deadlines, trying to get employees to give out information that they shouldn't, Burgess said. "We train our personnel to recognize that social engineering is a means by which people manipulate others to perform actions or divulge sensitive information."
Cisco has made a lot of its security training procedures publicly available, so that other companies can learn from its experiences over the years.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts