Of 135 corporate employees targeted by social engineering hackers in a recent contest, only five refused to give up any business information whatsoever.
All five were women.
At the DefCon hacking conference last month, hackers targeted 17 major corporations, including Google, Wal-Mart, Symantec, Cisco, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a Plexiglas booth, with an audience watching, contestants called company employees and tried to get them to divulge business and technical details.
The contestants were extremely successful, said Chris Hadnagy, one of the event's organizers. Just one company didn't divulge the secrets the participants were trying to dig up, and that was only because the hackers couldn't get an employee there to answer the phone.
Many contestants got their information by pretending to be insiders who were doing audits, or consultants filling out surveys.
"If I took away one thing from the discussion, it's that the best defense is to train all of your personnel to validate who they are talking to if they don't recognize the voice, before sharing any information about your company," said Christopher Burgess, a senior security adviser at Cisco Systems Inc., one of the companies targeted.
What about the five women who were suspicious and refused to provide any information to the hackers? "Within the first 15 seconds, they were like, 'This doesn't seem right to me,' and they ended the call," Hadnagy said.
This story was originally published in Computerworld's print edition. It was adapted from a version that appeared earlier on Computerworld.com.