Social Engineering Exercise

(Chuck Kissel) #1

Does anyone actually do a Social Engineering Exercise against their employees or facilities?

Here is a story.
On my first week of my last job (9 years ago), my CIO sent me to all of the Bank’s Branches with a Hat, Shirt and ClipBoard that had the local telecom’s logo on it. My first assignment was to walk in and ask to “Inspect the Lines”. I was unannounced and unintroduced at the time. The test was to see if the Branches would call into the help desk or their direct management to see why I showed up without prior notice. Needless to say, I got into several branches without a call or further lookup, and in most of those cases they left me by myself in the back or basement.

(Dawn R Wolf) #2

I’d be really interested in some DIY Social Engineering stories from other users. What they used and what worked. Thanks for the example Chuck!

(Jeff Henderson) #3

I don’t have a program in place yet, but I tell my contractors to try to get in the building, and if they do I ask them to tell me who let them in. This way I can let management know we need follow-up training for that group.

(Shawn Wenzel) #4

I think that social engineering based penetration testing should be standard operating procedure for any organization. It’s amazing in this day and age that corporate logos and confidence can instantly instill a complete sense of trust in most employees.

(Itamar Shalev) #5

Hello there. Good story :slight_smile:
We provide our clients (worldwide) in-depth cybersecurity training to test employees’ awareness using live social engineering techniques such as tailgating, vishing, baiting, etc. Some we do as blackbox and some as whitebox. As we combine the human factor with technology, some ask us to combine the exercises we conduct with cyber-physical PTs. We run a few programs already and the results are great.

(Michael Kraft) #6

I agree, these types of exercises are invaluable… my senior leadership might not see the value, or maybe I should say, even knowing what the outcomes might be, they would be hesitant to conduct one. Has anyone run into this wall, and how did you overcome it?

(Itamar Shalev) #7

Large corporations have internal audit and they can be open minded for such a service. Also, regulated markets are obligated to conduct such exercises. The challenge is to prove the effectiveness of such a thing as part of the organizational awareness program, and I can elaborate a lot more… :slight_smile:


My plan this year is to deliver computer based training for information security issues, including social engineering, where the minimum score is 70%. I hope this training will raise our employees’ security awareness in daily tasks.

(Eric) #9

Interesting story! We have yet to run a social engineering exercise at my place of work but I can see us doing one in the near future. We may also include spoofing some intranet sites and redirect some users there to see if they can tell the website is not the real one.

(Stephen Rogers) #10

Not a pen test but a lesson in security.

I went to a customer site that I was last at three years ago. The manager took out a large binder filled with business cards and compared my card to the card he received on my previous visit. (Different cards, but same info.) He then called the cell phone number listed on the cards to see if my phone rang. I was quite impressed by his vigilance.

(Steven Kuhns) #11

I think this is a very interesting topic to most of us and would be a fun thing to try. Unfortunately, I think if we were to attempt to justify the need for this to our management teams, the cost benefit would not be in our favor. I think to a CIO this would be seen as “the cherry on top” of a well-constructed security awareness program. Today most companies are still struggling to build out a program and keep it functioning. I think if something like this were to be implemented, it would have to be presented in a way that would target specific areas within the company that pose a high impact from this threat.

(Ted Johnson) #12

In the classroom training I do (prior to our doing the KB4 tests) I often bring a coworker that the customer isn’t familiar with and have them sit in the classroom. During the physical security part of the class (Win-L, password protecting PCs and smart phones, etc.) I ask them who the person is. It helps to drive home the real threat of strangers entering their offices and potentially accessing their computers while they’re away.

(Gareth Meredith) #13

I work at a school where we got sick of teachers not using laptop locks we supplied, and leaving the classroom doors wide open.

During a whole school prize giving we went around all the classrooms that were open and collected their laptops. (From memory we got around 30-40.)

When they came rushing to us to explain they couldn’t find their laptop, we then instructed the teachers concerned to go to see their principal to explain why they were such an idiot. Only then did we give their laptop back.
Security around their laptops has been great since.

(Paul Gill) #14

In my prior position at a regional hospital, I hired a security auditor. Each week he would target one floor or department, walk in without a page and in plain street clothes. He would walk around and see what he could access: medication cabinets, computers, printers, etc. At first it was horrible; he never got stopped and was able to access various systems and information. But then he would go back and talk to the managers and attend staff meetings to educate the users. It got a lot better over several months. But then we started sending someone else on off hours to do the same audit and had a lot of failures again. We had to target training to the other shifts, etc. It’s been slowly improving again.

I think this type of physical social engineering is absolutely necessary.

(Dorothy L. McGee) #15

I wish we had these kinds of exercises where I work, but unfortunately we don’t have much in the way of security training for our employees. Most of it consists of broadcast emails after something has happened, like when we got hit with ransomware. Security training should begin the moment an employee walks through the door and continue with random exercises to see if they are following best practices.

(Brian Smith) #16

I would love to do an exercise like this in my business to see how well some of our locations are using their heads.

(Dan) #17

This is a ‘fun’ idea. I’m going to be working on how to incorporate this here.

(Lisa) #18

As a part of our Pen Test we did a physical security test. Our ‘friendly’ atmosphere worked against us as employees let the strangers in. They were here a good part of the day without being questioned. We learned some good lessons. We have also made some changes and published our policy for all employees.

After the pen test, we had two other issues which we used as learning opportunities for employees (again, letting people in and leaving them unattended).

In the past year, employee behavior has changed and people question and report much better.

(Matt Parkes) #19

In a similar camp, I love the idea of testing users’ awareness using phishing and vishing, and even physical walk-in-the-door tests with senior management’s knowledge, but I know they would say no. For physical tests they would say, well, you have to get through reception, so unless you have an appointment you are not getting in. However, you still have the tailgating risk where an employee uses their access to get in and unthinkingly lets in a stranger behind them, and if reception is unmanned for a minute or two, bingo.

(Warren White M.S. Cybersecurity) #20

I used to work at a mental health facility where I would see vulnerabilities with the staff members every day. It is scary to see how many patients had free roam of areas that had sensitive information, passwords for the computers left around, amongst other things. Security should be top priority, but instead it seems like most places run off the honor system. I feel paranoid using the same password over (which I stopped doing), let alone writing down my password anywhere. At one point, they had a person come through, posing as a patient, to see how much sensitive information they could find lying around. We did OK, but potentially patients can be victims of identity theft. I don’t even want to know what one disgruntled worker can do with thousands of patients’ personally identifiable information.