A penetration tester is a person who tests for vulnerabilities or unauthorized access to systems. Systems range from computer networks to physical access to locations. Penetration testers can use many elements of social engineering to gain access to systems. They can utilize phishing, or other techniques such as elicitation, to gain information from unsuspecting employees to get passwords, entry into buildings, or other access into systems.
Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, VPNs, and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information in an email, by answering questions over the phone from someone they don’t know, or even by talking about a project with coworkers at a local pub after hours.
Story: Out of Town
True Story – The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer. They dug through the corporate trash, finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers had studied the CFO’s voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.
Penetration testers use any means to exploit their targets. Depending on the scope of work, it is not uncommon to see penetration testers become employees at the target company. While employed, they are pulling off the ultimate social engineering exploit. Elicitation and pretexting are their sole job while employed at the target company. Background checks are an important way to defend against this type of attack.
Wells Fargo customers were victims of a social engineering attack that utilized phishing. It is a classic example of the technique: an e-mail sent to customers requested that they update their account information, and the link in the e-mail sent them to a fraudulent site. The attacker also used a sense of urgency in the e-mail to entice victims to select the link and enter their information.
The attack included the use of Open Source Research, obtaining a position as a temporary employee within the target, misrepresentation of responsibilities by the temporary, abuse of physical access, internal hacking, internal coordination and facilitation of external hackers, and straight external hacking. The results were staggering. Within one day of the on-site activities, over $1,000,000,000 of information was “stolen.” While the firewall was impenetrable and Smart Cards prevented access from outsiders, information was compromised almost at will by an insider. This was accomplished in a company that has a tremendous technical security program.