We love reporters, we really do. We have a great relationship with many reporters from all over the globe. We understand that sensational titles and stories are what sells. With that in mind, we wanted to take a minute to address some of the false conclusions being drawn from some of the data coming out of this year’s Social Engineering Capture the Flag contest.
As part of the contest, we make a point to never embarrass a company due to the results of the contest. There are a number of quotes that are being attributed to Chris that are inaccurate, as we would never name one company or another as doing the “worst” as part of the competition. During our press conferences at Defcon we were asked about this and we declined answering for this very reason.
Additionally, we caution anyone against declaring that one company is more or less secure than another based only on the calls. The structure of the contest is such that one contestant calls one company for a limited period of time. There are far too many variables in that arrangement to say that any single company did worse than another (e.g. the skill of the caller, the person they get on the phone, the pretext used, etc.).
At this point, the only conclusion that we can confidently make is that the state of defense against social engineering attacks in corporate America is very poor. All companies contacted did poorly, even against amateur social engineers. Our goals are to educate and help companies, as we have said numerous times on our podcast, in our newsletters and on the new site we launched, www.social-engineer.com. We do not do that by embarrassing or humiliating the same companies we want to help.