Finding The Hidden InfoSec Story

Social Climbing…


When Mallory said the reason he wanted to climb Mount Everest was “…because it was there…”, as a social engineer I knew what he meant.  Sometimes a big part of the motivation for breaching a target is the size of the corporate scalp on offer or the magnitude of the potential payload, but most importantly it is the challenge itself that can grab you.  As a teenager growing up in Liverpool, I had several “Everests” I was looking to “climb”, and all for different reasons.

Firstly, I became a little obsessed with a horrible old zoo in a nearby town, long since closed and demolished.  It was a dreadful place full of rusty cages in various stages of decay and a handful of tatty animals in terrible conditions, and the owners were eventually prosecuted for cruelty.  I wanted to get inside and take a look around; I wanted to shut them down.

Next, there was a multi-storey office block, with seemingly thousands of miserable workers, belching in and out of the many entrances and exits at various times during the day.  I had noticed and become intrigued by the fact that there was one floor that was never lit. Ever.  I used to stare up at that floor sometimes and wonder what was on it that meant it had to be kept in permanent darkness. I wanted that secret.

There was also a funeral parlour close by that was well-manned and apparently very secure.  With the morbid curiosity of teenagers, myself and a couple of friends were desperate to get inside and have a look around, and generally frighten the lives out of ourselves in the process.

We also looked at shopping centres and offices, churches and schools, university campuses and public buildings. We considered car showrooms and cinemas, museums and shops, apartment blocks and the tunnels underneath Liverpool.

In short, if a building looked interesting and was locked, we wanted to open it.  Not to steal anything; we weren’t interested in that (I only became a “thief” when paid by clients to do so as part of a pen-test).  Stealing was never the point, getting past was.  Those three targets were my early “Everests”, and I planned how I would get into them for months and months before successfully “breaching” all three.

I didn’t call this “social engineering” at the time; I had neither the language nor the kit I would deploy nowadays, but those early breaches set me up for my later adult exploits as an ethical social engineer, and I never forgot the thrill of those first adventures.  The fear of getting caught and the wonder of getting past security, in whatever form, and being somewhere you shouldn’t be, is addictive and dangerous, and it adds complexity to these types of attacks on a psychological level.

My teenage hit-list was pretty harmless in itself.  We stole nothing, damaged nothing, and it was just a tick on my budding criminal bucket list of targets I could say I got past.  But translate this mentality to an adult, criminal setting and we as security professionals have a real problem.

If you are someone’s “Everest” you will, sooner or later, almost certainly be breached.  It is almost impossible to guard against this type of adrenalin-led trophy hunter indefinitely, because the attacker will gain the focus of the fanatic.  The breach becomes a mission, an obsession, a way of life.  But this level of commitment is rare, simply because there are other targets that are equally challenging and carry more tangible payloads like revenge, financial benefit, disruption and moral justification.  If a target becomes too difficult or time-consuming there are plenty more to choose from, other mountains to climb: there may be only one Everest, but there are lots of corporate mountains that look like interesting climbs.

It’s likely Mallory never looked upon a mountain without considering how he might climb it, and similarly a natural social engineer will always consider how they might breach an organization, just because it’s there.  I was recently at a conference in London and found myself being legitimately buzzed in past security and escorted to the lifts.  I had no reason to scope the place; I was a speaker and a guest of the company, with free access around the building.  But I had already worked out what I would do to get past, just hypothetically, if I had to, and this wasn’t even my Everest, it was just there.

The point is that as a security professional it is very hard to fight someone with this kind of mindset.  People who build gates and construct firewalls, who guard buildings and follow procedures, usually think in different ways to those of us who would look to breach them: to jump over, tunnel under, go around or through, or get someone else to let us past.

I went for the zoo first, simply because it was the easiest target.  There were few staff, so less contact, and they seemed dopey and uninterested in the job.  The office block was harder in some ways, as there were checks, but the building was about as secure as a kid’s tent, and in the end I walked in, had a look around, and found out what was on that darkened floor.

However, the funeral home was a nightmare from a social engineering point of view.  The people were alert and focused on their jobs; they were chatty, cheerful and asked a lot of questions.  We could see from even the most basic surveillance that in order to get into that place we were going to have to really think things through, plan ahead and get our act together.  It was too much like hard work, so we hit the other two first.  Less interesting targets, but so much easier.

Make your organization like that funeral parlour.  Professional social engineers are patient, cheeky and daring, but ultimately the less human interaction the better, and there are so many mountains to climb, so many scalps to collect, that if your team makes it harder than it needs to be, they are likely to move on to an easier target, or at least come back another day.

Unfortunately, you can’t make yourself less interesting as a target.  There are as many reasons for your organization being on that bucket list as there are hackers.  Rather, you need to make yourself more of a pain in the neck to get past.  So, if your organization is of interest to someone looking to breach it, if you represent a tick on a bucket list or a corporate trophy for the hacker cabinet, then you need to start to think like a social engineer and educate your entire staff to do the same.

Staff need to be engaged and professionally nosey: curious about things that are out of the ordinary, and awake to those matters of routine that are so familiar that we switch to auto-pilot.  The first time your people are faced with a social engineer should not be the first time they have ever heard the term.

I recently read a ghoulish article about the bodies of climbers who have fallen on Everest.  The conditions are such that they cannot be removed, so the slopes become the final resting place for those who have unfortunately met their end on the mountain, a grim reminder of the dangers of the quest for those passing on their way to the summit.  Make your own mountain a difficult climb, and educate your people to recognize and interrupt corporate trophy hunters.  Populate the slopes with people who know how to deter and detect them and direct them away from your Everest, because there are other mountains “there” as well.

Author: Jenny Radcliffe
