Loading...

How Robust is Your Reception?

Janine Chasmer
Janine Chasmer

People hack people

The aim of this blog is to emphasise the detrimental effects that organisations can encounter if they are faced with a social engineering attack. The blog will outline different types of social engineering mechanisms, Equantiis’ first-hand experience of dealing with them for Clients and recommendations on how not to fall into an attackers trap.    

The term Social Engineering is defined as a malicious attack conducted by humans to attain confidential or personal information – essentially hacking people! Whilst the end result may evolve into compromising a system, the approach isn’t directed at technology.  

With cybercrime skyrocketing, organisations often overlook the weakest link in information security – people. This allows fraudsters to take advantage of individuals’ naivety and psychologically manipulates them into becoming an accomplice to their nefarious goal. 

 

Social Engineering Techniques

Whilst there are a number of techniques used in social engineering, areacovered here are:  

Baiting  a method that attempts to lure or place someone into a false sense of security by laying a trap in order to exploit them. This could be by giving them infected equipment (e.g. a USB stick with malicious content) or sending them an email or post with links to a fake website.  

Quid Pro Quo – is often regarded as a subcategory of baiting. The targeted individual is offered something in exchange for something else, e.g. divulging personal information that could be used to reset an account 

Pretexting – is when a perpetrator creates a false sense of trust between themselves and the to-be-victim in order to gain access to confidential informationThey often disguise their identity and impersonate co-workers or figures of authority in coercing the victim into providing sensitive information. 

Tailgating – also known as piggybacking, is an inconspicuous technique involving an unauthorised person physically following an authorised person into a restricted area. This technique is so powerful that the authorised person with access will often hold the door open for the person following behind. Any employee handbook should already warn employees about challenging unknown staff on work premise. 

 

Using these techniques in practice

Equantiis recently made some security recommendations to a client’s Executive Board. In order to help the project sponsor develop a compelling business case to invest in securityEquantiis carried out ‘Mystery Shopper style social engineering experiment. 

The team successfully bypassed the building reception desk using a pretext cover story and tailgated their way past the client’s reception.  

After entering the client’s offices, Equantiis was challenged by an employee around two minutes laterAgain, using the pretext, a fictitious venue hire enquirythe employee was happy to guide the team around the offices.  

Equantiis was able to photograph parts of the building with permission on the pretence of the venue booking (the quid pro quo!). After being left aloneEquantiis photographed confidential locations within the offices, including; meeting rooms, computer screens and employeesFinally, on departure, Equantiis dropped a malware infected USB device on an SMT’s desk in the hope that the employee would take the bait and plug it into a computer. 

This example highlights the importance of thinking about security without just looking through a technology lens. It is at the end of the day an organisational wide issue! 

 

Key takeaways and actions for organisations

Ultimately, social engineering is an imminent problem that is affecting businesses on a large scale. The C-suite should use Equantiis’ experiment as an example, to demonstrate the impact of a simple social engineering attack on organisations 

Equantiis’ advice to businesses on protecting themselves against social engineering attacks are: 

1. In depth and continuous training

All employees should receive comprehensive security awareness training that is regularly updated and revisited. This will enable employees to identify the different mechanisms social engineers use to conduct attacks. The training should also include techniques that employees should look out for when identifying a social engineering attack. 

Organisations could introduce bi-monthly mystery shopping exercises, to test employees vigilance and thought process when combating or questioning the issue. 

2. Introduce processes and countermeasures

Organisations should identify a process that all employees can follow if they are faced with a social engineering attack. Having strict guidelines and countermeasures in place will equip staff with procedure that they may follow in order to report and action if and when they spot anything suspicious.  

3. Tighten your primary defence mechanisms

Reception desks are usually the first point of contact any fraudster will have to approach before gaining access into the building, and if the primary defence is easily penetrable then the latter may seem substantially easier. Therefore, organisations need to enforce strict policies that equip reception employees, with the necessary skills to challenge or even refuse visitors entry. 

A policy could simply involve introducing name badges that visitors need to wear at all times in a visible location, so that all personnel can identify visitors in the building. 

Share this article

More about the author

Janine Chasmer
Janine Chasmer - Executive Consultant

Background - Janine’s skills and experience include consultancy, project management, facilitation and delivering transformation working across a number of sectors, including Insurance and Higher Education, and as an experience Membership professional, with over 11 years’ experience in the third sector. Role – As an Executive Consultant, Janine guides and support organisations undertaking significant change or transformation and manages and delivers consultancy support on a wide range of technology implementation projects. Responsibilies – Janine is the sector lead for Higher Education and Not for Profit. Passion for…. Books, films, theatre and holidays with friends.

Contact an expert

Get in touch directly with a consultant –
We’d love to discuss how we can help you achieve your project goals.

Get in touch