Social Engineering: 6 commonly targeted data points that are poorly protected

It's the little things that cause the biggest problems

This week, thousands of hackers have traveled to Las Vegas to learn about the latest in security research and techniques during BSides Las Vegas and Black Hat. This weekend, during DEF CON, the education continues as hackers roam the halls moving from talk to talk or head over to one of the villages.

Now in its sixth year, the Social Engineering village at DEF CON has always been an interesting location. Each year the village hosts talks and interactive lessons on human hacking, but the major draw is the Social Engineering Capture the Flag contest (SECTF).

During the contest, participants scramble to gather flags: bits of information that appear harmless on their own but can spell trouble for an organization when combined.

The following flags are commonly targeted by participants during the SECTF. They are basic, and that is the point: each one is something contestants rarely fail to obtain.

Do you Wi-Fi?

Flag: Is there a wireless network?

Danger: A wireless network that connects into the internal network gives an attacker outside the building a path to corporate resources. Poorly configured wireless networks (open networks, weak pre-shared keys) are not uncommon, and each one is another vector.

Solution: Design the network so that a DMZ separates public or guest wireless from internal networks. If the wireless network is an internal network, apply the same controls as a wired internal segment, starting with strong authentication such as WPA2-Enterprise with 802.1X rather than a shared passphrase.

Targeting the help

Flag: Who does your IT support, food service, shipping, document disposal, janitorial work or waste management?

Danger: Knowing the vendors creates believable pretexts for impersonation through phishing, vishing and onsite attempts; a caller claiming to be from the actual document-disposal vendor is far more credible than a generic one.

Solution: Develop strong corporate policies, including what information can be disclosed to unverified callers; verification procedures for callers/visitors; and procedures for allowing individuals onsite (visitor badges, government ID, etc.)

Tell me about your computer...

Flag: What browser do you use? What OS do you have? What is the make of your computer?

Danger: Knowledge of internal systems, such as browser and operating system versions, lets an attacker target known vulnerabilities in those products and tells them which technologies the victim uses. It also makes follow-on phishing or vishing more convincing, for example a fake update notice for the exact browser in use.

Solution: Keep patching current so that disclosed versions are not exploitable, define policies on what information may be disclosed, and follow through on both.

What about VPN access?

Flag: Do you have a VPN? What type?

Danger: Knowing the VPN product and version lets an attacker target any known vulnerabilities in it and tells them which technologies the victim uses. It also provides a ready pretext for follow-on phishing or vishing, such as a fake VPN login page.

Solution: As mentioned previously, keep patching current and enforce policies on the disclosure of unnecessary information.

How are things accessed?

Flag: Questions related to the use of badges for various levels of access, including doors or systems.

Danger: An attacker forewarned with this knowledge knows what a valid badge looks like and where it is required, and will likely be able to clone or counterfeit badges for use in onsite impersonation attempts.

Solution: Develop strong corporate policies, including what information can be disclosed to unverified callers; verification procedures for callers/visitors; and procedures for allowing individuals onsite (visitor badges, government ID, etc.)

Open this webpage for me...

Flag: Will you navigate to this (unknown) website?

Danger: This tests the target's willingness to navigate to an unknown website at the request of an unverified individual. A target who does so puts the corporate network at risk of a drive-by malware download or of disclosing login credentials to a spoofed page.

Solution: Develop strong corporate policy, including verification procedures for callers, and behaviors that are acceptable on the corporate network.

Asking a target to open a webpage (SEORG.ORG) is one of the top flags during the SECTF contest because it works. Every year several targets have no problem "testing an Internet connection" by following instructions and opening a domain in the browser.