Social Engineering:
I was with a client the other day in a secure room. The client left for lunch, locking me inside the secure room. The door to the secure room contains a glass window that allows any passerby to see inside. An outside vendor came by and knocked on the door. This immediately brought to mind a common problem.
While this vendor was almost certainly legitimate, my only interaction with this client is with this secure room and the individual who locked me in. I have no idea who this vendor is, or, even if he is the client's legitimate electrician, whether he has any business being in this secure room at this particular time. I routinely see UPS/FedEx/USPS drivers hold doors open for people, allowing them into an area in which they have no business; the delivery person has no idea and, true to the intent of social engineering, lets the person in.
In my case, I walked up to the door and advised the external vendor that I did not have the authority to allow him access to this area. He was furious and began yelling. This reminded me that social engineering is not just walking into a building looking as if you belong. Social engineering can include being quite unpleasant.
If a person exclaims loudly enough that he belongs, perhaps someone will be more apt to open the door. It’s odd to me how people innately understand the problem of social engineering when they’re at home, but quickly forget it at work.
To put this in personal terms, imagine you are visiting a friend at his home. He trusts you, so when he has to run a quick errand, he leaves you at his house and locks the door. Moments later, the cable guy shows up and demands entrance to install a new cable hookup. You would almost instinctively refuse him entry, and if he became loud and obnoxious, you might even call the police. Why would you act differently at work?
-Ben.
Ben Howard is a Sr. IT Consultant with NSK Inc
NSK Inc.
75 Kneeland St., Suite 201
Boston, MA 02111
617-303-0480