Large American companies are susceptible to social engineering


Large U.S. companies appear to be vulnerable to social engineering attacks, in which employees were tempted into revealing too much internal information. This information can then be used in hacking attacks.

At the DefCon security conference in August, a capture-the-flag contest was held in which the participants had to get hold of information about businesses, such as the name of the virus scanner a company uses, which internal ports are open and which browser is in use. Eliciting this type of information, known as 'social engineering', is often used by attackers preparing a hacking attack on a company. The participants tried to obtain details from companies such as Apple, Dell, IBM, Oracle and Symantec.

An analysis of the competition has now been published. One of the worst performing companies was Oracle, and the American airlines Delta Airlines and United Airlines also gave away too much information, according to the report. Symantec, IBM, Dell and Apple performed about the same, but still gave information away. The organizers conclude that the difference between companies can largely be explained by the performance of the participants and the resilience of the individual employees.

Prior to the contest, the participants had two weeks to do preliminary research on a company, during which direct contact was not allowed. During the capture-the-flag contest itself, they had 25 minutes to call a company and get information out of its staff. Calls were made to employees in the companies' sales departments, support departments and shops. In some cases the participants posed as a potential customer, in others as a colleague.

The participants did not ask for sensitive private information. Nor were any government institutions, educational organisations or financial institutions approached. The results across the fourteen companies approached were astonishing: the participants managed to extract information from every company, which yielded points, or flags. For instance, employees of every company called could be tempted into visiting a particular URL, which is a security risk. Employees also gave out internal information, even though this was not allowed in all cases. Some of the information did not even have to be asked of employees, because it could already be found on the internet, for example via social media.

The authors of the analysis give away little about the information that each individual company disclosed. They recommend that companies establish social media guidelines limiting what employees may share about the company. Employees should also be better trained to make them resilient against social engineering, and companies should test their employees in the same way as was done during the contest.