
Awareness video shows social engineering attack

Jul 22, 2004
Networking, Security, Social Engineering

Film review: ‘Stolen Access: Keeping Information Secure’

Commonwealth Films’ training video, “Stolen Access: Keeping Information Secure,” relates some warning signs that can indicate a social engineering attack.

This 2003 production starts with a credible scenario demonstrating social-engineering techniques as industrial spies penetrate an organization by posing innocent-sounding questions to employees by phone. The criminals find the name and position of their target, his secretary’s name and their phone extensions. They pose as job applicants, new employees and customers. They determine that their target is on holiday, that he has forgotten his new password, and who has the emergency password list. They impersonate the target’s sister-in-law, provide convincing sound effects to convince the keeper of the password list that the target is too ill to come to the phone, and achieve their objective: the target’s password. The criminals then steal copies of the target’s confidential files and read his e-mail for weeks. They sell the competitive information to competitors and cost the target’s company several contracts in competitive bids.

As the film sums up, here are the warning signs:

* The caller tries to frame his or her request as an emergency.

* Social engineers often invoke authority as a tool of intimidation.

* They may claim that there’s a technical emergency and offer or ask for technical help.

I’d add that a real bell-ringer is that they ask for passwords over the phone. Down boy! Bad social engineer. BAAAADDD social engineer! (Sorry, we have a new puppy and I’m getting into strange verbal habits.)

Advice from the technical consultants at Commonwealth Films on handling an unusual call:

* “If it seems wrong, assume it is wrong.”

* “If you’re uncomfortable, end the call.”

* “Don’t violate policy to ‘help’ a friend or associate.”

* Disclose only appropriate information.

* Report unusual calls.

The film continues with an interesting scenario demonstrating how eavesdropping on indiscreet conversations can allow an industrial spy to deduce passwords when employees use personal preferences and interests to secure their system access. Casual public conversations and overly explanatory, unencrypted directories and files make spies’ work too easy by half. The film provides excellent suggestions for choosing effective passwords.

Other scenarios in the film:

* Phishing scams using bogus “virus warning” e-mail messages and fake Web pages that ask for system logon information.

* Being too trusting at work by leaving confidential files accessible on a workstation session, discarding unshredded bad photocopies of confidential documents, leaving confidential documents in photocopiers and on fax machines, and (yikes) putting passwords on Post-It notes.

* Using public wireless access points for communication of confidential data without VPN software.

* Bogus cellular phone calls asking users to input their personal identification numbers “to keep your service active.”

As always, this Commonwealth Films training video is a valuable contribution to corporate security awareness programs. Congratulations to writer and director Bruce McCabe, producer Jennifer Wry and veteran executive producer Thomas McCann.

Note: The author has no financial interest whatsoever in Commonwealth Films. However, these nice people allow me to show their previews to my students in class and I am grateful to their director of customer relations, David Burke, for his consistent kindness over many years.