Hello Readers,
I would like to start this post by narrating a social engineering test that my organization was hired to do once for a large IT company. The test was designed to test the “human resilience” towards information disclosure attempts.
The test began by initiating a telephone call to the front office executive. We politely informed the executive that we were calling from a large network equipment manufacturing company. Our research had shown that this client of ours was a major buyer of equipment from this network equipment manufacturer. We informed the executive that the network equipment manufacturer publishes a monthly magazine which profiles their best customers, and this month the company that was chosen was hers. We congratulated her and requested her to connect us to the network monitoring team. She eagerly did so.
We repeated the same story with the engineer from the network monitoring team and requested him to answer a few questions so that we could publish them. We also asked the engineer whether we could “quote” him and use his name. He was eager and agreed. Next we started asking questions, some of which are listed below in the form in which they were actually asked during the dialogue.
Question – Can you tell us some of the higher-end range of equipment that you have purchased from us?
Question – I am sure you must be using our high-end VPN facility. Can you tell us how many client locations you have VPN connectivity to?
Question – …and what would some of these clients be?
Question – …and are you happy with the speed at which we solve bugs in the RTOS (Real Time Operating System)?
Question – …and did you install the last updated RTOS version that we released on…?
Question – …and what would the version number of the RTOS be?
At the end of this conversation, we had collected the following information.
1 – The version number of the RTOS running on the equipment
2 – The date of the last update
3 – The clients the organization has
4 – The list of clients to whom VPN connectivity was established
5 – The model numbers and list of equipment used by the organization
Based on the above information, we could draw out a fairly detailed network architecture of the organization. We also knew the VPN tunnels running out of the company. We queried existing information security vulnerability databases to identify the current security issues with the RTOS used in the equipment.
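To make that last step concrete, here is an added example (not code from the original post or from First Legion) of what a tester does with a freely disclosed version number: reduce the vendor's version string to something comparable, and match it against a list of advisories with affected-version ranges. The product name, model names, version string, update date and every advisory record are constructed for illustration, and the advisory IDs are placeholders rather than real CVE numbers; in practice the list would come from the vulnerability database that was queried.

```python
"""Turn facts elicited in a pretext call into a list of applicable advisories.

Added example, not code from the original post. All call notes, product
names, version strings and advisory records below are constructed for
illustration; the advisory IDs are placeholders, not real CVE numbers.
"""
from dataclasses import dataclass
from datetime import date
import re

# Constructed notes, in the loose form an operator would jot them down during the call.
CALL_NOTES = {
    "product": "RTOS",                 # hypothetical product name for the device OS
    "rtos_version": "v12.4(3)",        # hypothetical version string as read out by the engineer
    "last_update": "2009-03-12",       # hypothetical date of the last update
    "equipment": ["RouterX 9000", "FirewallY 500"],   # hypothetical model names
    "vpn_peers": ["Client A", "Client B", "Client C"],
}


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    first_affected: tuple   # inclusive lower bound
    first_fixed: tuple      # exclusive upper bound; None means no fix released
    summary: str


# Constructed advisory list standing in for the vulnerability database that was queried.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "RTOS", (12, 0), (12, 4, 4),
             "constructed: malformed management packet causes a reload"),
    Advisory("EXAMPLE-0002", "RTOS", (12, 4, 3), None,
             "constructed: unfixed weakness in VPN peer handling"),
    Advisory("EXAMPLE-0003", "RTOS", (11, 0), (12, 0),
             "constructed: old issue, fixed in the 12.0 train"),
]


def parse_version(text: str) -> tuple:
    """Reduce a vendor version string such as 'v12.4(3)' to a comparable tuple (12, 4, 3)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: tuple, adv: Advisory) -> bool:
    """Check first_affected <= version < first_fixed, padding with zeros so 12.4 == 12.4.0."""
    width = max(len(version), len(adv.first_affected), len(adv.first_fixed or ()))

    def pad(t):
        return tuple(t) + (0,) * (width - len(t))

    v = pad(version)
    if v < pad(adv.first_affected):
        return False
    return adv.first_fixed is None or v < pad(adv.first_fixed)


def match_advisories(product: str, version_text: str, advisories=ADVISORIES) -> list:
    """Return the advisories that apply to this product at this version, in list order."""
    version = parse_version(version_text)
    return [a for a in advisories if a.product == product and is_affected(version, a)]


def days_since_update(last_update: str, today: str) -> int:
    """Days between two ISO dates; a large gap means fixed releases were never applied."""
    return (date.fromisoformat(today) - date.fromisoformat(last_update)).days


def build_profile(notes: dict, today: str, advisories=ADVISORIES) -> dict:
    """Condense the call notes into the summary an attacker, or the tester, would act on."""
    hits = match_advisories(notes["product"], notes["rtos_version"], advisories)
    return {
        "equipment": list(notes["equipment"]),
        "vpn_peer_count": len(notes["vpn_peers"]),
        "days_since_update": days_since_update(notes["last_update"], today),
        "advisories": [a.ident for a in hits],
    }


if __name__ == "__main__":
    profile = build_profile(CALL_NOTES, "2009-04-11")
    for key, value in profile.items():
        print(f"{key}: {value}")
```

The point of the zero-padding in `is_affected` is that vendors publish ranges at varying granularity ("12.4" in one advisory, "12.4.4" in another); comparing raw tuples of different lengths would silently misclassify the boundary releases.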
We submitted the reports to the client. The client was obviously not pleased with the way information was disclosed. What displeased the client most was that the employee disclosed the names of their customers, which was considered sacrosanct. As per the official policy of the company, such information should be disclosed only through the PR (public relations) department of the organization.
So, what is the lesson? From my perspective, the fact is that in spite of the best technology available to protect information, people will still disclose it.
In the next part of this post, I shall be exploring behavioral factors that are the root cause for people committing information security errors.
Warm regards,
Anup
http://www.firstlegion.net