Response to a social engineering comment
Posted by: Eric Hansen
I’ve been trying to think for a while now about what I can make a new post about…and with the holidays that passed and some personal matters, it wasn’t any easier, hah. But recently an individual commented on my social engineering post, and while I know I could simply reply to it, I decided not to.
The comment itself reads:
Good first example, poor oversimplified and subjective second example. The success of social engineering is based heavily not only on the common human being naive but often genuinely interested in helping out someone in need — a need to gain access to information. Unfortunately, it is all too commonly information that they are not privileged to have access to in the first place. The truth is that true security requires people, process and technology. It all begins with education and awareness.
I do agree that social engineering is arguably often successful because of the intent to help another. That statement, however, also depends on what is trying to be done via this technique. For example, I read on another website recently that a few people got arrested for trying to get a restaurant to give them free food (or something). Now, could the person these people talked to have been trying to just help a fellow human? Possibly. But either the person was really, really gullible, or the arrestees just got quite lucky, considering they videotaped it and put it on YouTube.
The last three lines I almost 100% agree with. Let me play out two scenarios to bring out both the yay and nay on this.
Let’s say your boss has a separate ID to gain access to a generic ID mailbox (used for FAQ things, spam, whatever need be). Now, the boss has employee A and employee B, who both need access to that mailbox as well. Employee A is more on the educated and aware side, while employee B isn’t. The mailbox isn’t necessarily full of top-secret, CIA-will-arrest-you type of information, but employee B decides that they deem it necessary to forward some mail directed to their boss to their own mailbox. Did they do anything wrong? Technically no; although you can label this as invasion of privacy, they did not do anything illegal to get into the mailbox…all the content was readily available to employee A as well, and to the boss. The point this is trying to make, since I’m not sure if I’m conveying it well enough here, is that not only is it the case that “true security requires people, process and technology”, but it also requires trust.
Last scenario…I’ll do this based on what a lot of people at my work do. We get a customer who calls saying that they want the number for this or that technician, or their e-mail, or whatnot…because they missed their call. Now, everyone who works for Ford Motor Company or Ford Credit has access to the same user database as we do, so you feel it’s okay to give out the tech’s contact info. Usually we verify that they actually need to talk to this tech by requesting a ticket number or something, but some people don’t worry about that. Now, this scenario doesn’t even require technology or trust, since this can even be done by flipping papers around. But I do agree that people should be educated and aware of the flaws of not following procedures. Now, in actuality, the procedure for this is to not give them the information anyway, but…that’s a different story.
Well, this is about all that I can think of posting right now. Not exactly a ground-breaking post, but it was fun to make nonetheless. I would also like to send a thank you out to the individual who made the comment. You made me start thinking about what I had said in that post, and I agree about the second example.