Tag: social engineering

The Zoo

A very small zoo was thrown into chaos when the star attraction- a gorilla named Chuck- unexpectedly died right before they opened for the day.

The owners were worried, because people came from all over just to see Chuck’s antics. Surely, the gorilla’s passing would spell the end of the beloved zoo.

But then, the owner had an idea. He called Jason, one of his employees, and offered him an extra $100 a day if he would wear a gorilla costume and pretend to be chuck- just until they could get a live replacement. Jason agreed, and minutes before opening he was suited up and ready in the enclosure.

Everyone loved Jason’s antics. The children clapped and laughed, and even the adults enjoyed watching the fake Chuck run around and beat his chest. Eventually, however, business started to die down. Chuck was still a popular attraction, but people could only watch an animal do the same tricks so many times. So Jason began changing things up. He would throw a ball out of the enclosure and wait for people to throw it back. He’d dance in a very gorilla-like way. But everyone got the biggest thrill when he would climb over the divider and hang over the lion’s pit. It was truly a death-defying spectacle.

One day, while Jason was hanging over the very hungry lion’s pit, the aging costume gave way and Jason fell hard onto the ground. The lion started circling menacingly, ready to pounce and tear the costumed man to bits.

“Help! Help!” Jason started shouting, scrambling madly to get up and out of the lion’s grasp.

“Quiet you, fool!” the lion whispered. “Are you trying to get us both fired?”

Sometimes, things aren’t what they appear. What we think is a friendly gorilla is a man in a costume. A dangerous lion is a friend. Appearances can be deceiving, so it’s important that we verify that what we’re seeing or hearing is correct.

Much like in this story, sometimes people don’t want you to know who they really are. The man with a clipboard that comes into your facility- are they really an inspector? The woman that shows up from IT saying she needs your computer for maintenance- did IT actually send anyone down?

Sometimes, it only takes a little bit of vigilance to see through someone’s disguise. And we should always be checking.

“Criminals don’t wear suits”

Once upon a time, in a land not-so-far-away, a small group of individuals walked to the doors of a multinational corporation, and walked out with millions of dollars worth of company secrets and assets.

Through days of patient research and study, they were well equipped to work their way through the company, obtaining small pieces of information and compiling it into unmitigated access. Could this happen to you?

First, they learned the names of key employees by calling Human Resources and social engineering the information from them. They would have preferred to find a company phone roster in the dumpster, but no one had thrown one away lately. Although the passwords and internal memos that they did find certainly helped cushion the blow.

This company had a very friendly climate, and prided itself on hiring friendly and courteous employees. The friendly employee at the entrance was more than happy to hold the door for one of the individuals when he jogged to catch the closing door. Why not? Criminals don’t wear suits and ties, right? They got inside the moat.

Another friendly employee was more than happy to help out the stressed out intern who lost his access badge on the first day, and just had to get the report to his boss before he gets fired! Why not? Were all on the same team, right?

No matter how strong a castles walls, it does no good once the enemy’s inside.

Inside the secure area, they found a gold mine of unshredded documents both in the trash and piled by the shredder. In a stroke of inspiration, a hastily scrawled note was placed on a busy shredder: Shredder out of order. Put materials in this box to be picked up by security. Also, traditional hacking techniques allowed unrestricted access to key computer systems, which is often superfluous if the password is written down and hidden. (No one would ever know that this is my password, even if they do look in the drawer!)

Lucky for them, the CEO had let them know (through his out of office auto reply) that he would be gone that day. His assistant was very helpful when the new janitor forgot his keys and had to stay on schedule!

Could it get worse than this? It very well could. There’s a good chance that your organization may never suffer a planned, organized intrusion such as this. But basic OPSEC, often at little or no cost to the organization, can help prevent such a disaster. Never forget how important you are!

Vacation

Pop Quiz time fellow OPSECers:

Q: Which of the following is the BEST example of an out-of-office statement for your work email?

A: I’m not in. Don’t know where I’m going. Don’t know how long I’ll be gone. Don’t know when I’m coming back – and neither do you. OPSEC Baby! I will be checking email daily.

B: I am currently out of the office for 14 glorious days. I finally got my vacation approved and I’m taking the little woman, Junior and baby girl to the Atlantis Resort (and casino!!). For any security issues don’t even think about contacting me! Instead, please contact Regional Security Manager Susie Smith at (555)-555-1234. BTW: she is also the SAP coordinator. Assuming I actually come back to work (ha-ha) all emails will be addressed on my return.

C: I am currently out of the office. If you need immediate assistance please contact Joe Smith at (555)-555-1234.

D: I am on travel until the first of next month. I’m attending a classified conference which means I won’t have my laptop during the conference (8am – 5pm each day). I can’t even check during lunch so I’ll be leaving my laptop in my hotel room but I promise to get back to you after 5pm. If you really need to contact me call the Springfield Marriott and ask for me (room 209), Steve Jones (room 426) or Joey Smith (room 427) and they’ll put you through. For those of you working on Project Nighttrain – I won’t have access to JWICS or SIPR until I get back so don’t bother sending anything to those accounts. Have a great day.

Assuming I don’t have to actually give you the correct answer I surely hope you get the point. What you put in your out-of-office statement – or your voicemail message – must be free of sensitive information. This also speaks to need-to-know. There are a multitude of reasons why this is important and a multitude of ways an adversary could exploit your information – suffice to say that you need to heed this advice. Keep your out-of-office email statements and your voicemail recordings short and to the point. Don’t include any information that doesn’t absolutely need to be there.

Keep the Faith!
Revelator

Vacation – The Go-Go’s