Testing, audit and review [CISMP]
Social engineering

In this module you’ll be continuing with the information life cycle, following the process on to test strategies and approaches, through reporting and verification, and concluding with auditing and digital forensics.


Mark: So, welcome back to this session on social engineering. I'm joined with-, by Dave Doody again, our expert. Dave, let's just jump straight into it. What is social engineering? 

Dave: Well, social engineering, Mark, is where an individual, or individual people, you know, a group of people, can be targeted to try and extract from them information that really shouldn't be given away. Things like passwords, or even access into a building, you know. So, that's generally what we're trying to do. And an individual, or a group of-, or bad guys, will be trying to be able to use this, you know, for their own benefits. These-, the types of different-, of social engineering that we'll encounter, or you can encounter, we've all heard of, you know, emails being targeted. You know, the phishing. We've also got variations of phishing emails, okay? So, we've got vishing, where it's voice. Voice phishing. And we've got smishing, SMS types of attacks. So, using an SMS approach to phishing. Then we've got whale phishing, and spear phishing, where we're starting to target the bigger people within an organisation. People like the CEO and the Chief Financial Officer. We also have what's known as tailgating, where somebody opens a door, walks through the door, and an individual will follow them through, and, you know, they're not even being controlled. So, that's known as tailgating. And another term that you may hear is piggybacking as well. And shoulder surfing as well.

Mark: So, yeah, I understand from a personal perspective, you were subject to a social engineering attack? 

Dave: I was, yeah. A while back. And this is where social engineers are really really good, because they understand the working environment, and the structure, and when people are going to be stressed. And I was targeted on a Friday. Friday evening, when I'm trying to finish work, trying to close down my emails and my desktop. I was on a conference call at the same time, so I was trying to do multiple things all at once. And, as a bloke, we can't do that. And I got a phone call, and saying, 'Dave, we're from O2, and we would like to offer you this case'. You know, an offer. And I explained, 'I'm sorry, I'm on a conference call and I'm trying to close down.' They understood, through my tone, that I was stressed, and I was working, you know, trying to deal with many things, and so they pushed it forward, and I went, 'Okay, look, right. Get this over and-, Yes, I'm interested, but I'll call back'. And they went, 'No, we need it now, can you please give me the-, your security name, or-', And so, I gave it, in the stress, and it's immediately after I gave that, I realised what had happened. And when I came off the conference, I went onto my O2 account, I could not get onto my account because they had used that to actually get on there, and now start ordering phones. So, it was an immediate phone call to O2 to clarify what had happened, and they cancelled it all. 

Mark: And cancelled it. I also understand that one of your colleagues got hit with a social engineering attack.

Dave: Yeah, we've had several. But I'm going to go slightly off target here, because I have a friend who's a social engineer. His job is to social engineer. And what I used to do for a lot of new starters in BT is, we would all meet up in a hotel bar, as part of the induction week, and what we would do is we would be drinking, my colleague would walk in unannounced, and they didn't know who he was. He would buy a beer at the bar, and then he would just start walking round the room, talking to people, pretending he was from some other organisation, and he would be gathering information from them just through talking, and he would understand their body language and so on. And then, on the next morning, he would actually introduce himself in the auditorium and explain to people what they-, information they'd given him, and how that could-, yeah. 

Mark: Wow, that's quite a shock. I understand they've gone even higher now with some of these social engineering attacks, and they're involved in something called deepfake.

Dave: Yeah, deepfake, it's, you know, it's now using the technology. So, effectively, me and you talking now, if that's being recorded, we can make a conversation, and they can make up sentences from what I'm saying. So, it may not be actually me. A good example of this was a, you know, a short while ago, an English-, you know, a company in the UK, the CEO was actually fooled by deepfake. He heard a-, he received a telephone conversation, which he thought was coming from his immediate boss, and his immediate boss was saying he needed to transfer, I think it was something like $200,000 to a supplier. Now, that supplier just happened to be a false-, a false account. But, because the CEO had been taken in by this recording, he actually transferred the money across, and so the hackers had managed to actually take an extortionate amount of money. 

Mark: Oh, wow. So, how can we defend against these type of things? Because obviously, people are-, could be quite concerned about this. 

Dave: Well, the starting point is making sure you've got policies, processes, and procedures in place. Making sure that the organisation and the employees are aware. So, having good, sound awareness programmes, and introducing people to potential harm. Even though they may walk out of a building with an ID card on and they think it's-, there's no harm, well actually, all it takes is a photograph of somebody walking out with an ID card, and then they can-, they can mimic that ID card, and gain access to an organisation. 

Mark: So, training awareness is probably-, 

Dave: Training awareness. 

Mark: Training awareness and practising these type of things? 

Dave: Yes. 

Mark: Well, thank you so much for, for joining us in, in this session. We've learned a lot about different social engineering techniques, the different attacks, your personal experience is, is obviously valuable, as your colleagues are, and then obviously learning some very practical tips about defending against this. So, I appreciate that, thank you so much for that. Thank you, Dave. 

Dave: Very happy, thanks very much, Mark. 

Mark: Thank you. 
