Women did well on Defcon social engineering test

Contest results will be published next week, organizers say

Of the 135 people Fortune 500 employees targeted by social engineering hackers in a recent contest only five of them refused to give up any corporate information whatsoever. And guess what? All five were women.

That's one of the interesting data points that contest organizers gathered, following their widely publicized event, held at the Defcon hacking conference last month. Organizers are in Washington this week, briefing the U.S. Federal Bureau of Investigation on what they learned, but they expect to release a report with more details sometime next week.

Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.

The contestants were extremely successful, said Chris Hadnagy, one of the event's organizers. Just one company didn't divulge the secrets participants were told to dig up, and that happened only because nobody could get a live body on the phone. "If we had been hired by each one of these companies to do a security audit on the social engineering side, almost every one of the companies would have failed," Hadnagy said.

Contestants weren't allowed to ask for truly sensitive information such as passwords or social security numbers, but they tried to find out information that could be misused by attackers, such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.

One interesting discovery: half of the companies contacted are still using Internet Explorer 6, a browser known to have serious security holes. Another discovery: if contestants tried to get employees to visit an outside Web site, set up for purposes of the contest, they always succeeded, eventually.

The results show that even the most secure companies can be undermined by employees who do or say thing they shouldn't.

And the threats are real, according to Christopher Burgess, a senior security advisor at Cisco, one of the companies targeted by contestants. "In real life, pretext calls happen in many, many companies," he said. "It's a well refined art in information collection."

People have called Cisco, claiming that their systems are down and that they're on urgent deadlines, trying to get employees to give out information that they shouldn't, Burgess said. "We train our personnel to recognize that social engineering is a means by which people manipulate others to perform actions or divulge sensitive information."

Cisco has made a lot of its security training procedures publicly available, so that other companies can learn from its experiences over the years.

Although Cisco was one of the companies targeted in the social engineering contest, Hadnagy isn't giving out information about any specific companies.

Still, after going over the contest results with Hadnagy, Burgess said that the contest showed that the training process never really stops. "You can't train once and go away," he said. "You have to keep this training fresh."

Many of the contestants got their information by pretending to be insiders who were doing audits or consultants filling out surveys.

According to Burgess, employees should know to put a stop to this type of pretexting. "If I took away one thing from the discussion, it's that the best defense is to train all of your personnel to validate who they are talking to if they don't recognize the voice, before sharing any information about your company."

Burgess didn't want to talk about why all of the people who shut down contestants were women.

According to Hadnagy, though, different attacks work against different people. And maybe the types of social engineering techniques used by the Defcon contestants just weren't ideal.

Still the five women performed admirably, he said. "Within the first 15 seconds, they were like, 'This doesn't seem right to me,' and they ended the call," Hadnagy said. Unfortunately, their co-workers didn't do so well.

"Obviously there was some kind of security awareness with their training," he said. Another factor may have been the fact that all of the contestants were men. "I think inherently women are more cautious when guys are involved," he said.

Less than half of the 135 people called during the course of the contest were women, Hadnagy said.

Three of the five women who shut down contestants were managers, and female managers are often the least likely to fall for social engineering attacks, according to Jonathan Ham, a principal with the Lake Missoula Group, a security consultancy that does social engineering tests for financial services firms. "They're going to be the least trusting, the most suspicious," he said. "At the upper level of experience and training, I will avoid the women and call the men if I can," he said.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the CSO newsletter!

Error: Please check your email address.

Tags Cisco SystemsDefcon 2010Defconsecuritysocial engineeringwomen in it

More about CiscoCiscoFederal Bureau of InvestigationGoogleIDGMicrosoftSymantecWal-Mart

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place