Do you know my birthdate? Or my mother’s maiden name? Would I trust you enough to tell you this information? Does it matter if you know, and does it pose a security risk?
Most of us accidentally reveal specific information about ourselves in any social interaction – it’s natural to talk about your family, where you are from, and to explore shared interests with people you have met. Information sharing is a normal part of human interaction, but it is a part of us that can be manipulated and used to gain access to resources or locations by bad actors. This process is known as social engineering – tricking a target into revealing specific information or performing a specific action.
We would expect that people working in the security field are probably not susceptible to a standard phishing attack, and may be more vigilant in the workplace about tailgating or fake IT calls, but how does a room full of security professionals behave when we invite them to socially engineer each other? The results are in.
At the recent GÉANT Security Days conference we invited participants to take part in a social engineering exercise during the event social and into the morning of the next conference day. Participation was entirely voluntary, and a series of rules were set to make the game as safe as possible:
- DON’T hack/log into someone’s accounts;
- DON’T access someone’s phone;
- DON’T walk into someone’s room;
- DON’T look through someone’s bag;
- DON’T use information that you already know;
- DON’T give away answers or collaborate.
Participants were allowed to use a variety of techniques to find out information about the other players to win points against a bingo card. The choice of timing of the event was purposeful; the lowered barriers of a social event make people immediately less guarded and more likely to reveal information.
Overall, a lot of information was gathered by our participants, and whilst the data points may seem innocuous on their own, combined with other information they could be problematic. How many of you have a family member’s name, a birthdate or a pet’s name as a password for an account somewhere?
Some of the most interesting events that happened during our experiment were:
- A number of people managed to get the hotel room number of other players. A lot of this information was voluntarily given, but in one case the hotel reception actively gave this information out for no reason.
- One participant went bin-surfing and was able to get several name badges that had been thrown away. If this had been a secure event that depended on name badges for access, this would be a serious flaw.
- Participants were able to get the personal phone numbers and personal email addresses of several people by surfing social media. Are you as careful with the accounts associated with your personal email where you might not have a password manager?
- A lot of information was gained by shoulder surfing as people sat at the social and texted or phoned family and friends. Our phone screens can accidentally reveal a lot of information to anyone sitting close by.
Another interesting point was talking to attendees about how the game made them feel. Some commented on the uncomfortable feeling of being observed, but this was simply because we made them hyperaware of a process that can be used every day. Others did not enjoy playing the part of the hacker, feeling that it brought out the worst in them.
The point of this exercise was not to make everyone paranoid, or to destroy social interactions at the event. It was, however, a good way of reminding people how easy it is to find out information and then correlate it with other information. The main defense against social engineering approaches is awareness raising, and as many of the talks at Security Days highlighted – gamifying our approach to learning, training and awareness is one of the best ways of ensuring the message is heard.
If you would like to reuse this exercise at an event, we are happy to share our bingo cards below and the introductory slides can be found on the event website. For more information about the game please contact nicole.harris@geant.org.
Are you curious to find out what happened at Security Days? Here’s the full write up. Happy reading!