16 January 2018
Robert Siciliano

Identity Theft Expert

Robert Siciliano - IDTheftSecurity.com

741Posts 2,062,988Views 62Comments

Women Proved Securest in the Defcon Social Engineering Game

10 October 2010  |  3057 views  |  0

In a recent post (Hackers Play “Social Engineering Capture The Flag” At Defcon), I pointed to a game in which contestants used the telephone to convince company employees to voluntarily cough up information they probably shouldn’t have.

Of 135 “targets” of the social engineering “game,” 130 blurted out too much information. All five holdouts were women who gave up zero data to the social engineers.

Computerworld reports, “Contestants targeted 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft, Pepsi, Ford and Coca-Cola. Sitting in a plexiglass booth, with an audience watching, they called up company employees, trying to get them to give up information.”

Contestants had twenty minutes to call unsuspecting employees at the target companies and obtain specific bits of (non-sensitive) information about the business for additional points. Participants were not allowed to make the target company feel at risk by pretending to represent a law enforcement agency.

The players extracted data that could be used to compile an effective “attack,” including “information such as what operating system, antivirus software, and browser their victims used. They also tried to talk marks into visiting unauthorized Web pages.”

Social engineering is the most effective way to bypass any hardware or software systems in place. Organizations can spend millions on security, only to have it all bypassed with a simple phone call.

The players in this game were all men. Maybe the women didn’t give up any data because they were simply untrusting. It could be that the women were properly trained in how to deter social engineers and protect company data over the phone. Or maybe the women simply paid attention to their sixth sense, and felt they were being conned.

Any time the phone rings, a new email comes in, someone knocks on your door, or visits your office, question those who present themselves in positions of authority.

Don’t automatically trust or give the benefit of the doubt.

Within your home or business, communicate what can and can’t be said or done, or what information can or cannot be provided.

Keep in mind that when you lock a door, it’s locked, but it can be opened with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face to face, with a cynical eye for a potential agenda.

TagsSecurityRisk & regulation

Comments: (0)

Comment on this story (membership required)

Latest posts from Robert

Top 10 Tips for Securing Your Mobile Devices and Sensitive Client Data

11 January 2018  |  2433 views  |  0 comments | recomends Recommends 0 TagsSecurity

Your Social Security Card Gets Stolen: Now What?

04 January 2018  |  3217 views  |  0 comments | recomends Recommends 0 TagsSecurity

What Was Scary About Blackhat 2017?

02 August 2017  |  6396 views  |  0 comments | recomends Recommends 0 TagsSecurity

Black Hat 2017 was an Amazing Event

29 July 2017  |  6907 views  |  0 comments | recomends Recommends 0 TagsSecurity

Blackhat Hackers Love Office Printers

28 July 2017  |  5533 views  |  0 comments | recomends Recommends 0 TagsSecurity

Robert's profile

job title Security Analyst
location Boston
member since 2010
Summary profile See full profile »
Security analyst, published author, television news correspondent. Deliver presentations throughout the United States, Canada and internationally on identity theft protection and personal security....

Robert's expertise

Member since 2009
739 posts62 comments

Who's commenting on Robert's posts

Ketharaman Swaminathan