
Social Engineering

jfuller01 Member Posts: 8
Hey there everyone!

I'm planning an event for October as part of Cybersecurity Awareness Month. It involves social engineering the people I work around for a week and then revealing the results on Monday.

If anyone has any advice as to what information you would ask for, I'd love to hear some ideas... I have the following:

-SSN
-Name of Bank
-Married
-Area (General area where they live)
-Phone carrier
-Did they ask why
-Did they not ask why

I'm not actually collecting information; I'm just compiling tabular data. I hope you can help me narrow things down. I know it will have to be gleaned in the course of conversation, so keep it reasonable.

Thanks!

Comments

  • NetworkVeteran Member Posts: 2,338
    It involved social engineering the people I work around for a week and then reveal the results on Monday.

    This would seem to be more a test of how much your co-workers trust you, than how likely they would be to reveal information to a random stranger social engineering them. I would share all of these, minus my SSN, with people I've worked closely with. Although I don't think, by happenstance, I've shared my bank with any co-workers.
  • NetworkVeteran Member Posts: 2,338
    I'll add, for me to seriously worry when someone says, "I have your IP address!!" or whatever, they would need to show me that with such information they could actually do something significantly harmful to me, my family, or my employer. Many here probably remember those silly "I have your IP address.. so download my spyware!" pop-up ads some years ago.
    -Name of Bank
    Let's reverse engineer this. Suppose you called up your bank and wanted to do something important--like transfer or wire $10,000 to someone. What proof of your identity would they require you to provide?

    That's what you should be really worried about others gaining. ;)
  • About7Narwhal Member Posts: 761
    I would certainly check with HR or Management before doing this.

    I would ask favorite color, first pet name, first car, where they got married, where they graduated high school.
  • paul78 Member Posts: 3,016
    A great resource on SE is here: Social Engineering - Security Through Education. It was a lot of fun to listen to at Defcon.
  • jfuller01 Member Posts: 8
    Thanks for the replies! I work in an S-6 (Commo) shop, so we already have access to all this information. That being said, it's more of an insider threat situation. Most people who are targets of a foreign entity own expensive cars they can't afford, are married and live outside their means, and are working odd hours.

    As far as HR goes, it's going to be up to my section chain of command. We might have to let our BC know, but beyond that we want only 2-3 people to know about it so it will be effective.

    Thank you all! Let me know if this new comment might inspire some more ideas!
  • Routerronin Banned Posts: 76
    Joseph Stalin once said: poets are the engineers of the soul. He didn't foresee hackers.
  • paul78 Member Posts: 3,016
    Oh - not sure how I forgot about one of my favorite presentations on the subject. If you haven't seen Jayson Street's presentation "Steal Everything, Kill Everyone, Cause Total Financial Ruin!", check it out - lots of social engineering concepts are discussed - DEFCON 19: Steal Everything, Kill Everyone, Cause Total Financial Ruin! (w speaker) - YouTube
  • the_Grinch Member Posts: 4,165
    Mother's Maiden Name sticks out as something very important to get. If you haven't seen the movie "Now You See Me" they have a really great part with social engineering being involved.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • paul78 Member Posts: 3,016
    @OP - I know that you want to focus on collecting information, but I respectfully disagree that data collection should be the flag. You mentioned that you believe that the threat is from employees with credit risk. Trying to determine if those same employees are vulnerable to identity fraud will not reduce any risk of insider threats due to employee fraud. It would make more sense to have credit screening on employees and not place those employees in positions where financial fraud can be committed. If your goal is to see if you are susceptible to social engineering attacks, those attacks are a lot more subtle. I would go after 2 things: (a) physical access (i.e. can you piggy-back into a space) and (b) introducing a persistent threat. For (b), it would make more sense to collect some information about IT infrastructure and use that information to induce an employee to click on a web link. There are lots of social-engineering techniques that you can use for (b). I would also add that collecting information that can be considered private information is illegal in many states in the US and in the EU without explicit consent from the employee. I would never allow that type of a test in our organization, and HR would not be able to over-ride my authorization. It's a risk and privacy issue - not HR. Check with a privacy attorney.
  • Everyone Member Posts: 1,661
    Agree with paul78. Social Engineering exercises should generally focus on IT. "Can I get you to give up credentials?" is safe to do. "Can I get you to give up PII?" is not safe. I'll hopefully be presenting on this exact topic at the 2014 RSA Conference.