Written by: 11/10/2011 9:37 AM
I guess we don’t talk a whole lot about proximity social engineering attacks because we just don’t really believe that someone could pull it off. Maybe it’s our naïveté about the security of our building. Maybe it’s our own lack of confidence that makes us doubt that anyone could be so brash. Or maybe we just don’t think about it because it feels sort of stalker-y and uncomfortable.
The Lifehacker article linked at the end of this post reads like a recipe book for a budding social engineer who wants to learn how to carry out a proximity attack. That also means it can teach the rest of us how to take off the blinders and be a little more careful.
So, rule of thumb #1 for a social engineer: Project Confidence.
So, the moral of the story for us? Don’t be intimidated by a stranger’s confidence or ease if you discover them in a secure area. Easier said than done, I know. So here’s your out: if you’re concerned but can’t confront the person face-to-face, at least report the incident. It’s the passive-aggressive way to prevent a social engineering attack.
Rule #2: Take advantage of human nature.
Ah, here is one we can all work on together. Now I’m not saying that we should scrap all social convention and henceforth never again hold the door open for a stranger. But seriously, if your building requires a card, a key, or a code, be sure the door shuts behind you when you enter. And plan your apologetic “I’m sorry, I can’t hold the door for you” response ahead of time, so you are not caught off guard by a sad-eyed stranger who just wants to follow you in.
Rules #3 and #5 (yes, I’m skipping around): Dress the Part and Remember to Smile
In this case, we again have to suspend our typical behavior and just stop and think. If someone looks weird (too dressed up, too dressed down, too friendly, too confused) AND they are in a secure area or just somewhere they shouldn’t be, report it. Or, at the very least, offer to escort the person to a secure area where they can show credentials and be directed appropriately.
And Rule #4: Be Ready For Questioning
If social engineers are getting ready to be questioned, we should be preparing our questions. Don’t be afraid to ask—after all, if the person in question is legit, you’ll probably just come across as helpful. But if they are not legit and they either answer by rote or seem a little too confused by common company information, send up the red flags.
Read more here: http://lifehacker.com/5854086/how-to-convince-someone-you-work-in-their-building