Professionals hack people...
The title of this post is part of one of Bruce Schneier’s quotes:
Amateurs hack systems, professionals hack people.
Sometimes it is easier and more effective to use social engineering (in any form: a phone call, a specially crafted email, etc.) to get that first step in. People are usually willing to help, and unless they are trained they are easily manipulated. You can call and convince them to browse to a website you coded and open a PDF. This PDF would be a weaponized PDF and would help get a backdoor or other malicious code onto the person’s computer. Once you have this backdoor, you can just find your way around until you find your target.
A lot of companies and organizations spend a lot of money securing their networks and systems. They might even spend money on their physical security as well. However, sometimes they forget to spend time and money on the one thing that is usually the weakest link: people. You might have the most paranoid firewalls, the best laid-out IPS, honeypots, network segmentation with access controls, and a DMZ that resembles the security of a top nuclear facility. You might have cameras everywhere and high-tech perimeter security that includes lasers, IR cameras, movement sensors, etc. Still, if the assistant of the CEO is easily manipulated into opening an email, Word document, picture, etc., all that security counts for nothing.
That’s why one of the first things I recommend when I provide solutions after a red team assessment is employee and personnel training. It doesn’t have to be expensive or long. I just need one hour to explain the tactics that adversaries might use, provide hands-on examples so they can see them in practice, and show what to do when someone is trying to manipulate you.
Be smart, learn how to defend against social engineering.