Wonder how your company would hold up against a team of hackers? At this year’s DEF CON Hacking Conference, held last month, there were some interesting surprises.
Give them 25 Minutes, Your Employees will Offer Valuable Company Information
The conference, which brings together accomplished social engineering hackers, hosts a contest in which contestants target 17 major corporations over the course of the two-day event, including Google, Wal-Mart, Symantec, Cisco Systems, Microsoft and Coca-Cola. Contestants sit in plexiglass booths in front of an audience and phone company employees, trying to talk them into giving up information within a 25-minute limit.
Contestants are not allowed to ask for obviously sensitive data like passwords or social security numbers, but they do go after information an attacker could put to use: which operating system, antivirus software and browser their targets run, for example, and whether the employee will visit a web page the caller names. Details like these tell an attacker which exploits are likely to work and which defenses to expect, and a target who follows a link on request is already most of the way to running whatever that page serves.
Take Our Security, Please
How did this year's hackers do? Quite well, actually. Only one of the targeted companies failed to divulge the information contestants were told to dig up, and only because nobody from that company could be reached. Yet despite such a miserable enterprise showing, there was one bright spot: of the 135 Fortune 500 employees targeted, only five refused to give up any corporate information. All five were women, three of them managers.
While no one is claiming that women are less likely to divulge sensitive information, it makes for an interesting anecdote. It also makes us wonder why there were only five women on the target lists; we thought the Fortune 500 had better representation than that!
The contest also revealed other interesting morsels that should have the enterprise cowering in embarrassment:
- 50 percent of the companies contacted still use Internet Explorer 6, an obsolete browser with well-documented, unpatched security holes.
- Contestants were almost always able to get employees to visit outside websites that had been set up for the purposes of the contest.
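Both of those findings are things a defender can check from the inside, without waiting for a phone call. As an added example (not code from the original article or from the contest organizers), here is a small Python audit over constructed proxy log lines: it reports which client addresses still identify themselves as IE6, which clients reached hosts outside an assumed approved-domain list, and which clients fall into both groups. The log format, the domain list, the host names and the IP addresses are all made up for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log lines for this example (not real traffic).
# Assumed format: <client_ip> <timestamp> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
10.1.2.3 2010-08-02T09:14:05 GET http://intranet.example.com/hr/benefits 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.2.9 2010-08-02T09:15:11 GET http://www.example-survey-site.net/q?id=17 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.1.7.4 2010-08-02T09:16:40 GET http://intranet.example.com/wiki/Main 200 "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100401 Firefox/3.6.3"
10.1.7.4 2010-08-02T09:17:02 GET http://www.example.com/products 200 "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100401 Firefox/3.6.3"
10.1.5.5 2010-08-02T09:20:13 GET http://update.microsoft.com/ 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.1.2.9 2010-08-02T09:21:50 GET http://www.example-survey-site.net/thanks 200 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
"""

# Hypothetical list of domains the company treats as internal or approved.
APPROVED_DOMAINS = ("example.com", "microsoft.com")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# IE6 reports itself as "MSIE 6.x"; later versions report 7.x, 8.x and so on.
IE6_RE = re.compile(r"\bMSIE 6\.\d")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_ie6(user_agent):
    """True when the self-reported user agent string claims to be Internet Explorer 6."""
    return IE6_RE.search(user_agent) is not None


def is_approved(host, approved_domains):
    """Suffix match on a dot boundary, so 'example.com.evil.net' is not approved."""
    return any(host == d or host.endswith("." + d) for d in approved_domains)


def audit(log_text, approved_domains):
    """Summarise IE6 use and visits to non-approved hosts across all clients in the log."""
    clients = set()
    ie6_clients = set()
    external = Counter()  # (client_ip, host) -> number of requests
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip malformed lines instead of aborting the whole audit
        clients.add(rec["ip"])
        if is_ie6(rec["ua"]):
            ie6_clients.add(rec["ip"])
        host = urlsplit(rec["url"]).hostname or ""
        if not is_approved(host, approved_domains):
            external[(rec["ip"], host)] += 1
    external_ips = {ip for ip, _ in external}
    return {
        "ie6_clients": sorted(ie6_clients),
        "ie6_share": len(ie6_clients) / len(clients) if clients else 0.0,
        "external_visits": dict(external),
        "ie6_and_external": sorted(ie6_clients & external_ips),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_LOG, APPROVED_DOMAINS)
    print(f"Clients still on IE6: {result['ie6_clients']} "
          f"({result['ie6_share']:.0%} of clients seen)")
    for (ip, host), n in sorted(result["external_visits"].items()):
        print(f"{ip} reached non-approved host {host} {n} time(s)")
    print("IE6 clients that also browsed outside the approved list:",
          result["ie6_and_external"])
```

Two caveats apply to reading the output. The user agent string is self-reported, so an IE6 match is a lead for the desktop inventory rather than proof, and an IE6 client that is also browsing to unfamiliar hosts is the combination most worth chasing first. An approved-domain list as short as the one assumed here will flag plenty of legitimate traffic in practice; the point of the check is to surface which clients are reachable by a link delivered over the phone, not to block them.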
What can we learn from these contest results? A lot.
Employee training is the most obvious lesson: even companies with strong technical controls need to understand that sensitive information is at risk if employees are not prepared to recognize a pretext call and decline it.
The contestants were most successful when they pretended to be conducting over-the-phone surveys. Time and again, they were able to smooth-talk overworked IT managers into spilling the beans, or get new employees to open up. A survey pretext works because it gives the target a plausible reason to answer questions about their software without ever being asked for anything that sounds secret.