Go With the Flow: Strategies For Successful Social Engineering

Chris Silvers

Tue, 4th December 2012


Speaker Bio 1:
Chris is responsible for leading or conducting social engineering, internal and external penetration testing; Windows host, network architecture, firewall and router/switch reviews as well as enterprise security architecture and design projects. He serves as the service line lead for the social engineering practice, maintaining and developing the methodology as well as continuously enhancing techniques to reflect the threat environment.

Chris also provides client education services as an instructor of the Ultimate Hacking Foundstone courses. Most recently, Chris taught the Ultimate Hacking Foundstone course at the 2008 and 2011 Blackhat security conferences. He was also awarded second and fourth place in the Defcon 19 and Defcon 20 Social Engineering Capture The Flag (CTF) competitions, respectively, exhibiting his ability to "schmooze" a call center employee into revealing sensitive corporate information.

Questions and answers

Max, Concise Courses:
Can you share any type of benchmark conversion rates? Obviously one of the key goals is getting a password, have you worked out a minimum conversion rate that you are looking for?

Chris Silvers:
Not really. In fact we go back and forth with this as far as trying to keep some statistics because everybody in security wants some measurement and to be able to show improvement year after year, but the problem is that the threat is changing so much and the techniques in social engineering change so much that it's very difficult to compare one engagement to another even with the same company and even the same caller and all that type of stuff. So, we keep statistics based on how many people we consider “passed or failed” the test, but at the same time if you are using a different pretext, especially a year later, it’s really difficult to compare one year after the next.


Max, Concise Courses:
If there is one thing an organization can do to protect themselves better what would it be, i.e. is there a major hole that can be instantly patched?

Chris Silvers:
There’s really not. As you see on the Internet, there’s no patch for stupidity! Just imagine me holding my wedding ring to the camera and saying that “we are all vulnerable to social engineering”! That’s just part of the human condition. I do think that there is a certain amount of training that can happen. There is not much training out there right now. This is by no means a sales thing, but Foundstone are actually working on a Social Engineering Class. It’s really tuned towards companies’ internal security people and how they can do their own self-testing. They therefore don’t have to necessarily spend all this money to have companies come in and do it.

Most companies that hire us can only afford to hire us once a year, so what happens between those annual assessments? People forget – right? You look at normal training and the retention rates after a week: maybe 30% of what you have taught people is sticking with them, so it’s the kind of thing that has to be part of a program and repeated and reinforced.