Social Engineering



  • A conversation I just had with our head of IT Security:

    Him: There’s a company trying to email us, and they’re not getting through

    Me: OK, let’s take a look. Who are they?

    Him: ObviousTypoOfOurCompanyName.com

    Me: Oh, yes. They sent a load of phishing mails to us earlier today. They’re blocked on the mail filters, the link they sent is blocked on the web filters, and….tappety tap tap….yes, their web host has just responded to let me know their hosting account has been blocked.

    Him: Oh. They were conducting security testing to see how vulnerable our users are to social engineering attacks.

    Me:……well, I guess we passed.

    I’m actually quite impressed with what he’s trying to do, but it would have been a lot more effective if he didn’t try and sneak it under my radar.



  • @justanotheradmin said:

    A conversation I just had with our head of IT Security:

    Him: There’s a company trying to email us, and they’re not getting through

    Me: OK, let’s take a look. Who are they?

    Him: ObviousTypoOfOurCompanyName.com

    Me: Oh, yes. They sent a load of phishing mails to us earlier today. They’re blocked on the mail filters, the link they sent is blocked on the web filters, and….tappety tap tap….yes, their web host has just responded to let me know their hosting account has been blocked.

    Him: Oh. They were conducting security testing to see how vulnerable our users are to social engineering attacks.

    Me:……well, I guess we passed.

    I’m actually quite impressed with what he’s trying to do, but it would have been a lot more effective if he didn’t try and sneak it under my radar.

    You stepped out of line here. He was trying to test your users using a reputable service someone emailed him about earlier today. They promised GUARANTED RESULT 100%, so it's not like there was any risk.


  • BINNED

    +1. Very meta.



  • @justanotheradmin said:

    but it would have been a lot more effective if he didn’t try and sneak it under my radar.

    I'm no head of security, but wouldn't that be the whole idea? I mean, you're reading TheDailyWTF and there are plenty of stories around here of sysadmins' incompetence. Yes, you were his Schrödinger's cat.



  • @ubersoldat said:

    @justanotheradmin said:
    but it would have been a lot more effective if he didn’t try and sneak it under my radar.

    I'm no head of security, but wouldn't that be the whole idea?

    That depends on what exactly he wanted to test. If he wanted to test the users' ability to identify and ignore social engineering attacks IF one gets through the spam filters and whatever else they have in place, then yes, the OP should have been told about it (assuming he wasn't being tested on it himself). If he wanted to test how effective the whole system is, including the OP's ability to prevent those attacks from ever getting to users, then you would be right: it would be the right move to keep the OP in the dark.



  • @lethalronin27 said:

    That depends on what exactly he wanted to test. If he wanted to test the users' ability to identify and ignore social engineering attacks IF one gets through the spam filters and whatever else they have in place, then yes, the OP should have been told about it (assuming he wasn't being tested on it himself). If he wanted to test how effective the whole system is, including the OP's ability to prevent those attacks from ever getting to users, then you would be right: it would be the right move to keep the OP in the dark.

    He claims to have been attempting to test the users' response. Granted, testing our detection and response could well have been part of it, but his surprise at the mail not being delivered would suggest otherwise. He actually asked if I could leave the mail block in place for them to keep trying to get through, but lift the web block, and also whether there was anything I could do with the web host to withdraw the complaint and have the bogus site reinstated, since part of the test is cold calls to users to try to get them to visit the site.



  • @ubersoldat said:

    Yes, you were his Schrödinger's cat

    Erm, what?



  • @pkmnfrk said:

    @ubersoldat said:

    Yes, you were his Schrödinger's cat

    Erm, what?

    justanotheradmin's network = sealed box

    "fake" phishing emails = random atoms entering the box

    users = potential damage (vial(s) of poison that may or may not be released by the random atoms)

    And justanotheradmin is the cat.

    Until the head of IT Security had this conversation (opened the box), justanotheradmin could be assumed to be both braindead and not-braindead.

