Professional ethical social engineering testers can sometimes cross ethical and legal boundaries, which can have significant consequences, warned Sharon Conheady, director at First Defence Information Security Limited, at IRISSCON 2022.
During her career in ethical social engineering testing, Conheady has accumulated a number of notable stories: in one engagement she persuaded an unsuspecting security guard to help her carry a “stolen” server out of the building, and in another she posed as catering staff to exit a football stadium undetected.
Despite this testing often being clever and entertaining, Conheady warned against glamorizing this type of work, and noted there is a “fascination” with famous fraudsters of the past, such as Victor Lustig, who ‘sold’ the Eiffel Tower.
“Attackers do not abide by ethical and legal codes of conduct, but we as security professionals do need to think about it,” said Conheady.
She emphasized “there are tonnes of laws you might break” that ethical testers must be conscious of during their work.
These include:
- Forgery and trademark infringement – for example by creating a fake website or impersonating an individual or organization in emails and documents
- Data protection and privacy – such as recording private conversations
- Breaking and entering – e.g. picking locks to enter buildings
- Bribery and corruption
- Theft of physical assets, information and identities
- Impersonation or pretexting – especially of police officers
Knowledge of local laws is paramount before undertaking any job, with Conheady noting that what’s legally acceptable in one region may not be in another.
Additionally, social engineering testers must ensure they stay within the scope of their assignment. “It’s so easy to get carried away when you do them because they’re really fun and you want to get further,” she stated, adding that social engineers tend to “egg each other on a lot.”
For example, tactics like “USB drops” (leaving USB devices where staff will find and plug them in) can be dangerous because the tester does not control where the devices end up: they may be plugged in by the friends and family of an employee, who are outside the scope of the test.
These professionals must also ensure that what they are doing is safe, both for themselves and for the client. In one case, two security professionals were arrested and jailed in 2019 for breaking into a courthouse in Iowa, US, despite having been contracted to do so by the state’s judicial arm.
Although the charges were later dropped, Conheady said “it has made a lot of social engineers in the industry think twice about what we’re going to do as part of a test.”
The Iowa case shows that social engineers must ensure their contracts for this type of work are “100% iron-clad.”
Contracts should include:
- A description of the test and the types of activities involved
- The time window of when you’re allowed to test
- Any restrictions and limitations e.g. are there areas/teams out of scope
They should also ensure the contract is checked by relevant departments in both the testers’ and the clients’ organizations, particularly legal and HR teams.
Social engineers should also carry a ‘get out of jail free card’ in case they are caught or confronted. This card should have their name and those of the other testers involved, clearly explain what they are doing there, and give the names of at least two contacts within their own and the target organizations who have authorized the tests.
Even where activities are legal, they are not necessarily ethical, cautioned Conheady. She highlighted several phishing email tests conducted by major organizations during the COVID-19 pandemic that were highly questionable.
For example, a phishing test email by UK train operator West Midlands Trains purported to offer a financial bonus to staff to thank them for their efforts during the pandemic, causing a lot of upset among staff when they realised it was fake.
“If you are going to send this kind of test out to your organization, be prepared for the negative publicity that is going to follow,” warned Conheady. She added that these tactics can be counterproductive if they lead to disengagement with the company and an employee backlash.
To avoid such ethical problems occurring, Conheady advised security professionals preparing a social engineering test to check with legal and HR departments first. They should also “imagine how the people involved would feel when they find out they have been socially engineered.”
Finally, Conheady emphasized that social engineering testers should understand what they’re getting into and be aware of the possible downsides.
“If you’re going to act like the bad guy, be prepared to be treated like a bad guy,” she stated.