
The Blag Market

Posted 24 October 2018

Could your organisation stop an experienced operative from gaining access to its premises and extracting vital information? As Steve Knight reports, governments and businesses across the Middle East have the chance to find out.

A top security company has been offering a ‘penetration testing’ (blagging) service to UK customers for some time. However, not too many people know that the Middle East has access to a similar service.
The company – Dorset-based C3IA Solutions – works in the defence and security sectors, for government departments and within industry, serving both SMEs and multi-national firms.
Once commissioned, C3IA operatives try to talk their way inside an organisation to gain access to sensitive material.
“Company executives are often staggered by the sort of information we can extract – usually by the simplest means,” said C3IA founder Matt Horan.
C3IA also offers a similar ‘blagging’ operation in the Middle East.
“Because cyber-security – particularly corporate – is improving, criminals are now switching tactics to physically enter businesses in an attempt to acquire information that they can use for nefarious purposes,” explained Horan.
“This has led to a growing need for specialists, who are skilled at breaching security, to highlight where companies should improve their systems and procedures.”
C3IA has a number of such operatives, who carry out this type of ‘penetration testing’ using both simple and more elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and often make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that, in 2016, 60% of leaders were, or might have been, the victim of a social engineering attack, whether by physical or digital interaction.
It showed that 65% of those who were attacked said employees’ credentials were compromised, and financial accounts were breached in 17% of cases.
One of the C3IA Solutions operatives, who has to remain anonymous for obvious reasons, explained: “The weakest part of any organisation is its people. They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’. I usually find out simple things like what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee, or from their IT support, and, because I have a bit of knowledge and information, I’m often just waved through.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be completed alongside checking the computer systems by penetration testing and means we can provide a detailed security report with recommendations.”
Horan added: “Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part. Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
C3IA’s tactics will change depending on the part of the world in which the company is operating. Whereas, for example, it may be relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment, somewhere like the Middle East might be trickier.
“Social engineering activities in the GCC countries will rarely be straightforward,” said Horan. “Assessing the risks of working there comes with important considerations.
“Firstly, it is a vast area with several distinct cultures, several different languages, and the harsh environment and the religion of Islam as its unifying themes. It is important to understand the fundamental differences (and conflict) between the Shia and Sunni Islamic blocs, and which countries align with each other, if you are to have any comprehension of how, for example, a Saudi might interact with an Iranian. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, plan, and exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.
“Of course, for our operation, there is also the increased physical danger from the commonality of harsh and punitive laws, terrorist organisations, routinely armed police and security guard forces, which we may not ordinarily face in the UK or Europe.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and of course duty of care.”
Sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff, according to Horan.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed,” he concluded.
