
The Blag Market

Posted 24 October 2018

Could your organisation stop an experienced operative from gaining access to its premises and extracting vital information? As Steve Knight reports, governments and businesses across the Middle East have the chance to find out.

A top security company has been offering a ‘penetration testing’ (blagging) service to UK customers for some time. However, not too many people know that the Middle East has access to a similar service.
The company – Dorset-based C3IA Solutions – works in the defence and security sectors, for government departments and within industry, serving both SMEs and multi-national firms.
Once commissioned, C3IA operatives try to talk their way inside an organisation to gain access to sensitive material.
“Company executives are often staggered by the sort of information we can extract – usually by the simplest means,” said C3IA founder Matt Horan.
C3IA also offers a similar ‘blagging’ operation in the Middle East.
“Because cyber-security – particularly corporate – is improving, criminals are now switching tactics to physically enter businesses in an attempt to acquire information that they can use for nefarious purposes,” explained Horan.
“This has led to a growing need for specialists, who are skilled at breaching security, to highlight where companies should improve their systems and procedures.”
C3IA has a number of such operatives, who carry out this type of ‘penetration testing’ using both simple and more elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and often make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that, in 2016, 60% of leaders were, or might have been, victims of a social engineering attack, whether by physical or digital interaction.
It showed that 65% of those who were attacked said employees’ credentials were compromised, and financial accounts were breached in 17% of cases.
One of the C3IA Solutions operatives, who has to remain anonymous for obvious reasons, explained: “The weakest part of any organisation is its people. They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’. I usually find out simple things like what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee, or from their IT support, and, because I have a bit of knowledge and information, I’m often just waved through.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be completed alongside checking the computer systems by penetration testing and means we can provide a detailed security report with recommendations.”
Horan added: “Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part. Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
C3IA tactics will change depending on the part of the world in which the company is operating. Whereas, for example, it may be relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment, somewhere like the Middle East might be more tricky.
“Social engineering activities in the GCC countries will rarely be straightforward,” said Horan. “Assessing the risks of working there comes with important considerations.
“Firstly, it is a vast area with several distinct cultures, several different languages, and the harsh environment and the religion of Islam as its unifying themes. It is important to understand the fundamental differences (and conflict) between the Shia and Sunni Islamic blocs, and which countries align with each other, if you are to have any comprehension of how, for example, a Saudi might interact with an Iranian. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, plan, and exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.
“Of course, for our operation, there is also the increased physical danger from the commonality of harsh and punitive laws, terrorist organisations, routinely armed police and security guard forces, which we may not ordinarily face in the UK or Europe.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and of course duty of care.”
Sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff, according to Horan.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed,” he concluded.
