Subscribe Free
in Features

The Blag Market

Posted 24 October 2018 · Add Comment

Could your organisation stop an experienced operative from gaining access to its premises and extracting vital information? As Steve Knight reports, governments and businesses across the Middle East have the chance to find out.

 A top security company has been offering a ‘penetration testing’ (blagging) service to UK customers for some time. However, not too many people know that the Middle East has access to a similar service.
The company – Dorset-based C3IA Solutions – works in the defence and security sectors, for government departments and within industry, serving both SMEs and multi-national firms.
Once commissioned, C3IA operatives try to talk their way inside an organisation to gain access to sensitive material.
“Company executives are often staggered by the sort of information we can extract – usually by the simplest means,” said C3IA founder Matt Horan.
C3IA also offers a similar ‘blagging’ operation in the Middle East.
“Because cyber-security – particularly corporate – is improving, criminals are now switching tactics to physically enter businesses in an attempt to acquire information that they can use for nefarious purposes,” explained Horan.
“This has led to a growing need for specialists, who are skilled at breaching security, to highlight where companies should improve their systems and procedures.”
C3IA has a number of such operatives, who carry out this type of ‘penetration testing’ using both simple and more elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and often make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that, in 2016, 60% of leaders were, or might have been, a victim of a social engineering attack; by physical or digital interaction.
It showed that 65% of those who were attacked said employees’ credentials were compromised, and financial accounts were breached in 17% of cases.
One of the C3IA Solutions operatives, who has to remain anonymous for obvious reasons, explained: “The weakest part of any organisation is its people. They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’. I usually find out simple things like what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee, or from their IT support, and, because I have a bit of knowledge and information, I’m often just waved through.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be completed alongside checking the computer systems by penetration testing and means we can provide a detailed security report with recommendations.”
Horan added: “Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part. Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
C3IA tactics will change depending on the part of the world in which the company is operating. Whereas, for example, it may be relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment, somewhere like the Middle East might be more tricky.
“Social engineering activities in the GCC countries will rarely be straightforward,” said Horan. “Assessing the risks of working there comes with important considerations.
“Firstly, it is a vast area with several distinct cultures, several different languages, and the harsh environment and the religion of Islam as its unifying themes. It is important to understand the fundamental differences (and conflict) between the Shia and Sunni Islamic blocs, and which countries align with each other, if you are to have any comprehension of how, for example, a Saudi might interact with an Iranian. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, plan, and exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.
“Of course, for our operation, there is also the increased physical danger from the commonality of harsh and punitive laws, terrorist organisations, routinely armed police and security guard forces, which we may not ordinarily face in the UK or Europe.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and of course duty of care.”
Sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff, according to Horan.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed,” he concluded.

* required field

Post a comment

Other Stories
Advertisement
Latest News

Falcon 6X gears up for first flight

Dassault Aviation is making steady progress toward an early 2021 planned first flight for its latest and roomiest aircraft, the Falcon 6X, despite the upheaval caused by the coronavirus epidemic.

Green recovery must embrace sustainable aviation fuels

The International Air Transport Association (IATA) has emphasised the aviation industry’s commitment to its emissions reduction goals.

Flydubai: Welcome to Dubai

Flydubai has begun welcoming tourists to Dubai following the lifting of flight restrictions that were put in place in response to the COVID-19 pandemic.

Why a holiday company took a trip into the unknown

Jordan has always been a tough location in which to operate. One young airline fighting to make its mark in the local market is Fly Jordan Airlines.

Iraq repatriation flight returns South Africans home

CemAir has welcomed 80 South Africans home from Iraq and Jordan on a special repatriation flight which touched down at OR Tambo International Airport on Wednesday morning.

Etihad in codeshare with Air Arabia Abu Dhabi

Etihad Airways has entered a codeshare agreement with Abu Dhabi’s first low-cost airline, Air Arabia Abu Dhabi.

GAS_SK2805200920
See us at
GAS BT0907290920MAPS2020 BT1102171120SaudiAirshow21BT2011180221