The Blag Market

Posted 24 October 2018

Could your organisation stop an experienced operative from gaining access to its premises and extracting vital information? As Steve Knight reports, governments and businesses across the Middle East have the chance to find out.

A top security company has been offering a ‘penetration testing’ (blagging) service to UK customers for some time. However, not too many people know that the Middle East has access to a similar service.
The company – Dorset-based C3IA Solutions – works in the defence and security sectors, for government departments and within industry, serving both SMEs and multi-national firms.
Once commissioned, C3IA operatives try to talk their way inside an organisation to gain access to sensitive material.
“Company executives are often staggered by the sort of information we can extract – usually by the simplest means,” said C3IA founder Matt Horan.
C3IA also offers a similar ‘blagging’ operation in the Middle East.
“Because cyber-security – particularly corporate – is improving, criminals are now switching tactics to physically enter businesses in an attempt to acquire information that they can use for nefarious purposes,” explained Horan.
“This has led to a growing need for specialists, who are skilled at breaching security, to highlight where companies should improve their systems and procedures.”
C3IA has a number of such operatives, who carry out this type of ‘penetration testing’ using both simple and more elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and often make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that, in 2016, 60% of leaders were, or might have been, victims of a social engineering attack, by physical or digital interaction.
It showed that 65% of those who were attacked said employees’ credentials were compromised, and financial accounts were breached in 17% of cases.
One of the C3IA Solutions operatives, who has to remain anonymous for obvious reasons, explained: “The weakest part of any organisation is its people. They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’. I usually find out simple things like what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee, or from their IT support, and, because I have a bit of knowledge and information, I’m often just waved through.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be completed alongside checking the computer systems by penetration testing and means we can provide a detailed security report with recommendations.”
Horan added: “Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part. Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
C3IA tactics will change depending on the part of the world in which the company is operating. Whereas, for example, it may be relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment, somewhere like the Middle East might be more tricky.
“Social engineering activities in the GCC countries will rarely be straightforward,” said Horan. “Assessing the risks of working there comes with important considerations.
“Firstly, it is a vast area with several distinct cultures, several different languages, and the harsh environment and the religion of Islam as its unifying themes. It is important to understand the fundamental differences (and conflict) between the Shia and Sunni Islamic blocs, and which countries align with each other, if you are to have any comprehension of how, for example, a Saudi might interact with an Iranian. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, plan, and exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.
“Of course, for our operation, there is also the increased physical danger from the commonality of harsh and punitive laws, terrorist organisations, routinely armed police and security guard forces, which we may not ordinarily face in the UK or Europe.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and of course duty of care.”
Sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff, according to Horan.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed,” he concluded.
