
The Blag Market

Posted 24 October 2018

Could your organisation stop an experienced operative from gaining access to its premises and extracting vital information? As Steve Knight reports, governments and businesses across the Middle East have the chance to find out.

A top security company has been offering a ‘penetration testing’ (blagging) service to UK customers for some time. However, not too many people know that the Middle East has access to a similar service.
The company – Dorset-based C3IA Solutions – works in the defence and security sectors, for government departments and within industry, serving both SMEs and multi-national firms.
Once commissioned, C3IA operatives try to talk their way inside an organisation to gain access to sensitive material.
“Company executives are often staggered by the sort of information we can extract – usually by the simplest means,” said C3IA founder Matt Horan.
C3IA also offers a similar ‘blagging’ operation in the Middle East.
“Because cyber-security – particularly corporate – is improving, criminals are now switching tactics to physically enter businesses in an attempt to acquire information that they can use for nefarious purposes,” explained Horan.
“This has led to a growing need for specialists, who are skilled at breaching security, to highlight where companies should improve their systems and procedures.”
C3IA has a number of such operatives, who carry out this type of ‘penetration testing’ using both simple and more elaborate techniques in order to gain access and trust.
They call it ‘social engineering’ and often make use of social media to research and make contact with their targets in the various companies and organisations.
A study in the US by Agari showed that, in 2016, 60% of leaders were, or might have been, victims of a social engineering attack, whether by physical or digital interaction.
It showed that 65% of those who were attacked said employees’ credentials were compromised, and financial accounts were breached in 17% of cases.
One of the C3IA Solutions operatives, who has to remain anonymous for obvious reasons, explained: “The weakest part of any organisation is its people. They are trained to be helpful, so when someone asks for something their instinct is often to hand it over without question.
“I get asked to try and breach all types of businesses and organisations and usually start by researching their staff online. I have a number of false identities that I use to make contact with them on social media and on LinkedIn. With this information, I can then decide how best to target the business.
“Often the clients want me to take a photo in part of their premises that should be very secure or they want databases accessed or customer details or invoices ‘stolen’. I usually find out simple things like what type of identity card and what colour lanyard the staff use and I have so many I can usually find one to match.
“I’ll then pretend to be a new employee, or from their IT support, and, because I have a bit of knowledge and information, I’m often just waved through.
“There are numerous other methods I use and, although occasionally I’ll ‘trip the wire’ and get caught, I am usually able to breach security.
“The process tests whether staff are adhering to company policies and highlights whether the policies and systems require changing.
“Often this type of activity will be completed alongside checking the computer systems by penetration testing and means we can provide a detailed security report with recommendations.”
Horan added: “Businesses and organisations are getting better at their cyber-security and now realise that their physical security is their weakest part. Testing it regularly can lead to better training for staff and it gives reassurance to customers, clients and their insurers.”
C3IA tactics will change depending on the part of the world in which the company is operating. Whereas, for example, it may be relatively easy for a UK national to pass himself off as a different kind of UK national in an English-speaking domestic environment, somewhere like the Middle East might be more tricky.
“Social engineering activities in the GCC countries will rarely be straightforward,” said Horan. “Assessing the risks of working there comes with important considerations.
“Firstly, it is a vast area with several distinct cultures, several different languages, and the harsh environment and the religion of Islam as its unifying themes. It is important to understand the fundamental differences (and conflict) between the Shia and Sunni Islamic blocs, and which countries align with each other, if you are to have any comprehension of how, for example, a Saudi might interact with an Iranian. Background research and the addition of intimate local knowledge, therefore, is vital if a task is to be scoped for feasibility and then executed effectively.
“A good example of this is airport security, where there is a reliance on technical countermeasures and methods of detection (e-passports, scanners), a plethora of agencies and moving parts, and the potential to identify vulnerabilities in between these sequences of activity.
“In these situations, for the social engineer, the two must-haves are time (to observe, plan, and exploit an identified vulnerability) and a copy of the ‘Rough Guide’ to an area, to ensure that at least a base level of cultural knowledge is understood and utilised.
“Of course, for our operation, there is also the increased physical danger from the commonality of harsh and punitive laws, terrorist organisations, routinely armed police and security guard forces, which we may not ordinarily face in the UK or Europe.
“Using local resources as either advisors or, as appropriate, operators, is an option which may be effective under certain circumstances, but needs to be carefully managed in terms of skill level, knowledge transfer and of course duty of care.”
Sending in an operative is usually quite an eye-opener for clients and really focuses their minds on their security and training for staff, according to Horan.
“Training, education and improving the awareness of staff can greatly reduce the likelihood of an intruder gaining access and the negative impact should they succeed,” he concluded.
