Women Fared Better in Defcon Social Engineering Contest

Paul Mah

I recently touched on the topic of social engineering with the observation that employees who are not equipped to defend themselves against this attack vector represent an exploitable weakness. Attackers can use that weakness to punch holes through even the most robust IT defenses.


In "Companies Fail Social Engineering Test" last month, I wrote about a recent Defcon social engineering contest that pitted amateur "social engineers" against large, well-funded enterprise companies. The result was sobering, to say the least: employees at every single company in the contest gave away information that they shouldn't have. This clearly demonstrates that even large companies with resources to spare are not doing enough to close this gap in their defenses. To drive the point home, the businesses in question are Fortune 500 companies, including the likes of Cisco Systems, Microsoft, Google, Ford Motor, Pepsi and Coca-Cola.


Now, it has emerged that women fared better in the Defcon social engineering contest. Of the 135 employees targeted as part of the contest, only five doggedly refused to give up any corporate information, and all five were women. Five out of 135 is too small a sample to generalize from, but the pattern is striking nonetheless.


Chris Hadnagy, one of the event's organizers, didn't want to speculate on why this was so when quizzed by Computerworld, though he was willing to share his observations on the stellar performance of those five employees: "Within the first 15 seconds, they were like, 'This doesn't seem right to me,' and they ended the call."


While the full report has yet to be released, some other nuggets of information have emerged about the contest:

  • Half of the companies contacted are still using Internet Explorer 6.
  • Attempts to get employees to visit an external website were all successful (eventually). Combined with a browser as old as IE6, a single visit to an attacker-controlled page is all it takes for a drive-by compromise.
  • The only company that didn't divulge the information being sought escaped only because every attempt to get a "live person" on the phone failed (huh!).


From the snapshot of evidence presented, it is clear that the spectre of social engineering attacks is very real indeed. So what are some facts that SMBs need to know about social engineering?

  • Training against social engineering isn't a "train once" affair; it needs to be refreshed periodically, because the pretexts change and awareness fades.
  • Most of the contestants pretended to be insiders performing audits or consultants conducting a survey, which is exactly the kind of caller a well-meaning employee feels obliged to help.
  • The threat isn't limited to current employees either: at least one contestant used job sites to find former employees and quizzed them about their previous workplace while posing as a head-hunter.


I'll write on this topic again with tips that SMBs can use to defend themselves against social engineering attempts once the full report becomes available. In the meantime, I am keen to hear whether your SMB has implemented any training to defend against social engineering. What measures has your company adopted?
