Thanks, but no thanks!
I can hear the voice of Richard Dawson saying, “One hundred hackers surveyed. Top five answers are on the board. Name an effective social engineering technique.” What can a survey reveal about the inner workings of your organization? Plenty!
Surveys show up as phone solicitations, online forms and even strangers on the street. Very few of us actually have the time to complete them, so here’s your “get out of jail free” card: if you are surveyed about work, tell the person conducting the survey that you are not allowed to respond to unapproved surveys because it is against company policy. And by the way, if it isn’t, it should be!
Raised in a curious society, we have all become comfortable with the impromptu irritation of market research known as consumer surveys. Surveys are annoying, and researchers know they are interrupting our busy lives to learn more about us, so they have trained us to expect compensation for the nuisance. We have learned to expect something in return for our coveted opinions and personal information. Unfortunately, that combination of questioning and reward can be exploited to gather seemingly innocuous but critical insider information, the kind an attacker collects while preparing an attack.
On their own, survey questions may seem harmless. But when the right answers to key questions are combined, or “aggregated,” an attacker can piece together just enough information to be dangerous: which products are in use, who reports to whom, when the help desk is staffed. Any information requested in a survey could be misused, but if the “surveyor” asks for information that is personal, operational, financial or client-related, that is a red flag. Specifically, questions about equipment, security controls, the network or the company org chart should never be answered without proper authorization.
Attackers have learned that they can get away with being bold, even obvious. A repeated street survey in London found that 81% of respondents were willing to give up their passwords to a man-on-the-street surveyor in exchange for a piece of chocolate. After the embarrassing publicity that study received, the percentage of Londoners willing to surrender their passwords for chocolate dropped to 60%, which is still a majority.
Just so you know, NO ONE SHOULD EVER ASK YOU FOR YOUR PASSWORD. This includes the help desk, IT personnel, the security team, your manager or anyone else. If someone asks you for your password, politely refuse and then report the request to your security team. Passwords are NEVER to be shared. Doing so is a direct violation not only of corporate policy but of many client contracts and even regulatory requirements such as Sarbanes-Oxley.
Et 2, Legit?
So, do not respond to surveys. Every now and then there may be a legitimate business justification to complete one. That’s fine; just be sure to obtain management approval beforehand. Otherwise, you could unwittingly be handing over the launch codes for your own destruction.