Social-Engineer, Inc. Releases Annual Report on DEF CON 22 Social Engineering Capture the Flag (SECTF) Contest


2014 SECTF report details contest results, evolving trends and best practices for combating targeted attacks.


Social-Engineer, Inc., the leader in social engineering security testing, awareness and training, today announced the release of the fifth annual Social-Engineer Capture the Flag Report, compiled from the Social-Engineer Capture the Flag competition at DEF CON 22.

The SECTF contest is conducted to raise awareness of the growing threat social engineering poses and to provide a live demonstration of specific techniques commonly used by malicious attackers to siphon information from unsuspecting targets. Social-Engineer’s annual SECTF report details the complex open source information gathering process and the live calls that contestants perform, and explores specific attack methods leveraged to extract information from target companies. The report also highlights emerging threat vectors and realistic pretexts, and catalogs the types of information attackers commonly seek. Finally, the report details mitigation strategies that can be taken to improve corporate security awareness across organizations.

This year, all of the contest's targets were retail organizations, major household brands such as Home Depot, Wal-Mart and Macy’s. These renowned businesses, rife with personal and financial information of the average US consumer, were selected to demonstrate the ease with which a large organization can be infiltrated.

“High profile events in the last 6 months are illustrative of the fact that corporations, and specifically retail organizations, continue to be extremely poor at protecting critical information. Unfortunately, this year’s SECTF supported this trend,” noted Chris Hadnagy, President and Chief Human Hacker of Social-Engineer, Inc.

He continued, “It is hard to overstate how quickly social engineering has gone from an individual issue to an enterprise grade security issue and boardroom priority. Over the past years, organizations have begun to implement training programs to shut down these threats. It’s our goal to provide the training and education necessary to continue this trend.”

Some of the report’s highlights include:
- Open source information continues to plague organizations.
  In one case a major retailer allowed their employees to post and discuss various topics on a public forum; many discussions included sensitive information and led to a deep understanding of the inner workings of this company.
- Insider threats are a growing concern.
  The vast majority of pretexts involved the impersonation of fellow corporate employees.
- Justification, regardless of strength, is often enough to obtain compliance.
  Quick-thinking contestants with justifications were able to keep targets on track despite questions to extract more information.
- Attackers continue to target major industries, and will continue to return until their mission is complete.
  Contestants that faced shut-downs were able to obtain sensitive information from other departments within the organization.
- Every targeted company surrendered at least one piece of valuable information to contestants.
  Organizations, despite public breaches, are still susceptible to attacks.

To view a full copy of the 2014 SECTF Report, please visit: SECTF REPORT

In addition to this report, Social-Engineer will also host a complimentary webinar on Friday, October 31, 2014. Contest judges and social engineering experts, Chris Hadnagy and Michele Fincher, will give a post mortem of the event and answer live questions. To register for the live webinar, please visit:

About Social-Engineer, Inc.
Social-Engineer, Inc. is the leading authority in the art and science of social engineering. Comprised of two different facets, the organization offers both complimentary education and commercial services. The company’s complimentary educational component is credited with developing the world’s first social engineering framework. State-of-the-art research and social engineering news are distributed to users through blogs and monthly podcasts. Social-Engineer, Inc. provides security audits and professional training programs for both commercial and government organizations. To learn more about Social-Engineer, Inc. visit, read the free educational blog, or follow us on Twitter @SocEngineerInc, @humanhacker.

Contact Author

Christopher Hadnagy
Social-Engineer, Inc.