Definition

"Obtaining information or resources from victims using coercion or deceit. During a social engineering attack, attackers do not scan networks, crack passwords using brute force, or exploit software vulnerabilities. Rather, social engineers operate in the social world by manipulating the trust or gullibility of human beings." (Computer Security Handbook (CHS), 2009)

According to Kevin Mitnick, all of the firewalls and encryption in the world will never stop a gifted social engineer from rifling a corporate database or an irate employee from crashing a system. If an attacker wants to break into a system, the most effective approach is to exploit the weakest link: not operating systems, firewalls or encryption algorithms, but people. For instance, if you wanted to illegally capture and use someone's credit card number, forget about stealing his or her wallet or purse. A social engineer would call the person on the phone and pretend to work for the bank or company that issued the card. With the right persuasion, the person might give them the card number, billing address, social security number and mother's maiden name.

Kevin Mitnick

Bookmarks

Unmasking Social Engineering Attacks

Combatting Social Engineering Attacks

Social Engineering Case

The Art of Deception (Book)

No Tech Hacking (Book)

Computer Security Handbook

Training and Awareness

Awareness programs must be established to counter social engineers. For example, who wouldn't want to hold the door for a co-worker? That courtesy is fine, but corporate policy should require everyone to wear an ID badge so that anyone entering the premises can be seen to be authorized. Holding the door for an unauthorized person can wreak havoc on the organization.

Social engineers blend into their environments and tend to be confident, well-educated and outgoing. Because they need to blend in, they also tend to be understated, to go unnoticed and to avoid becoming the center of attention.

Some defenses

Email communications, posters, videos, brown bag lunches and live presentations are all ways to mitigate the risk of social engineering. Some technologies, such as content monitoring systems and email monitoring tools, can flag social engineering attempts, but they are only one layer of defense. Because people are the vector of these attacks, and social engineers exploit people's willingness to trust one another, mitigation depends on observant staff who know what to watch for and on the habit of verifying an unusual request through a known channel before acting on it.


Social Engineering-101

“Whatever your thoughts about social engineers, you should at least understand the mindset, and learn what you can do to protect yourself and those around you, because social engineers have one huge advantage: they’re playing you before you even realize there’s a game to be played.”

In essence, our best behavior, our most sympathetic and helpful nature is used against us by the social engineer.

Perhaps the most troubling aspect of social engineering is how the attacker aggregates information. Very often the attacker collects small snippets of information that seem harmless to the people who provide them: a name, an extension, who is on vacation this week. Yet by collecting seemingly unrelated pieces from different sources, the social engineer can assemble enough to launch larger attacks.

Social engineering bypasses technical safeguards. Social psychology inclines people to trust others and to treat them courteously, and social engineers exploit that human element in order to subvert a trusting environment.

Methods

According to security professionals, social engineering relies on pretexting, which means obtaining information under false pretenses. The pretext is what makes impersonation and seduction work.

Information security experts provide examples of how social engineers use impersonation to obtain information. For example, “most organizations have help desks for IT related issues. Employees, in general, follow the instructions from help desk personnel, simply because they are trusted and usually more knowledgeable about technology. Social engineers understand this trust and will exploit it to steal information. The attacker tries to impersonate help desk personnel, contact unsuspecting employees, and ask for and receive information.” (CHS, 19.4)
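The help-desk impersonation quoted above and the email monitoring tools mentioned under Some defenses can be tied together in a small triage check. The following is an added example written for this page, not code from the Computer Security Handbook or from any product. It parses two constructed messages (the internal domain example.com, the sender addresses and the keyword lists are assumptions) and flags the indicators a help-desk pretext typically carries: a trusted-role display name on mail from outside, a Reply-To that diverts answers elsewhere, a request for a credential, and pressure to act immediately.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Assumed internal mail domain of the organization (hypothetical).
INTERNAL_DOMAIN = "example.com"

# Constructed sample messages, not real mail. The first impersonates the
# help desk from an external domain; the second is a legitimate notice.
IMPERSONATION_MAIL = """\
From: "IT Help Desk" <support@example-helpdesk.net>
Reply-To: helpdesk.tickets@gmail.com
To: jane.doe@example.com
Subject: URGENT: password reset required today

Your mailbox will be suspended in 2 hours. Reply with your username and
current password so we can verify your account immediately.
"""

LEGIT_MAIL = """\
From: "IT Help Desk" <helpdesk@example.com>
To: jane.doe@example.com
Subject: Scheduled maintenance this weekend

The VPN gateway will be patched on Saturday. No action is required, and
we will never ask for your password by email.
"""

# Display names an employee is conditioned to obey (the trust CHS describes).
TRUSTED_ROLES = ("help desk", "helpdesk", "it support", "service desk")
# A request verb within a short distance of a secret, so that
# "reply with your password" matches but "we will never ask for your password" does not.
CREDENTIAL_REQUEST = re.compile(
    r"\b(reply|send|provide|confirm|enter|submit)\b.{0,80}?"
    r"\b(password|passcode|one-time code|ssn|social security)\b",
    re.IGNORECASE | re.DOTALL,
)
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "today")


def score_message(raw: str) -> dict:
    """Return the social-engineering indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = msg.get("Subject", "") + "\n" + body

    indicators = []
    # Impersonation: a trusted-role display name on a message from outside.
    if any(r in display.lower() for r in TRUSTED_ROLES) and from_domain != INTERNAL_DOMAIN:
        indicators.append("trusted-role display name from external domain")
    # Replies silently routed to a mailbox the sender does not appear to own.
    if reply_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    # The ask: a credential or secret, which a real help desk never needs.
    if CREDENTIAL_REQUEST.search(text):
        indicators.append("asks the recipient to hand over a credential")
    # Pressure to act before checking with anyone.
    if any(k in text.lower() for k in URGENCY):
        indicators.append("urgency or threat of losing access")

    # Two or more indicators: hold for a human and verify through a known channel.
    verdict = "escalate" if len(indicators) >= 2 else "deliver"
    return {"from": from_addr, "indicators": indicators, "verdict": verdict}


def triage(messages: list) -> list:
    """Score a batch of raw messages, as a mail-monitoring hook would."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in triage([IMPERSONATION_MAIL, LEGIT_MAIL]):
        print(result["verdict"], result["from"], result["indicators"])
```

The keyword lists are deliberately short and will miss a careful pretext; the point is the layering the text calls for. A message that trips the check is held for a person, who confirms the request by calling the help desk on its published extension rather than by replying to the mail.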

Information security experts also explain how seduction is used. They explain that “the attacker, using seduction, will identify a target and will form a bond with that individual, through social settings, online, or through another mechanism. In some instances, social engineers will study their victims over a period of time to learn their habits, likes, dislikes, or emotional weaknesses. It is during this relationship that information may be divulged to the attacker.” (CHS, 19.5)

Social engineering is very effective and will persist, because people are both the greatest strength and the greatest weakness of an organization. Such attacks are not new, but their methods are many, and their success ensures that they will continue.