Social engineering is the manipulation of people into taking an action or revealing information, rather than the use of technical means. It is the art of gaining access to buildings, systems, or data by exploiting human psychology rather than by using technical hacking techniques. For example, a social engineer might call an employee, pose as an IT support person, and try to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.
A system has hardware, software, and wetware, wetware being the human element of the system. With million-dollar security systems and state-of-the-art security technology, the first two may be close to impenetrable, but with enough patience and knowledge a social engineer can use weaknesses in the wetware to trick an unsuspecting target into revealing sensitive information. Social engineering is the use of psychological knowledge to win a target's trust and ultimately extract information from him.
What Do Social Engineers Want?
The goal for many social engineers is to obtain personal information that can directly lead them to financial or identity theft or prepare them for a more targeted attack. They also look for ways to install malware that gives them better access to personal data, computer systems, or accounts. In other cases, social engineers are looking for information that leads to a competitive advantage.
Items that scammers find valuable include the following:
- Passwords and account numbers
- Keys and personal information
- Access cards and identity badges
- Phone lists
- Details of your computer system
- The name of someone with access privileges
- Information about servers, networks, non-public URLs, intranets
How Does It Work?
Social engineers leverage trust, helpfulness, easily attainable information, knowledge of internal processes, implied or impersonated authority, and technology to trick you. Often, they will use several small attacks to reach their final goal, bits of information pulled together into a convincing story. Social engineering is all about taking advantage of others to gather information and infiltrate an organization.
- Information gathering: A variety of techniques can be used by an aggressor to gather information about the targets (public websites, social media, phone directories, discarded documents, or earlier conversations). Once gathered, this information is used to build a relationship with either the target or someone important to the success of the attack.
- Developing a relationship: An aggressor exploits the natural willingness of a target to be trusting in order to develop rapport. While building this relationship, the aggressor maneuvers himself into a position of trust, which he will then exploit.
- Exploitation: The target is then manipulated by the "trusted" aggressor into revealing information (e.g., passwords) or performing an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This action may be the end of the attack or the beginning of the next stage.
- Execution: Once the target has completed the task requested by the aggressor, the cycle is complete, or what was obtained becomes the input to a new round of information gathering against the next target.
Types of Social Engineering
- Pretexting: Pretexting is when an attacker invents a false but plausible scenario (the pretext) that justifies asking a victim for personal information such as full name, address, birth date, and social security number. The most common form of this type of identity theft is carried out over the phone.
- Phishing: Phishing is a type of Internet fraud that seeks to acquire a user's credentials by deception, typically through an email or web page imitating a legitimate service. It includes theft of passwords, credit card numbers, bank account details, and other confidential information.
- Spearphishing: If traditional phishing is the act of casting a wide net in hopes of catching something, spearphishing is the act of carefully targeting a specific individual or organization and tailoring the attack to them personally, using details collected during the information-gathering stage.
- Trojan horse: A Trojan horse is a malicious application disguised as something useful or harmless, designed to give the attacker remote access to the target computer system. Trojans may arrive via drive-by downloads from compromised websites, or bundled with online games and other internet-driven applications.
- Shoulder Surfing: Shoulder surfing refers to using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it’s relatively easy to observe someone as they fill out a form, enter their PINs at ATMs or enter passwords at cybercafés.
Ways to Prevent Social Engineering
- Management buy-in: Management must budget for training and involve HR, so that awareness is a funded, ongoing program rather than an ad hoc effort.
- Security policy: A sound security policy will ensure a clear direction on what is expected of staff within an organization.
- Physical security: The use of access badges indicating each employee's status, so that an unbadged or wrongly badged visitor is noticed and challenged.
- Education/awareness: A good training and awareness program focusing on the type of behavior required. This program might even provide users with a checklist on how to recognize a possible “social engineering” attack.
- Good security architecture: No rogue or unauthorized devices on the network, so that an attacker who talks his way into the building cannot simply plug in.
- Limit data leakage: For example, websites, public databases, Internet registries, and other publicly accessible data sources should list only generic information, instead of employee names.
- Incident response strategy: For example, if a user receives an unusual request, he should verify its authenticity through an independent channel (such as calling back on a known, published number) before acting on the instructions, and report the attempt so that others can be warned.
- Security culture: The creation of a security culture should be considered a long-term investment that requires a constant effort to maintain and grow.
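The phishing and spearphishing entries above describe deception in the abstract, and the awareness item suggests giving users a checklist for recognizing an attack. The following added example (not code from the original article or from Infosec Institute) turns such a checklist into a mechanical check over an email: a display name that claims the organization's domain while the real sender is elsewhere, a look-alike sender or link domain, urgency language in the subject, and link text that shows one URL while the href goes to another. The organization domain `example.com`, the two sample messages, and the word lists are all constructed assumptions for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail/web domain
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify now", "account locked")
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"}  # digit/letter look-alikes
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages (not real captured mail).
SAMPLE_SUSPICIOUS = """\
From: "helpdesk@example.com" <alerts@examp1e.com>
To: alice@example.com
Subject: URGENT: password expires today
Content-Type: text/html

<p>Your password expires in 1 hour. Verify now:
<a href="http://examp1e.com/login">https://sso.example.com/reset</a></p>
"""

SAMPLE_BENIGN = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: lunch?
Content-Type: text/html

<p>Menu: <a href="https://intranet.example.com/menu">https://intranet.example.com/menu</a></p>
"""


def registrable(host):
    """Crude 'registrable domain': the last two labels of a hostname (no public-suffix list)."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def normalise_label(label):
    """Undo common look-alike substitutions (examp1e -> example, rnicrosoft -> microsoft)."""
    label = label.replace("rn", "m").replace("vv", "w")
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def lookalike(host, target=ORG_DOMAIN):
    """True when host imitates target: confusable spelling, or the target brand plus a hyphenated suffix."""
    cand, tgt = registrable(host), registrable(target)
    if not cand or cand == tgt:
        return False
    cand_label, tgt_label = cand.split(".")[0], tgt.split(".")[0]
    return normalise_label(cand_label) == tgt_label or cand_label.startswith(tgt_label + "-")


def phishing_indicators(raw_message):
    """Return (code, detail) pairs, one per social-engineering indicator found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # Display name pretends to be an internal address while the envelope sender is elsewhere.
    if ORG_DOMAIN in display.lower() and registrable(sender_domain) != ORG_DOMAIN:
        findings.append(("sender-spoof", f"display name claims {ORG_DOMAIN}, real sender {addr}"))
    if lookalike(sender_domain):
        findings.append(("lookalike-sender", sender_domain))

    # Pressure to act now is the classic pretext for skipping verification.
    subject = msg.get("Subject", "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            findings.append(("urgency", word))
            break

    body = "" if msg.is_multipart() else msg.get_payload()
    for href, text in ANCHOR_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        href_host = urlparse(href).hostname or ""
        # Link text shows one site, the href goes to another.
        if shown.lower().startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            if registrable(shown_host) != registrable(href_host):
                findings.append(("link-mismatch", f"shows {shown_host}, goes to {href_host}"))
        if lookalike(href_host):
            findings.append(("lookalike-link", href_host))
        if href.lower().startswith("http://"):
            findings.append(("plain-http-link", href))
    return findings


def is_suspicious(raw_message, threshold=2):
    """Flag a message once it trips at least `threshold` independent indicators."""
    return len(phishing_indicators(raw_message)) >= threshold


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspicious(sample), phishing_indicators(sample))
```

Each indicator is weak on its own (a genuine notice can be urgent, a partner can use a hyphenated brand domain), which is why the verdict requires several to coincide; the same reasoning applies to the human checklist, where a single odd detail should prompt the verification step described above rather than an automatic refusal.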
Conclusion: Social engineering is a way in which an intruder can get access to your information resources without having to be a technical, network, or security expert. The attacker can use many tactics either to fool the victim into providing the information he needs to gain entry or to obtain the information without the victim’s knowledge.
Social engineering can be a threat to the security of any organization. It is important to understand the significance of this threat and the ways in which it can manifest. Only then can appropriate counter-measures be employed and maintained in order to protect an organization on an ongoing basis.
This article was contributed by Mohit Rawat, security expert at Infosec Institute.