What Is Social Engineering?

Social engineering is manipulating people into doing something, rather than by breaking in using technical means. It is the art of gaining access to buildings, systems, or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password. The goal is always to gain the trust of one or more of your employees.

Kevin Mitnick said, “The weakest link in the security chain is the human element.”

A system has hardware, software, and wetware, wetware being the human element of the system. With million-dollar security systems and state-of-the-art security technology, the first two systems may be impenetrable, but with enough patience and knowledge, a social engineer can use weaknesses in the wetware to trick an unsuspecting target into revealing sensitive information. Social engineering is a use of psychological knowledge to trick a target into trusting the engineer and ultimately revealing information.

Social engineering includes scams such as obtaining a password by pretending to be an employee, leveraging social media to identify new employees who might be more easily tricked into providing customer information, and any other attempt to breach security by gaining trust.

“You could spend a fortune purchasing technology and services…and your network infrastructure could still remain vulnerable to old-fashioned manipulation.”

Social engineering is the art of exploiting the weakest link of information security systems: the people who are using them. Social engineering is a method of gathering information and performing attacks against information and information systems. An immense amount of loss has been suffered by organizations and Individuals from these attacks. However, social engineering as a threat is overlooked because of low awareness and lack of proper training for people.

What Do Social Engineers Want?

The goal for many social engineers is to obtain personal information that can either directly lead them to financial or identity theft or to prepare them for a more targeted attack. They also look for ways to install malware that gives them better access to personal data, computer systems, or accounts. In other cases, social engineers are looking for information that leads to a competitive advantage.

Items that scammers find valuable include the following:

  • Passwords
  • Account numbers
  • Keys
  • Any personal information
  • Access cards and identity badges
  • Phone lists
  • Details of your computer system
  • The name of someone with access privileges
  • Information about servers, networks, non-public URLs, intranets.

How Does It work?

Social engineers leverage trust, helpfulness, easily attainable information, knowledge of internal processes, implied or impersonated authority, and technology to trick you. Often, they will use several small attacks to reach their final goal, bits of information pulled together into a convincing story. Social engineering is all about taking advantage of others to gather information and infiltrate an organization.

  • Information gathering: A variety of techniques can be used by an aggressor to gather information about the targets. Once gathered, this information can then be used to build a relationship with either the target or someone important to the success of the attack.
  • Developing relationship: An aggressor may freely exploit the willingness of a target to be trusting in order to develop rapport with them. While developing this relationship, the aggressor will position himself into a position of trust which he will then exploit.
  • Exploitation: The target may then be manipulated by the “trusted” aggressor to reveal information (e.g., passwords) or perform an action (e.g., creating an account or reversing telephone charges) that would not normally occur. This action could be the end of the attack or the beginning of the next stage.
  • Execution: Once the target has completed the task requested by the aggressor, the cycle is complete.

Types of Social Engineering

  • Pretexting: Pretexting is when a person uses false or fictitious methods to retrieve a victim’s personal information such as full name, address, birth date, and social security number. The most common forms of this type of identity theft are over the phone.

    Example:

    In 2006, HP’s chairwoman and some of the members of the board of directors used Pretexting against the board of directors, employees, and journalists to find the source of the board leaks to the public media. The team of the leak investigation hired a third-party firm to obtain the phone records of suspicious individuals under false pretense without their consents, an action that caused the HP’s chairwoman and several directors to lose their jobs.

  • Dumpster diving: Dumpster diving is a technique used to retrieve information that could be used to carry out an attack on a computer network. Dumpster diving isn’t limited to searching through the trash for obvious treasures, such as access codes or passwords written down
    on sticky notes. Seemingly innocent information, a phone list, calendar, or organizational chart, can be used to assist an attacker using social engineering techniques to gain access to the network.

    Example: Workers become complacent and do not think about what they are throwing away. Receipts with signatures, copies of invoices, order forms, and other items are swept into the trash as workers hurry out of the office on a Friday night or just before a holiday. Another rarely thought of item is anything placed underneath signatures. When consumers sign receipts, there is often a note pad or a desktop calendar that is thrown out at the end of the month. With a person’s address, phone number, account number, and signature, the theft is mostly completed. Most homes are easy targets as well. Many people get pre-approved credit cards and these simply get thrown away and can be used, along with other information, to open fraudulent accounts.

  • Phishing: Phishing is a type of Internet fraud that seeks to acquire a user’s credentials by deception. It includes theft of passwords, credit card numbers, bank account details, and other confidential information.

    Example:

  • Spearphishing: If traditional phishing is the act of casting a wide net in hopes of catching something, spearphishing is the act of carefully targeting a specific individual or organization and tailoring the attack to them personally.

Example:

Want to learn more?? The InfoSec Institute CISSP Training course trains and prepares you to pass the premier security certification, the CISSP. Professionals that hold the CISSP have demonstrated that they have deep knowledge of all 10 Common Body of Knowledge Domains, and have the necessary skills to provide leadership in the creation and operational duties of enterprise wide information security programs.

InfoSec Institute's proprietary CISSP certification courseware materials are always up to date and synchronized with the latest ISC2 exam objectives. Our industry leading course curriculum combined with our award-winning CISSP training provided by expert instructors delivers the platform you need in order to pass the CISSP exam with flying colors. You will leave the InfoSec Institute CISSP Boot Camp with the knowledge and domain expertise to successfully pass the CISSP exam the first time you take it. Some benefits of the CISSP Boot Camp are:

  • Dual Certification - CISSP and ISSEP/ISSMP/ISSAP
  • We have cultivated a strong reputation for getting at the secrets of the CISSP certification exam
  • Our materials are always updated with the latest information on the exam objectives: This is NOT a Common Body of Knowledge review-it is intense, successful preparation for CISSP certification.
  • We focus on preparing you for the CISSP certification exam through drill sessions, review of the entire Common Body of Knowledge, and practical question and answer scenarios, all following a high-energy seminar approach.

IVR or phone phishing: IVR or phone phishing also known as “vishing”; this technique uses an interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution’s IVR system. The victim is prompted to call in to the “bank” via a phone number provided in order to “verify” information.

Example:

  • Trojan horse: A Trojan horse is a malicious application that is designed to enable hackers to remotely access the target computer system. Trojans may arrive via unwanted downloads on compromised websites or they may be installed via online games or other internet-driven applications.

Example:

  • Shoulder Surfing: Shoulder surfing refers to using direct observation techniques, such as looking over someone’s shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it’s relatively easy to observe someone as they:
    • fill out a form
    • enter their PIN at an automated teller machine or a point of sale terminal
    • use a calling card at a public pay phone
    • Enter passwords at a cybercafé, a public or university library, or an airport kiosk.

    Example: An example of shoulder surfing is when renting a public locker, some people may choose a four-digit PIN code which is the same as that for their credit or bank access card. A thief who obtains the locker code by shoulder surfing could then access the locker and take and use the credit or bank access card until the card account is blocked. Avoid using banking codes for other items, such as lockers, combination locks, etc.

    • Diversion theft: This is when a social engineer convinces a courier or transport company that he is actually you. He then arranges for the parcel to be arranged to another location nearby. Usually the courier is met at the side of the road by a smiling social engineer who takes the parcel and pretends to walk towards a house or apartment.
    • Forensic analysis:
      Forensic analysis is the use of controlled and documented analytical and investigative techniques to identify, collect, examine, and preserve digital information.

      Example: Obtaining old computer equipment such as hard drives, memory sticks, DVD/CDs, and floppy disks and attempting to extract information that might be of use about an individual/organization.

    • Tailgating: Tailgating involves getting into a physical facility by coercing or fooling staff there, or just walking in.

      Example: Joe, who has forgotten his passkey to the building, shadows Barb as she keys in, and slips in after her. Often Barb does not know Joe, or does not even notice that Joe has tailgated after her. And more often than not, even if Barb has noticed, she will not turn around and stop Joe from tailgating. She would not feel comfortable doing that, as it might create a scene in front of others. If Joe is an intruder, he has achieved the first step in his plan—he has gained physical access to the premises.

    • Baiting: Baiting is typically done by leaving a malware-infected cd or usb key in a company building, some place that would make it seem as though the item has been dropped by accident. This item might even be labeled with some kind of interesting title so as to encourage the finder to use it on his/her computer to satisfy the curiosity, only to have malware infecting the computer and give the attacker access to sensitive information and/or the company’s internal network.

    • Quid pro quo: An attacker offers his victim a gift in exchange for some action or piece of information. The attacker often does not even need to make a deal. By simply providing assistance in some way, an attacker can endear themselves to their victim, making further interrogation a simple matter.
    • Reverse social engineering: Reverse social engineering is a method where an attacker can get their victims to call them back pertaining to something an attacker may have previously said or done. Since the victim is calling the attacker, the victim is already at the attacker’s mercy, and it is almost impossible for the victim to tell that they are being attacked if they have already legitimately made the call back to the attacker.

      Example: The attacker may cause a network failure, show up as a technical support expert just at the right moment, and then help the network operator through the problem. The operator would think of the attacker as someone of high authority that she could trust and would willingly ask or answer detailed questions that include confidential information or a way to access it.

    • Fake pop-up: The attacker’s rogue program generates a pop-up window, saying that the application connectivity was dropped due to network problems, and now the user needs to reenter his id and password to continue with his session. The unsuspecting user promptly does as requested, because he wishes to continue working, and forgets about it.

Ways to prevent Social Engineering

  • Management buy-in: Budget for training. HR involved.
  • Security policy: A sound security policy will ensure a clear direction on what is expected of staff within an organization.
  • Physical security: The use of access badges indicating each employee’s status.
  • Education/awareness: A good training and awareness program focusing on the type of behavior required. This program might even provide users with a checklist on how to recognize a possible “social engineering” attack.
  • Good security architecture: No rogue devices.
  • Limit data leakage: For example, websites, public databases, Internet registries, and other publicly accessible data sources should list only generic information, instead of employee names.
  • Incident response strategy: For example, if a user receives a request, he should verify its authenticity before acting on the instructions he has received.
  • Security culture: The creation of a security culture should be considered a long-term investment that requires a constant effort to maintain and grow.

Conclusion: Social engineering is a way in which an intruder can get access to your information resources without having to be a technical, network, or security expert. The attacker can use many tactics either to fool the victim into providing the information he needs to gain entry or to obtain the information without the victim’s knowledge.

Social engineering can be a threat to the security of any organization. It is important to understand the significance of this threat and the ways in which it can be manifested. Only then can appropriate counter-measures be employed and maintained in order to protect an organization on an ongoing basis.