Social Engineering: The Basics
What is social engineering? What are the most common and current tactics? And how can your organization prevent these scams? A guide on how to stop social engineering.
By Joan Goodchild, Senior Editor
January 11, 2010 — CSO —
You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But a social engineering attack could bypass all those defenses.
Social engineers, or criminals who take advantage of human behavior to pull of a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this guide, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
- What is social engineering?
- How is my company at risk?
- How do social engineers pull off their tricks?
- Why do people fall for social engineering techniques?
- How can I educate our employees to prevent social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort. (Watch the video to see social-engineering expert Chris Nickerson size up one building's perimeter security)
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another try might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
social engineering
- Survival Guide: Overcoming the Obstacles to Effective Risk Management
- Utility Mandate: Software Security for the Smart Grid
- Risk-driven Compliance and Security Management
- CyberAttacks ... Are you protected or prepared to pay?
- Bringing Together Security and Usability
- Simplifying Risk Management: Is Your Company Measuring Up?
- The Escalating Risk of the Insecure Web
- Security Protection via the Cloud
- Maximize Security Coverage, Minimize Costs
- Preventing Data Breaches: A SaaS Approach To Secure Unstructured Data
- Pillars of Enterprise Protection: Protecting the Infrastructure
- Proactive Intelligence-Gathering for Enterprise Protection
CSO Corporate Partners
