
Social Engineering: The Basics

What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.

By , Senior Editor

Page 3


Why do people fall for social engineering techniques?

People are fooled every day by these cons because they haven't been adequately warned about social engineers. As CSO blogger Tom Olzak points out, human behavior is always the weakest link in any security program. And who can blame them? Without the proper education, most people won't recognize a social engineer's tricks because they are often very sophisticated.

Social engineers use a number of psychological tactics on unsuspecting victims. As Brushwood outlines in Mind Games, successful social engineers are confident and in control of the conversation. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture put others at ease.

"People running concert security often aren't even looking for badges," said Brushwood. "They are looking for posture. They can always tell who is a fan trying to sneak back and catch a glimpse of the star and who is working the event because they seem like they belong there."

Social engineers will also use humor and compliments in a conversation. They may even give a small gift to a gate-keeping employee, like a receptionist, to curry favor for the future. These are often successful ways to gain a person's trust, said Brushwood, because 'liking' and 'feeling the need to reciprocate' are both fixed-action patterns that humans naturally employ under the right circumstances.

Online, many social engineering scams take advantage of both human fear and curiosity. Links that ask "Have you seen this video of you?" are impossible to resist if you aren't aware that it is simply a social engineer looking to trap you into clicking on a bad link.

Successful phishing attacks often warn that "Your bank account has been breached! Click here to log in and verify your account." Or "You have not paid for the item you recently won on eBay. Please click here to pay." This ploy plays to a person's concerns about negative impact on their eBay score.

"Since people spend years building eBay feedback score or 'reputation,' people react quickly to this type of email. But, of course, it leads to a phishing site," said Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, New Jersey. "Many people use eBay, and users often bid days before a purchase is complete. So, it's not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior."

Recent phishing lures even take advantage of the economic downturn, said Rubinoff. It has not been uncommon for fake emails to turn up that claim to be from human resources and say: 'You have been let go due to a layoff. If you wish to register for severance please register here,' followed by a malicious link.

No one wants to be the person that causes problems in this economy, so any email that appears to be from an employer will likely elicit a response, noted Rubinoff. Lares' Nickerson has also seen cons that use fake employer emails.

"It might say, 'In an effort to cut costs, we are sending W-2 forms electronically this year,'" said Nickerson.
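The lures quoted above share a small set of recognisable ingredients: a fear or obligation cue, a call to action, and a link or sender that does not match the organisation the message claims to come from. As an added illustration (not code from the article or from any vendor quoted in it), the Python below scores constructed sample messages on exactly those cues. The cue vocabularies, the internal domain `example-corp.com`, the threshold and the sample messages are all assumptions made for the demo.

```python
"""Heuristic scorer for the phishing-lure patterns the article describes:
fear cues ("your account has been breached"), obligation cues ("you have
not paid"), and spoofed employer/HR mail ("layoff", "severance", "W-2").
All sample messages below are constructed for illustration, not real mail."""
import re
from urllib.parse import urlparse

# Cue vocabularies are assumptions; tune them to the mail your users actually see.
FEAR_CUES = ("breached", "suspended", "unauthorized", "locked")
OBLIGATION_CUES = ("not paid", "payment overdue", "outstanding", "feedback score")
EMPLOYER_CUES = ("layoff", "let go", "severance", "w-2", "human resources", "cut costs")
ACTION_CUES = ("click here", "log in", "register here", "verify your account")

# Domains the recipient's organisation really sends HR mail from (assumed).
INTERNAL_DOMAINS = {"example-corp.com"}


def registered_domain(netloc: str) -> str:
    """Crude eTLD+1: the last two labels of a hostname (enough for the demo)."""
    host = netloc.lower().split("@")[-1].split(":")[0]
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more lure traits present."""
    text = f"{msg['subject']} {msg['body']}".lower()
    reasons, score = [], 0

    for label, cues in (("fear", FEAR_CUES), ("obligation", OBLIGATION_CUES),
                        ("employer", EMPLOYER_CUES)):
        hits = [c for c in cues if c in text]
        if hits:
            score += 2
            reasons.append(f"{label} cue(s): {', '.join(hits)}")

    action_hits = [c for c in ACTION_CUES if c in text]
    if action_hits:
        score += 1
        reasons.append(f"call to action: {', '.join(action_hits)}")

    sender_domain = registered_domain(msg["from"].split("@")[-1])
    for link in msg.get("links", []):
        href_domain = registered_domain(urlparse(link["href"]).netloc)
        # Anchor text that names one domain while the href points somewhere else.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", link["text"].lower())
        if shown and registered_domain(shown.group(0)) != href_domain:
            score += 3
            reasons.append(f"link text '{link['text']}' but href on {href_domain}")
        if href_domain != sender_domain:
            score += 1
            reasons.append(f"link domain {href_domain} differs from sender {sender_domain}")

    # Employer/HR-themed mail arriving from outside the company's own domains.
    if any(c in text for c in EMPLOYER_CUES) and sender_domain not in INTERNAL_DOMAINS:
        score += 3
        reasons.append(f"employer-themed mail from external domain {sender_domain}")

    return score, reasons


def is_likely_lure(msg: dict, threshold: int = 5) -> bool:
    return score_message(msg)[0] >= threshold


# Constructed samples mirroring the lures quoted in the article.
SAMPLE_MESSAGES = [
    {"from": "alerts@secure-bank-notice.example",
     "subject": "Your bank account has been breached!",
     "body": "Click here to log in and verify your account immediately.",
     "links": [{"text": "www.bank.example", "href": "http://bank-verify.example/login"}]},
    {"from": "billing@ebay-payments.example",
     "subject": "You have not paid for the item you recently won",
     "body": "Please click here to pay and protect your feedback score.",
     "links": [{"text": "www.ebay.example", "href": "http://ebay-payments.example/pay"}]},
    {"from": "hr@example-corp-benefits.net",
     "subject": "Notice from Human Resources",
     "body": "You have been let go due to a layoff. To register for severance please register here.",
     "links": [{"text": "register here", "href": "http://example-corp-benefits.net/severance"}]},
    {"from": "hr@example-corp.com",  # benign internal mail for contrast
     "subject": "Holiday schedule",
     "body": "The office will be closed on Monday. See the intranet calendar.",
     "links": [{"text": "intranet calendar", "href": "https://intranet.example-corp.com/calendar"}]},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, why = score_message(m)
        print(f"{score:2d} {'LURE  ' if is_likely_lure(m) else 'benign'} {m['subject']}")
        for r in why:
            print("     -", r)
```

The point of the scorer is not that it catches everything (a lure whose link and sender domains match would score low) but that it makes the article's observations concrete: the same cues that pressure a person are the ones an awareness programme, or a mail filter, can teach people to look for.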


How can I educate my employees to prevent social engineering?

Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.

For elements of an effective security awareness program, see Seven Practical Ideas for Security Awareness and Now Hear This!.

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Chris Nickerson's success posing as a technician is an example of a story that gets the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.

"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff."

Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there; see 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.

The National Cyber Security Alliance recently launched a 'Stop.Think. Connect.' campaign to get users to give more thought to their online behavior so they recognize social engineering cons before they get in trouble.

But it isn't just the average employee who needs to be aware of social engineering. A study conducted in 2010 found executives are actually the easiest targets. In Social engineering: 4 reasons why executives are the easiest targets, Jayson Street, a security consultant and CIO of Stratagem 1 Solutions, says executives are soft targets for many reasons, including a lax security attitude and their tendency to use the latest technology—even before it is properly vetted.

Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator. Nobody likes to look foolish, and a successful social engineering test does make the victim feel foolish. This is partly why storytelling works—the reader or listener feels empathy for the person who "got suckered."

Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.
