Social Engineering: The Basics
What is social engineering? What are the most common and current tactics? A guide on how to stop social engineering.
By Joan Goodchild , Senior Editor
December 20, 2012 — CSO —
You've got all the bells and whistles when it comes to network firewalls and your building's security has a state-of-the-art access system. You've invested in the technology. But a social engineering attack could bypass all those defenses.
Say two fire inspectors show up at your office, show their badges and ask for a walkthrough—you're legally required to give them access to do their job. They ask a lot of questions, they take electrical readings at various wall outlets, they examine wiring under desks. Thorough, aren't they? Problem is, in this case they're really security consultants doing a social engineering 'penetration test' and grabbing access cards, installing keystroke loggers, and generally getting away with as much of your business's private information as they can get their hands on. (See How to rob a bank for details from this real-world example.)
Social engineers, or criminals who take advantage of human behavior to pull of a scam, aren't worried about a badge system. They will just walk right in and confidently ask someone to help them get inside. And that firewall? It won't mean much if your users are tricked into clicking on a malicious link they think came from a Facebook friend.
In this article, we outline the common tactics social engineers often use, and give you tips on how to ensure your staff is on guard.
Last updated September 27, 2012.
- What is social engineering?
- How is my company at risk?
- Sneaky stuff. Give me some specific examples of what social engineers say or do.
- Why do people fall for social engineering techniques?
- How can I educate our employees to prevent social engineering?
- Are there any tools that can help?
- Looks like this is an important security issue. Tell me more!
What is social engineering?
Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.
Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists of any sort. (Watch the video to see social-engineering expert Chris Nickerson size up one building's perimeter security)
How is my company at risk?
Social engineering has proven to be a very successful way for a criminal to "get inside" your organization. In the example given above, once a social engineer has a trusted employee's password, he can simply log in and snoop around for sensitive data. Another try might be to scam someone out of an access card or code in order to physically get inside a facility, whether to access data, steal assets, or even to harm people.
Chris Nickerson, founder of Lares, a Colorado-based security consultancy, conducts 'red team testing' for clients using social engineering techniques to see where a company is vulnerable. Nickerson detailed for CSO how easy it is to get inside a building without question.
In one penetration test, Nickerson used current events, public information available on social network sites, and a $4 Cisco shirt he purchased at a thrift store to prepare for his illegal entry. The shirt helped him convince building reception and other employees that he was a Cisco employee on a technical support visit. Once inside, he was able to give his other team members illegal entry as well. He also managed to drop several malware-laden USBs and hack into the company's network, all within sight of other employees. Read Anatomy of a Hack to follow Nickerson through this exercise.
In What it's like to steal someone's identity professional pen tester Chris Roberts, founder of One World Labs, says he too often meets people who assume they have nothing worth stealing.
"So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'?" he said. "While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal."