3 Dec 2007
Instead of trying to break into computer networks and systems which are protected by technical security controls, social engineers prefer to compromise the people who configure, use and manage them. They cheat and lie their way past those who are naïve and/or unaware of the threat. Generally speaking, people are easier to deceive than computers, so social engineering remains a threat for all organizations, even those with excellent technical security controls.
Almost anyone may be a social engineer. A social engineer is a person who is able to persuade someone else to part with information or something else of value. Parents can probably appreciate the social engineering skills of their children, even before they are able to speak!
In a work context, social engineers may be after sensitive company information: marketing strategies, details of our latest deals, pre-patent information, merger and acquisition plans etc. Such information may be extremely valuable to, say, a competitor. The social engineers may also need other pieces of information, such as login details for the network and a database server, in order to get to their ultimate goal.
Social engineers may also be interested in information about employees. Private investigators, for example, investigating suspected marital infidelity, may try to find out what time an employee normally leaves for home and where he is planning to go on his next business trip. Journalists might go fishing for information to corroborate a news story. Fraudsters and identity thieves would be interested in Social Security Numbers, bank account and credit card numbers, dates of birth etc.
Social engineers depend on being able to fool people into believing they have a legitimate right to information. The deception often works best if they look just like us: they dress like us, talk like us, behave like us. Which social engineer do you think would be more successful at ‘tailgating’ (following an employee into a building without being challenged): someone who appears to be just another regular employee, or someone wearing a stripy top and black face mask and carrying a bag marked SWAG? What about someone dressed as a maintenance engineer or policeman: would you refuse to let them pass? A uniform or a confident manner is not a credential; the sensible check is to verify the visitor through a channel they do not control, such as the reception desk or the contact they claim to be visiting. The deception is even easier on the telephone or by email, since there are no visual cues to a person’s identity and the caller ID or sender address is easily faked.
December’s NoticeBored security awareness module identifies numerous social engineering risks and controls, and is lightly sprinkled with real world examples of incidents reported in the general news media. Making employees alert to the possibility of social engineering is the first step towards resisting attack.
[Please see December’s NoticeBored newsletter for more background and an analysis of the social engineering threat.]