Working with People: An Introduction to Social Engineering
Posted in Security Articles | Posted on 18-06-2013
|0
A reader sent me this great article on Social engineering, so I decided to share with you all. Enjoy 🙂
Humans are inherently social creatures who have developed a world strongly based on interacting with others. Just like the world of information technology, the human social protocols are a complex series of rules and guidelines for how people behave when interacting with each other, and just like any other system, there are methods to use and abuse it once you understand the rules that govern it. Social engineering is a broad subject, but in this article we will focus mostly on social engineering as it is used to gain access to social groups and sensitive information.
What Is Social Engineering?
Social engineering is using the common tendencies of how people interact with others in order to gain information or a benefit of some kind. Effectively, social engineering can be referred to as the hacking of people. Before the Internet age, social engineering would more likely be referred to as conning, but the scope of social engineering’s applications goes beyond tricking people out of money. It is about causing people to act according to your wishes. Getting someone to say yes to a date is social engineering. So is getting your company a contract from a tough client. In regards to information security, social engineering is getting people to give up protected information.
A social engineering definition can be found here.
How Effective Is Social Engineering?
Even companies that place a high focus on securing their information networks can prove extremely vulnerable to social engineering attacks. DefCon, one of the largest hacking conferences in the world, routinely features a social engineering competition that has demonstrated over and over again that simple tactics can be used to get enough information to potentially do harm to a company. Position in the company also seems to have almost no effect on how susceptible a person is to social engineering; a big wig is just as likely to give up information as a cashier, but the big wig also usually has access to more pertinent info.
Social engineering is gaining attention for its insidious effectiveness, and is starting to get recognized in the media and the corporate world. Check out these news articles for an idea of how it is being perceived:
Smooth-Talking Hackers Test Hi-Tech Titan’s Skills – A look at DefCon hacking competitions, utilizing social engineering within legal boundaries to ferret out intelligence designed to weaken a company’s security.
Social engineering to blame in Syrian Electronic Army hijack of the Onion – The targets of these sorts of attacks aren’t always the ones you might expect, the Onion was a recent victim of a phishing scheme.
Facebook Social Engineering Attack Strikes NATO – Often, the targets are important, such as this attack against NATO. Every organization contains a human element, the target of savvy social engineers.
How a lying ‘social engineer’ hacked Wal-Mart – Many people are naturally biased to trust based on a set of subtle criteria; a tone of voice, a style of dress, even word choices can lead people to give credence to otherwise nonsensical ideas or situations, like this Wal-Mart store manager being duped into giving away company data in exchange for a non-existent contract possibility.
General Tips for Social Engineering
These are common guidelines and methods used by social engineers before and during any assignment on which they are working. These focus more on the preparation and mindset of the social engineer than the actual attack methods that are used.
Do Your Research
Take a look at this seminar on social engineering strategies.
Information is everywhere. If there is a topic you want to know about, you usually only need to glance at the Internet. Reading the news and press releases from a company can give you a firm background history from which to work. A social media site may give you insights into the temperament of a person or give you an idea of the social scene in which they operate. If you are trying to infiltrate a group or become closer to a person with any notable focus, then the Internet can be used to familiarize yourself with the topic.
Hackers may go above and beyond in this regard. If they manage to gain access to someone’s email account or messaging service, there may be records of conversations that can be used to mimic the person in electronic communications or learn about key topics that anyone on the inside should know about.
Read full article here: http://backgroundchecks.org/working-with-people-an-introduction-to-social-engineering.html