What is social engineering? According to Merriam-Webster, social engineering is “management of human beings in accordance with their place and function in society” (www.merriam-webster.com, 2014). In security terms, social engineering is a non-technical form of intrusion that relies on human interaction to get the victim to break normal security procedures. An example would be a hacker posing as an engineer and calling a company to find out what type of firewall or networking equipment it uses. That information could help the perpetrator gain access to the system, since it lets them research known vulnerabilities and default passwords for that equipment.
Most exploits of a system are carried out through social engineering. Almost everyone has received an email offering a free flash drive, white paper or similar reward for filling out a survey, or an email claiming to be from their bank or credit card company, saying there is suspicious activity on their account and asking them to provide the sensitive information supposedly needed to take care of the problem.
Why would a social engineer attempt to “hack” the person instead of hacking the system directly? The person is usually the weakest link. Far more effort is needed to gain access to a system by going through its firewalls than by tricking an unsuspecting user.
Some of the techniques a social engineer uses are quid pro quo, shoulder surfing, pretexting, phishing, spear phishing, IVR/phone phishing, Trojan horses, dumpster diving and road apples, to name a few.
“Since there is neither hardware nor software available to protect an enterprise against social engineering, it is essential that good practices be implemented” (Peltier, 2014). How do we defend against the social engineer? Some practices that should be in place:
- Make sure that anyone who enters the premises shows proper identification.
- Make sure passwords are never discussed over the phone.
- Make sure passwords are never left written out where others can see them.
- Use shredders to prevent dumpster diving.
- Put security policies and procedures in place, and make sure staff know them.
What are some of the signs of a social engineer?
- They refuse to give contact information.
- They rush through the questions.
- They drop the names of important people they claim to deal with.
- They attempt to intimidate.
- They ask for special information or access.