Security Awareness: Social Engineering Part One

Monday, August 30, 2010

Sean Inman

C7159a557369b66632c4b54bf746b69e

What is Social Engineering?

Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. - Wikipedia

Background

Like fraudsters generally, social engineers take advantage of human gullibility. In a corporate context, social engineering is a factor in many information security incidents, including (perhaps especially) those perpetrated by insiders.

Associates have plenty of opportunities to use social engineering on each other, whether under the guise of casual inquiries or even jokes. An example might be ("Oh go on - I bet your password is something easy to guess like your cat's name...").

They have the perfect cover story and plenty of opportunities to exploit their co-workers if desired.

Social Engineering Impacts

Social engineering techniques give unauthorized access to information. ‘ [1] Pretext calls' by internal users can be particularly convincing as they already have access to vast amounts of internal information to build their credibility.

They can browse the email address book for telephone numbers and job titles to pick out suitable targets. Picking up the name of sensitive systems and projects is a breeze for insiders as well.

In a corporate context, social engineering is a factor in many information security incidents, including (perhaps especially) those perpetrated by insiders. Associates have plenty of opportunities to use social engineering on each other, whether under the guise of casual inquiries or even jokes.

An example might be ("Oh go on - I bet your password is something easy to guess like your cat's name..."). They have the perfect cover story and plenty of opportunities to exploit their co-workers if desired.

Finally, we come to the personal impacts of social engineering. Identity theft for instance, is a fact of modern life. Some identity thieves use social engineering methods such as pretexting as part of their repertoire and [2] phishing methods to actively exploit our gullibility though social engineering.

1. Pretext - An effort or strategy to conceal something.
2. Phishing - An attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out by email or instant messaging, and often directs users to enter details at a website, although phone contact has also been used.

The Security Pub's Security Awareness Series will continue talking about "Social Engineering" by discussing the risks, threats, and what we can do to help detect and avoid social engineering. So be on the look out next month.

Cross Posted from The Security Pub. 

Possibly Related Articles:
5080
General
Social Engineering Security Awareness
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.