What is Social Engineering? Social Engineering is a term that is widely used but poorly understood. It is generally defined as any type of attack that is nontechnical in nature and that involves some type of human interaction, with the goal of tricking or coercing a victim into revealing information or violating normal security practices.
Social engineers are interested in gaining information they can use to carry out actions such as identity theft or stealing passwords, or in finding out information for later use. Scams may include trying to make a victim believe the attacker is technical support or someone in authority. An attacker may dress a certain way with the intent of fooling the victim into thinking the person has authority. The end goal of each approach is for the victim to drop their guard or for the attacker to gain enough information to better coordinate and plan a later attack.
NOTE: Social engineering is one of the few types of attacks that can be classified as nontechnical in the context of the CEH exam. The attack category relies on the weaknesses or strengths of human beings rather than the application of technology. Human beings have been shown to be very easily manipulated into providing information or other details that may be useful to an attacker.
If it helps, you can think of social engineers in the same context as con artists. Typically, individuals who engage in this type of activity are very good at recognizing telltale signs or behaviors that can be useful in extracting information, such as the following:
Moral Obligation An attacker may prey on a victim’s desire to provide assistance, because the victim feels compelled to help out of a sense of duty.
Trust Human beings have an inherent tendency to trust others. Social engineers exploit a human’s tendency to trust by using buzzwords or other means. In the case of buzzwords, for example, use of familiar terms may lead a victim to believe that an attacker has insider knowledge of a project or place.
Threats A social engineer may threaten a victim if they do not comply with a request. Will reap tremendous rewards.
Ignorance The reality is that many people do not realize the danger associated with social engineering and don’t recognize it as a threat.
WHY DOES SOCIAL ENGINEERING WORK?
Social engineering is effective for a number of reasons, each of which can be remedied or exploited depending on whether you are the defender or the attacker. Let’s take a look at each:
Lack of a Technological Fix Let’s face it, technology can do a lot to fix problems and address security, but at the same time it can be a source of weakness. One thing technology has little or no impact on is blunting the effectiveness of social engineering. This is largely because technology can be circumvented or configured incorrectly by human beings.
Insufficient Security Policies The policies that state how information, resources, and other related items should be handled are often incomplete or insufficient at best.
Difficult Detection Social engineering by its very nature can be hard to detect. Think about it: an attack against technology may leave tracks in a log file or trip an intrusion detection system (IDS), but social engineering probably won’t.
Lack of Training A lack of training, or insufficient training, about social engineering and how to recognize it can be a big source of problems.
“There is no patch for human stupidity.”