Social Engineering – If you do not work in the security or IT industry, you may wonder what the term means and whether it poses any real threat to your organisation. If you have heard the term, assuming that it is purely an IT issue would be a mistake.
Social engineering can be likened to a hacking attack against an information system, where a tool probes the system for a vulnerability to exploit. In social engineering the target is a person rather than a system: the attacker uses guile, a little inside knowledge or plain bluff to get past that person's defences and obtain information they are not entitled to. In other words, they hack the individual rather than the machine.
More often than not, attacks to obtain information, including sensitive personal data, are directed at organisations by manipulating unsuspecting staff into handing it over willingly. The staff member has usually been duped into passing information to someone they do not know and have not verified.
The attacker's ability to build a rapport with the target is important. Combined with some inside knowledge, gained from research or from an insider, it creates the sense of familiarity that puts front-line staff off their guard. Those at the “coal-face” are particularly vulnerable: customer-facing staff such as receptionists, switchboard operators and help-desk support staff.
The approaches often appear innocent. The attacker may pose as a new or former employee exchanging gossip or asking for advice, and may ask for help with, say, a forgotten password. The attacks are insidious and, over time, can yield nuggets of information about the organisation or the individuals within it, each of which lends credibility to the next approach.
Another example is where access to a particular site is sought. The attacker may tell reception that they have a box to deliver to a named individual whom research has shown to work on the site. Reception may be busy, or the attacker may pick the moment by watching reception from a distance until the right opportunity arises. When challenged, the suggestion that “it's OK, I know where he is, and I need a signature anyway” will often create enough familiarity for the intruder to be let through.
As described above, social engineering is often linked to insider attacks, since the majority of physical or electronic attacks can be assisted in some way by an insider. A small titbit of inside knowledge is used to get past the initial security perimeter, whether that perimeter is a conversation or a door.
Human nature allows social engineering to keep developing and to become more sophisticated and more technical. It is essential for all organisations, but particularly those with sensitive or valuable assets, to give front-line staff regular training so that they are aware of the threat and alert to the attack techniques. That training is most effective when it is backed by simple procedures staff can fall back on when put under pressure: for example, confirming a caller's identity by ringing back on a known number before disclosing anything, never resetting a password on the strength of a phone call alone, and escorting visitors rather than letting them find their own way.