The Non-Techie Guide to Understanding How it Works.
Have you seen the movies Matchstick Men, Catch Me If You Can, or Sneakers?
If you have, then you’ve seen plenty of social engineering in action.
Social Engineering, in the context of information security, is the art of manipulating human behavior or psychology to gain access to confidential information, buildings, systems or data. For example, a social engineer who wants access to your building won’t do it by hacking your security system, he’ll convince one of your employees to let him in.
In short, it’s easier for criminals to take advantage of your natural inclination to trust and be liked than it is to find ways to hack your machine.
Any security professional will tell you that the weakest link in the security chain is the human who accepts a person at face value. You can have all the bells and whistles money can buy in terms of security systems along with several deadbolts on your door; but if you open your door to the pizza delivery guy or someone who wears a police uniform without first checking if he’s legit, you’re left exposed to whatever threat he might actually represent.
[bctt tweet=”It’s easier for criminals to take advantage of your natural inclination to trust and be liked than it is to find ways to hack your machine.”]
Here are some situational examples of social engineering:
At the office:
“Can you hold the door for me? ” How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.
Some social engineers, using the tactic of Pretexting, will pretend to be a customer or another employee from a different department or branch seeking assistance. Posing as a peer and slipping in the occasional gripe or office gossip gathered on social media, the target might let his guard down and allow for a freer flow of information.
A cigarette is also a social engineer’s best friend. In the tactic known as Tailgating, a social engineer might wait near the smoking area where employees often go for breaks. Assuming he’s just another fellow-office-smoking mate, real employees will let him through the back door without question.
On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority like law enforcement to make you feel comfortable. He might learn the corporate lingo or use other techniques like recording the “hold” music a company uses when callers are left waiting on the phone.
Online:
Social networking sites such as Facebook, LinkedIn, and blogs have inadvertently made social engineering attacks easier because it now only takes a matter of minutes to put together detailed information to make a social engineering exercise seem credible.
With online scams, social engineers leverage both fear and curiosity, such as sending phishing emails, conducting tech support scams, or luring vulnerable people with romance/dating scams.
Information is the Currency of Social Engineering
Social engineering relies heavily on the 6 Principles of Influence established by Robert Cialdini. What this means is that criminals will need to spend considerable time getting to know a place or a person they’re targeting. They will gather and analyze all the information to see which area of influence you are more vulnerable to.
The problem is this:
More and more details about our lives are splashed all over the internet so what used to take months to collect, now often take days or even a few hours.
The more or generous or carefree you are with your personal information online, the more strangers (in addition to your friends) know about you—and the more “usable” information you have possibly given a social engineer to target you with.
How to make yourself less of a target.
Here are some tips, provided by experts, to help you lower your Internet profile and reduce the amount of personal information about yourself.
Never give out information by clicking a link or when someone calls you. When the retailer Target was hacked, they announced they were offering free credit reports. Social Engineers “targeted” customers with a scam email offering the free credit report
Don’t put anything on social media or online that you wouldn’t want hackers to know. That’s a slice of personal history that gives a Social Engineer plenty to work with and the more they can prove they know (about) you, the more trusting you become.
Keep watch over what you’re tagged in on other’s profiles. You may not be actively posting on your social media accounts but your friends, family, and coworkers may be doing the work for you. Keep a close eye on where and how you’re tagged online – adjust your privacy and permission settings to retain control.
Don’t be a social engineering victim.
Online awareness is the number one defensive measure against social engineering.
“People inherently want to trust, that’s what a successful social engineering attack comes down to,” says Chris Blow, offensive security architect at property and casualty insurer Liberty Mutual. “People don’t want to appear skeptical of another person’s actions. Most people want to be kind and courteous and are trained to be compliant, especially in a work environment.”
But we all remember the advice we heard from parents and teachers when we were young. “Beware of strangers.” That’s a good reminder for the “invisible” strangers online.
Help your employees, co-workers, family, and friends be aware of social engineering and be familiar with the most commonly used tactics