Social engineering is one of the most common ways for an outsider to get access to secure information. The majority of social engineering techniques do not even require a computer. They are techniques used to play against the human element by tricking people into giving up secure information.
Social engineering is a non-technical method of intrusion that hackers use. It relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
Social engineering can be separated into three categories: physical, verbal, and digital.
Physical Social Engineering
Physical Social Engineering is the act of someone physically gaining access to secure areas or information. Some examples of this are:
- Tailgating
Tailgating is the act of an unauthorized person closely following someone with a security badge through a secured door.
- Shoulder Surfing
Shoulder surfing is the act of looking over someone’s shoulder in hopes of viewing private or personal information on their screen, including watching someone put in their password or secure PIN.
- Baiting
Baiting is the act of leaving a physical device, such as a flash drive, in an open area. The flash drive could carry malicious software that infects a computer as soon as it is plugged in, and from there can spread to other computers on the network, giving the attacker access to secure information including financial data. This attack preys on people’s curiosity: the drive might be brand new and shiny, so someone wants to keep it, or they are simply curious about what they might find on it.
Verbal Social Engineering
Verbal Social Engineering is the act of an attacker talking to someone and convincing them to give up secure information such as passwords or financial details like account numbers, credit card numbers, and social security numbers. This type of attack does not appear threatening to the victim. The social engineer will usually be patient and polite and present themselves as an authority on the information they are trying to obtain. The attack can take place in person, over the phone, or even through email or instant messaging. Some examples of techniques that are used are:
- Pretexting
Pretexting is when one party lies to another to gain access to privileged data. A pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient. For example, an attacker may call and pretend to be an IT support technician following up on a ‘helpdesk ticket’, and request information about the computer in order to fix it. An aware person may say, “I never put in a ticket.” The attacker might reply with something like, “Ok, not a problem. Do you mind if we quickly troubleshoot anyway, just so I can tell my boss it was done and I can close the ticket? It will only take a couple of seconds and I really appreciate it.” The victim might give in at this point and play along just to get off the call without letting the poor IT guy down.
Another example is a call from a charity, whether real or fake, asking for a donation; for convenience, they can take a credit card over the phone. You get the idea. Attacks like this are among the most common verbal attacks because they are relatively low risk for the attacker: if one person shuts them down completely and gives up no information, they simply hang up and move on to the next person.
- Quid pro Quo
Quid pro Quo is where the victim is promised something desirable in exchange for releasing secure information. For example, think about your home WiFi for a minute. It is (and definitely should be) password protected. Hacking into a password-protected wireless network is far more difficult than gaining access to the actual network equipment; if I were able to connect to your networking equipment through a cable, I wouldn’t need a password. So a social engineer could come to the door and say that they are from XYZ Cable and Internet Company and are in the neighborhood to see which houses are eligible for a free Internet speed boost. To check whether you are eligible, they would need to see your network equipment and run some tests that would take only a couple of minutes. And that’s it! They gained access, connected to your equipment, read your WiFi password from the router, and now they have full access to your home network and any information stored on any machine on that network.
Anyone scared yet??
Digital Social Engineering
Digital Social Engineering is the act of breaching security through a digital format:
- Phishing
Phishing is when a malicious party sends a fraudulent email disguised as a legitimate one, often purporting to be from a trusted source. The message is meant to trick the recipient into installing malware on his or her computer or device, or into sharing personal or financial information.
Spam and unsolicited email offers should be treated as potential phishing attempts.
- Malware
Malware is malicious software that can arrive through a phishing email or a bundled third-party installer, or be installed locally by an attacker who has gained access to a workstation. Malware includes viruses, key-loggers, tracking software, etc.
- Scareware
Scareware can arrive through email or while web browsing. It appears to be a message from some sort of law enforcement agency telling you that your computer violated some law and will be locked or confiscated if you do not pay a certain amount immediately.
Avoid Social Engineering Tactics
The first step to counteracting social engineering is to be aware of what it is and some of the techniques. If people know what form a social engineering attack is likely to take, they will be less likely to fall victim to one.
Other considerations for preventing social engineering attacks are:
- Security Awareness Training (via classroom or online)
- Be aware of possible social engineering security threats
- Physical Prevention (install biometrics, security doors, and gateways. Also, tell a tailgater that they cannot access the door without a pass, etc.)
- Verbal (never be willing to give out secure information through email or over the phone)
- Digital (never click unknown links and stay away from ‘Online offers’ through email)
- Always do your own verification (if you are ever in question of the source, ask to call back and for a supervisor’s number)
Obviously there is a lot to consider here, but simply understanding what kinds of threats are out there greatly reduces the chance of becoming a victim. In future blog posts I will go into more detail about counteracting social engineering attacks and the different techniques being used to obtain secure information.