Whilst many people might suspect, and consequently defend against, physical and system-based attacks, one facet of security that is often overlooked is social engineering.
Social engineering, as the name suggests, is a highly developed field that manipulates human psychology to produce a result the attacker wants, most often information that can be used in a later attack. Sometimes the entire attack can be carried out through social engineering alone.
Social engineering plays in part on people's propensity (especially in the UK!) to be helpful and to go out of their way to ensure that the 'customer' has a good experience.
From an objective point of view, social engineering is a blend of science, creativity, art and psychology: a good social engineer doesn't need to force the victim to hand over information, they make the victim *want* to give it away.
In a world where many systems are becoming ever more secure, the return on spending weeks or months plotting an attack against a system, versus making a phone call or gaining physical access to the building, is worth considering, especially since many employees get no specific training in the threats posed by social engineering.
Social engineering is everywhere: salespeople elicit information to clinch a sale, the media want to persuade you to think a certain way, and politicians want to make you believe in them.
One of the most common methods of attack is by phone. It is hard to trace back to the attacker (if done carefully) and can be carried out over any distance. The victims are often help desk operators, because of the nature of their roles: they are trained to be of the utmost assistance and to please the caller in any way they can, so when I ring and ask them to reset a password, or pretend I'm a fellow employee, they act on instinct.
Personal attacks are also popular, especially those in which someone rings or texts pretending to be from your bank and asks you to read out your card number and PIN or password.
Whilst we as security practitioners might wonder how anyone falls for these ploys, it's important to remember that the 'general' public simply don't have security and suspicion in mind all of the time, and tend to want to believe in the good of those they are interacting with.
Social engineering is a vast and creative class of attack; the defence, by contrast, is not so vast, and a few conscious choices can make all the difference.
Whilst training employees is a great idea, it's important to note that many attacks actually come from inside the company, from disgruntled employees for example.
In these cases the training will be known and can be exploited. The old 'something you know, something you have, something you are' principle is good here: if verifying a caller's identity requires at least two independent factors, such as a unique code or PIN combined with a callback to the phone number held on record rather than to whatever number the caller volunteers, then knowing the script alone is not enough, and you have at least ensured a deeper level of security.
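The help desk password reset described above, both the phone pretext and the two-factor verification meant to defeat it, is easiest to reason about as a concrete procedure. The following is an added example written for this page, not code from the original post: a small model of a reset desk in Python in which the one-time code goes only to the phone number on record (something you have), the caller must also give the PIN on file (something you know), both checks run to completion so the operator cannot tell which factor failed, and the request expires or is voided after a few attempts. The employee record, phone number and PIN are constructed for illustration, and `send_sms` is injected so it runs offline; in a real deployment it would be the SMS gateway.

```python
"""Help-desk password-reset verification with two independent factors.

Added example, not from the original post. The employee record, phone
number and PIN below are constructed for illustration only.
"""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # one-time code is valid for five minutes
MAX_ATTEMPTS = 3        # after this the request is voided and must be restarted


def hash_secret(secret: str, salt: str) -> str:
    """Salted hash so the desk never stores or displays a raw PIN or code."""
    return hashlib.sha256((salt + ":" + secret).encode()).hexdigest()


# Constructed directory: what the company holds on record for each employee.
# The number uses the Ofcom reserved +44 1632 range, i.e. it is fictitious.
DIRECTORY = {
    "jsmith": {
        "phone_on_record": "+441632960123",
        "pin_salt": "s1",
        "pin_hash": hash_secret("4921", "s1"),
    },
}


class ResetDesk:
    """Models the help-desk procedure. `send_sms(number, text)` and `clock()`
    are injected so the example runs offline and is testable."""

    def __init__(self, directory, send_sms, clock=time.time):
        self.directory = directory
        self.send_sms = send_sms
        self.clock = clock
        self.pending = {}   # request_id -> verification state
        self.audit = []     # what an investigator would later want to see

    def start_reset(self, username: str, caller_supplied_phone: str = ""):
        """Factor one, something you have: the code goes only to the number on
        record. A number volunteered by the caller is ignored but logged."""
        record = self.directory.get(username)
        if record is None:
            self.audit.append(("unknown_user", username))
            return None
        if caller_supplied_phone and caller_supplied_phone != record["phone_on_record"]:
            self.audit.append(("caller_phone_mismatch", username, caller_supplied_phone))
        otp = f"{secrets.randbelow(10**6):06d}"
        request_id = secrets.token_hex(8)
        self.pending[request_id] = {
            "user": username,
            "otp_hash": hash_secret(otp, request_id),
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(record["phone_on_record"], f"Reset code: {otp}")
        self.audit.append(("otp_sent", username, request_id))
        return request_id

    def complete_reset(self, request_id: str, pin: str, otp: str) -> bool:
        """Factor two, something you know: the PIN is checked together with the
        code. Both comparisons always run, so nothing reveals which one failed."""
        state = self.pending.get(request_id)
        if state is None:
            return False
        if self.clock() > state["expires"] or state["attempts"] >= MAX_ATTEMPTS:
            self.pending.pop(request_id)
            self.audit.append(("request_voided", state["user"], request_id))
            return False
        state["attempts"] += 1
        record = self.directory[state["user"]]
        pin_ok = hmac.compare_digest(hash_secret(pin, record["pin_salt"]), record["pin_hash"])
        otp_ok = hmac.compare_digest(hash_secret(otp, request_id), state["otp_hash"])
        if pin_ok and otp_ok:
            self.pending.pop(request_id)
            self.audit.append(("reset_approved", state["user"], request_id))
            return True
        self.audit.append(("reset_denied", state["user"], request_id, state["attempts"]))
        return False
```

The point of the design is that the caller contributes nothing the desk relies on: the operator keys in only the username, the code is sent to a number the company already holds, and a caller who knows the training script but is not at that phone and does not know the PIN gets three denials and a voided request, all of which end up in the audit trail.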
As with any system, you can never make it completely secure; however, a comprehensive security policy and a commitment to personal and corporate education can make the difference. The fact is that social engineering can and does happen, and the better educated you are, the better you can deal with it.
You can read more about how social engineering happens, with an in-depth look at the tactics, here. In addition, this paper from sans.org showcases some of the best ways to prevent social engineering here.