8.1 Social Engineering Concepts
What is Social Engineering?
- Social engineering is the art of convincing people to reveal confidential information. Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
- Social engineers depend on the fact that people are unaware of their valuable information and are careless about protecting it.
Behaviors Vulnerable to Attacks
- The human tendency to trust is the basis of any social engineering attack.
- Ignorance about social engineering and its effects among the workforce makes the organization an easy target.
- Fear of severe losses in case of non-compliance with the social engineer's request.
- Social engineers lure targets into divulging information by promising something for nothing (greed).
- Targets are asked for help and they comply out of a sense of moral obligation.
Factors that Make Companies Vulnerable to Attacks
- Insufficient Security Training.
- Unregulated Access to Information.
- Several Organizational Units.
- Lack of Security Policies.
Why is Social Engineering Effective?
- Security policies are only as strong as their weakest link, and humans are the most susceptible factor.
- It is difficult to detect social engineering attempts.
- There is no method to ensure complete security from social engineering attacks.
- There is no specific software or hardware for defending against a social engineering attack.
Phases in a Social Engineering Attack
- Research on Target Company: Dumpster diving, websites, employees, a tour of the company, etc.
- Select Victim: Identify the frustrated employees of the target company.
- Develop Relationship: Develop a relationship with the selected employees.
- Exploit the Relationship: Collect sensitive account and financial information, and current technologies.