
Social Engineering


  • Social Engineering

    Social engineering deals with the targeting and manipulation of human beings rather than technology or other mechanisms. This is popular because the human element is frequently the weak part of a system and most prone to mistakes.
    The reality is that security starts and stops with the human element. If that element fails, the entire system fails. The end user represents the first line of defense and is the one factor that can have the greatest impact on the relative security or insecurity of the target system. Human beings can be reactive or proactive to security incidents and can stop many issues before they become problems.

    Social engineering is generally defined as any type of attack that is nontechnical in nature and that involves some type of human interaction with the goal of trying to trick or coerce a victim into revealing information or violating normal security practices. The attack category relies on the weaknesses or strengths of human beings rather than the application of technology. Human beings have been shown to be very easily manipulated into providing information or other details that may be useful to an attacker.
    Social engineers are interested in gaining information they can use to carry out actions such as identity theft or stealing passwords, or in finding out information for later use. Scams may include trying to make a victim believe the attacker is technical support or someone in authority. An attacker may dress in a certain way with the intent of fooling the victim into thinking the person has authority, or to make a claimed profession believable. The end goal is for the victim to drop their guard, or for the attacker to gain enough information to better coordinate and plan a later attack.

    Sometimes an attacker may attempt to use reverse social engineering by posing as someone with a special set of skills that the attacker expects the target or subject is looking for. In that way the attacker may lure the victim into initiating communication with the attacker. This significantly increases the trust between the victim and the attacker.

    Social engineers operate in the same context as con artists; individuals who engage in this type of activity are very good at recognizing telltale signs or behaviors that can be useful in extracting information, such as the following:

    Moral Obligation
    An attacker may prey on a victim's desire to provide assistance because they feel compelled to do so out of a sense of duty.

    Trust
    Human beings have an inherent tendency to trust others. Social engineers exploit a human's tendency to trust by using buzzwords or other means. In the case of buzzwords, for example, use of familiar terms may lead a victim to believe that an attacker is in the know or has insider knowledge of a project or place. Human beings are a trusting lot. When you see someone dressed a certain way, such as wearing a uniform, or hear them say the right words, it causes you to trust them more than you normally would. This tendency to trust is a weakness that can be exploited.

    Threats and Fear
    A social engineer may threaten a victim if they do not comply with a request.

    Something for Nothing
    The attacker may promise a victim that for little or no work, they will reap tremendous rewards.

    The reality is that many people do not realize the dangers associated with social engineering and don't recognize it as a threat.

    Social engineering is effective for a number of reasons, each of which can be remedied or exploited depending on whether you are the defender or the attacker.

    Lack of a Technological Fix
    Technology can do a lot to fix issues and address security, but at the same time it can be a source of weakness. One thing that technology has little or no impact on is blunting the effectiveness of social engineering. This is largely because technology can be circumvented or configured incorrectly by human beings.

    Insufficient Security Policies
    The policies that state how information, resources, and other related items should be handled are often incomplete or insufficient at best.

    Difficult Detection
    Social engineering by its very nature can be hard to detect. An attack against technology may leave tracks in a log file or trip an Intrusion Detection System (IDS), but social engineering probably won't.

    Lack of Training
    Lack of training or insufficient training about social engineering and how to recognize it can be a big source of problems.

    Human Habit and Nature
    Human beings tend to follow certain habits and actions without thinking. People take the same route to work, say the same things, and take the same actions without thought. In many cases, humans have to consciously attempt to act differently from the norm in order to break from their learned habits. A good social engineer can observe these habits and use them to track people or follow the actions of groups, and gain entry to buildings or access to information.

    There is no patch for human stupidity: you can patch technology, but you can't patch a human being to solve a problem.

    Social engineering plays a vital role in other scenarios. One example is that of a trojan which exploits social engineering to entice a victim to open an executable or attachment that is infected with malware. A trojan is a piece of malware that relies on the element of social engineering as a mechanism to start an infection. Another example of how social engineering works is the case of scareware. This type of malware is designed to frighten a victim into taking action when none is necessary.

    Some common signs that may indicate a social engineering attack include, but are not limited to, the following:
    • Use of authority by an attacker, such as making overt references to who they are or who they know, or even making threats based on their claimed power or authority.
    • Inability to give valid contact information that would allow the attacker to be called or contacted as needed.
    • Making informal or off-the-book requests designed to encourage the victim to give out information that they may not otherwise.
    • Excessive name-dropping as to who the attacker knows inside the organization.
    • Excessive use of praise or compliments designed to flatter a victim.
    • Showing discomfort or uneasiness when questioned.

    Last edited by Resheph; 09-08-2017, 06:25 PM. Reason: Reverse social engineering added
    Certified Security Geek