By Kevin Beaver

Social engineering takes advantage of the weakest link in any organization’s information security defenses: people. Social engineering is “people hacking” and involves maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal gain.

Social engineering is one of the toughest hacks to perpetrate because it takes bravado and skill to come across as trustworthy to a stranger. It is also by far the toughest attack to defend against, because the defense rests on people who are making their own security decisions in the moment.

In a social engineering scenario, those with ill intent pose as someone else to gain information they likely couldn’t access otherwise. They then take the information they obtain from their victims and wreak havoc on network resources, steal or delete files, and even commit corporate espionage or some other form of fraud against the organization they attack. Social engineering is different from physical security exploits, such as shoulder surfing and dumpster diving, but the two types of hacking are related and often are used in tandem.

Here are some examples of social engineering:

  • “Support personnel” who claim that they need to install a patch or a new version of software on a user’s computer, talk the user into downloading it, and end up with remote control of the system.

  • “Vendors” who claim to need to update the organization’s accounting package or phone system, ask for the administrator password, and walk away with full access.

  • “Employees” who tell the security desk that they have lost their access badge to the data center, receive a set of keys from security, and gain unauthorized access to physical and electronic information.

  • Phishing e-mails, sent by anyone at all, to harvest user IDs and passwords from unsuspecting recipients. These attacks can be generic or aimed at specific people, which is called spear phishing. The criminals then use those passwords to install malware, gain access to the network, capture intellectual property, and more.
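The phishing item is the one entry in this list that arrives as a machine-readable artifact, so it is the one where a defender can do more than train people. The following is an added example, not code from the original article: a few of the header and link heuristics a mail-filtering team applies to a credential-harvesting message (Reply-To pointing somewhere other than the From domain, a display name naming a brand the sending domain does not belong to, link text that shows one host while the href goes to another, and urgency wording). The e-mail text and every domain in it are constructed for the example.

```python
"""Flag common phishing indicators in a raw e-mail message.

Added example, not from the original article. The sample messages and
domains below are constructed; none of them is real infrastructure.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases typical of credential-harvesting mail (heuristic, not exhaustive).
URGENCY_PHRASES = (
    "verify your account", "account will be suspended", "confirm your password",
    "unusual sign-in", "within 24 hours",
)

# Constructed spear-phishing sample: brand in the display name, a lookalike
# sending domain (digit 1 for letter l), a foreign Reply-To, and a link whose
# visible text names the real bank while the href goes to the lookalike host.
SAMPLE = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.com>
Reply-To: recovery@mailbox-relay.test
To: employee@corp.example
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an unusual sign-in. Please <a href="http://examp1e-bank-login.com/verify">
https://www.example-bank.com/login</a> to confirm your password within 24 hours
or your account will be suspended.</p>
</body></html>
"""

# Constructed benign sample from the same (fictional) bank.
BENIGN = """\
From: "Example Bank Support" <alerts@example-bank.com>
To: employee@corp.example
Subject: Statement ready
Content-Type: text/plain; charset="utf-8"

Your monthly statement is available in online banking.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _first_address(msg, header):
    """Return the first parsed Address of a header, or None if absent."""
    hdr = msg[header]
    if hdr is None or not getattr(hdr, "addresses", ()):
        return None
    return hdr.addresses[0]


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable indicators found in the message (empty if none)."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = _first_address(msg, "From")
    reply = _first_address(msg, "Reply-To")
    from_domain = sender.domain.lower() if sender else ""
    if reply and reply.domain.lower() != from_domain:
        findings.append(
            f"Reply-To domain {reply.domain.lower()} differs from From domain {from_domain}")

    # First word of the display name taken as the claimed brand; flag it when the
    # sending domain does not contain it (catches lookalikes such as examp1e-).
    display = sender.display_name.lower() if sender else ""
    brand = display.split()[0] if display else ""
    if brand and brand not in from_domain:
        findings.append(f"Display name '{display}' does not match sending domain {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Visible link text naming one host while the href points at another.
    parser = _LinkCollector()
    parser.feed(text)
    for href, visible in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"https?://([\w.-]+)", visible)
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"Link text shows {shown.group(1)} but points to {href_host}")

    lowered = re.sub(r"<[^>]+>", " ", text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"Credential-harvest wording: '{phrase}'")

    return findings


if __name__ == "__main__":
    for name, raw in (("SAMPLE", SAMPLE), ("BENIGN", BENIGN)):
        print(name, phishing_indicators(raw))
```

None of these checks is conclusive on its own (a legitimate newsletter may set a Reply-To on another domain, for instance); the value is in scoring several together and routing anything that trips more than one to a human, which is where the people-focused defenses the article goes on to discuss take over.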

Sometimes, social engineers act as confident and knowledgeable managers or executives. At other times they might play the roles of extremely uninformed or naïve employees. They also might pose as outsiders, such as IT consultants or maintenance workers. Social engineers are great at adapting to their audience. It takes a special type of personality to pull this off, often resembling that of a sociopath.

Effective information security — especially the security required for fighting social engineering — often begins and ends with your users. Never forget that basic human communications and interaction have a profound effect on the level of security in your organization at any given time.

The candy-security adage is “Hard, crunchy outside; soft, chewy inside.” The hard, crunchy outside is the layer of mechanisms — such as firewalls, intrusion prevention systems, and content filtering — that organizations typically rely on to secure their information. The soft, chewy inside is the people and the processes inside the organization. If the bad guys can get past the thick outer layer, they can compromise the (mostly) defenseless inner layer.