Social engineering, a term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.

1 Social engineering is often the weak link in a company's or corporation's defensive curtain, because employees, the "human firewall", fall prey to weak procedures and a lack of training. It is often said that social engineering is the easiest way to attack a system and requires the least technical ability. The goal of social engineering is to gain access to a system or network and to the information therein.

Examples of this attack include phishing, pretexting, Trojan horses and quid pro quo. Another form that is becoming more popular is called a road apple: a USB stick or some other data medium is left where a person will find it. That person will either try to return it or, more likely, curiosity will lead them to run it on their system, which may install software or present misleading information. Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and many industrial companies. Trade secrets and their worth can make or break a company's success, making social engineering a popular, if not very ethical, business plan. Preventing social engineering is difficult for management regardless of location.

Human firewalls built from extensive training and procedures can still fall victim to con artists, actors and various psychological factors. All social engineering relies on the friendliness, frustration or helpfulness of a company employee to gain unauthorized credentials and access. Sometimes security procedures are simply not followed; for example, documents are thrown in the garbage and someone who happens to be dumpster diving finds them.

Social engineering can be hindered by physical security such as biometric scanning, as long as the access point requiring such measures isn't compromised by a “helpful” employee letting the engineer in. In the workplace, the hacker can simply walk in the door, like sneaking into the movies, and pretend to be a maintenance worker or a person with access to the organization. The intruder then wanders through the office until enough information and passwords are discovered, and exploits the network from home later.

Another technique for gaining authentication information is to stand and watch an oblivious employee type in his user name and password. Important security information is often released through pointed questions, asked either obviously or discreetly, by a person talking to or contacting the company. Most companies have procedures for such situations, but they are either not tight enough to direct employees to the correct responses or not available at all. “If common sense was common, everyone would have some.” A sensible adage, and often the case: different life experiences may lead a person to be more naive or to be more cautious and security conscious. If everyone really had common sense, social engineering would not be the easiest attack to perpetrate.

One of the most common and most recognizable forms of social engineering is phishing: an attempt to criminally and fraudulently acquire sensitive information such as user names, passwords and credit card details by looking official in some way. Typically it is carried out by email or instant messaging and directs users to enter details at a website, although sometimes the phone is used as well. The most annoying, and probably most common, Internet phishing is the mass of false emails from banks asking for user names and passwords. Those false emails can lead to sites that are nearly identical in URL or in appearance and might seem genuine. The biggest problem with password-driven theft is that many users don't rotate passwords, or use one password for all of their Internet activity. People can take steps to avoid phishing attempts by slightly modifying their browsing habits. When contacted about an account needing to be "verified", it is smart to contact the company from which the email apparently originates to check that the email is legitimate. For example, no bank would send an email asking you for verification or asking you to log in.

Alternatively, the address that the individual knows to be the company's genuine website can be typed into the browser's address bar, rather than trusting any emailed hyperlinks. Genuine official emails usually contain information that is not readily available to phishers, such as your user name or address. However, a recent study indicated that the presence or absence of such details makes little or no difference to actual users, and phishing statistics remain the same.
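As an added example (not code from the original post), a small Python check for the advice above about not trusting emailed hyperlinks: it pulls the links out of a constructed phishing-style message body and flags any whose visible URL text points at a different domain than the real target, any bare-IP target, and any target outside a known-good domain list. The sample body, the KNOWN_GOOD set and the two-label domain heuristic are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body in the style of a bank "verification" email.
SAMPLE_BODY = """<p>Dear customer, your account must be verified.</p>
<a href="http://examplebank-verify.example.net/login">https://www.examplebank.com/login</a>
<a href="https://www.examplebank.com/help">Help centre</a>
<a href="http://192.0.2.10/secure">Secure login</a>"""

# Assumed list of domains the reader knows to be genuine for this sender.
KNOWN_GOOD = {"examplebank.com"}

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude eTLD+1: last two labels (assumption: no multi-label public suffixes)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def suspicious_links(html_body, known_good=KNOWN_GOOD):
    """Return (href, reason) for each link a user should not follow from the email."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):  # raw IP, no company domain
            findings.append((href, "target is a bare IP address, not a company domain"))
            continue
        shown = urlparse(text).hostname if "://" in text else None  # URL shown as text
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append((href, f"visible text says {shown} but link goes to {host}"))
        elif registered_domain(host) not in known_good:
            findings.append((href, f"{host} is not a known domain for this sender"))
    return findings
```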

2 Another, broader form of social engineering falls under persuasion. Many hackers and advertising agencies train themselves in social engineering from a psychological point of view, emphasizing how to create the perfect psychological situation. By controlling factors and anticipating responses, conversational dialog and their own appearance, an attacker can make the attack an innocent-seeming seduction of information that is not discovered until too late.

Often the perpetrator will be able to defuse tense situations with charm, impersonation and friendliness. Impersonation is the least likely persuasion tactic because of the time it takes to prepare for such an endeavor. More likely is the disguise of a repairman or IT professional who is there to “repair” a problem, which is common enough that they would be figuratively invisible in some work environments. An example outside an IT environment would be a teenager not quite 19 years of age wanting alcohol. It is easy to fake age verification with a decent-looking ID borrowed from another person, with a Visa card as the second piece.

The assumption is that while you must be 19 as your primary ID indicates, the secondary piece erases all doubt, because what 18-year-old is in possession of a Visa? In large corporations, it is nearly impossible to know who everyone is. If your ID looks credible enough and you have a believable background story if questioned, impersonating or faking an identity is easy enough. No employee likes to get in trouble with their boss, and when push comes to shove the attacker will often get what he or she wants and have the upper hand. The best way to obtain information in a social engineering attack is just to be friendly. The idea is that the average user wants to believe the colleague on the phone and wants to help, so the hacker only needs to be basically believable. With men or women, flirtation and flattery may soften up the intended target to reveal further information, or “break the ice” and confuse the situation enough that information can be gained.

If your goal is to protect your network, you cannot rely on technology alone. Attackers are not just preying on the inexperienced; they are also focusing on the professional IT community. This means “that businesses can implement as much security software as they like and they can apply all possible patches to their systems, and yet if people are using those systems, the systems are vulnerable.” 5 Attackers will always choose the path of least resistance. Social engineering is becoming the easier approach, as hacking systems and breaking into networks gets more difficult and less worth the effort. Is it getting worse as time progresses? “It is a consistent problem,” 6 and as long as there are people at those workstations, social engineering will be there well into the future.

Humans will always make mistakes regardless of how well trained they may be or how good a person they are. If an employee is exhausted or caught off guard, the response might not be the correct one. Defending users against these types of personal approach is very difficult. Some users are naturally disposed to fall for one of these four attacks. The defense against an intimidation attack is the development of a “no fear” culture within a business. If normal behavior is politeness, then the success of intimidation is reduced, because individual staff members are more likely to escalate confrontational situations. A supportive attitude within management and supervisory roles toward escalating problems and decisions is the worst thing that can happen to a social engineering hacker. Their goal is to encourage a target to make a quick decision; with the problem escalated to a higher authority, they are less likely to achieve it. Terminated employees are often a big and forgotten problem.

Even current employees who are disgruntled can be a risk to security. An employee who picks up hints from the employer that they are about to be fired might take actions that hurt the company. For example, there have been instances where persons who were about to be fired were warned before the actual firing, resulting in the soon-to-be-fired employee taking the company's clients or databases and selling user information for revenge or other motives. Preventing such actions requires a procedure for terminating employees and one for background checks, where the work environment requires one. An employee should not be told that they are fired until they are fired and escorted from the building; while that is happening, a company IT professional or administrator is removing their system access. 7 If employees are under suspicion for their actions, a subtle audit of their computer activities should perhaps be put in place, provided their union agreement or contract allows such a thing, or at least does not forbid it.

Some would say the rate of success for social engineering is low; this writer would say it is high. Maybe the success rate of major engineering attempts is lower and their number is low as well, but the general idea behind social engineering is very common. For example, at a local university college a group of second years made a falsified document to trick the first years into installing software such as AOL on their systems. It looked like an official assignment document, but how it got into the first-year room was social engineering: one second year knocked on the door looking for a student and kept the room busy by “tutoring”, while another student followed behind and left the assignments. It was caught and not much damage was done, but it was an example of a semi-successful attempt.

Serious social engineering attempts cause disruptions in production, and in most environments disruptions cost money. They are a popular alternative to cracking for unskilled and skilled crackers alike. A network may have the fanciest and most diversified layered security, but it will still be plagued by its users and administrators. Only training and proper procedures can reduce social engineering, but people make mistakes and damage control will always have to be administered.

References

1.) social engineering. (n.d.). The Free On-line Dictionary of Computing. Retrieved November 16, 2007, from Dictionary.com website: http://dictionary.reference.com/browse/social engineering

2.) http://www2006.org/programme/item.php?id=3533

3.) http://www.securityfocus.com/infocus/1527

4.) http://www.securityfocus.com/news/199

5.) http://ca.com/us/securityadvisor/documents/collateral.aspx?cid=157506

6.) http://www.cioinsight.com/article2/0,1397,1228942,00.asp

7.) Guide to Security+

8.) http://blog.trendmicro.com/don27t-be-gullible3a-social-engineering-revisited/

9.) http://www.microsoft.com/technet/security/midsizebusiness/topics/complianceandpolicies/socialengineeringthreats.mspx

10.) The Game: Penetrating the Secret Society of Pickup Artists, by Neil Strauss
