2. Introduction
What is 'Social Engineering'?
Social Engineering is probably most succinctly described by Harl in 'People
Hacking':
"…the art and science of getting people to comply with your wishes."
“Social engineering is the practice of obtaining confidential information by
manipulation of legitimate users. A social engineer will commonly use the
telephone or Internet to trick a person into revealing sensitive information or
getting them to do something that is against typical policies. By this method,
social engineers exploit the natural tendency of a person to trust his or her
word, rather than exploiting computer security holes. It is generally agreed
upon that “users are the weak link” in security and this principle is what makes
social engineering possible.”
Unknown Author, "Social Engineering", Wikipedia
3. An example at a glance,
“In 1994, a French hacker named Anthony Zboralski called the
FBI office in Washington, pretending to be an FBI representative
working at the U.S. embassy in Paris. He persuaded the person at
the other end of the phone to explain how to connect to the
FBI's phone conferencing system. Then he ran up a $250,000
phone bill in seven months.”
Bruce Schneier “Secret and Lies”
5. 1. Information gathering
There could be variety of techniques which is used by the
aggressor to gather sensitive information about the target(s).
Once these information are gathered, it can be used to build
a relationship either with the target or someone who is
important to the success of the attack.
Information that might be gathered includes, but is not only
limited to:
•A birth date
•A phone list
•An organization’s organizational chart
6. 2. Developing Relationship
An aggressor will first try to build up a good bonding with the
target. He makes sure that he gains the trust of the target which
he’ll later exploit.
3. Exploitation
The target could then be manipulated by the ‘trusted’ attacker to
reveal their sensitive information like password to carry out an
action (eg. re-enter your username pass for reversing Facebook
policies) this normally occurs. This action could be at the
beginning or end of the attack of the next phase.
4.Execution
Once the target has finished the task requested by the attacker,
the cycle is complete.
11. There are two types of Social Engineering attacks
Technical attacks
Non-technical attacks.
“Technical attacks are those attacks that deceive the user into
believing that the application in use is truly providing them with
security which is not the fact always.”
12. The most Technical attacks
Phishing
Phishing is a new term of the century which is used to take over a private
information from a user. Your natural response to this statement is, of course, "yea
but I am not so simply fooled." And of course you aren't. This is why phishers use a
technique called "social engineering".
This is generally used for cybercrimes but sometimes it is also done through the
telephone/mobile phone. The information which is obtained is then used to
commit crimes-such as logging into your Facebook account and posting vulgar or
illicit data on your wall or taking over full control of your bank account and then
transfer money. In phishing, the aggressor never come face to face.
The appearance and logos are almost same like the original one or sometimes same
as the original which requests a user to “verify” the information and if not followed,
it will lead to serious consequences. These kind of emails appear to have come
from a legitimate business organization.
14. Spam e-mails
This is a mass e-mail system. Hundreds and thousands of e-mails are
sent to the victim. This is tightly related with phishing attempt.
15. The non- technical attacks
“Non technical attacks are those attacks that are purely perpetrated through
the art of deception.”-peer to peer
Support staff
The attacker acts as a clean support crew to help users to fix any problem.
During this process they ask for their credentials and after this procedure
their account is compromised by the attacker.
Hoaxing
It is a trick to make the user believe that something false is real. Unlike a
fraud or con, a hoax is perpetrated as a practical funny story, to cause
humiliation or to provoke social change by making aware of something.
16. Authoritative Voice
The attacker can call up to the organization’s computer help
desk and pretend to have trouble accessing the system. He/she
claims to be in a hurry and needs his password reset right away
and also demands to know the password over the phone. If the
aggressor adds little credibility to his story with information that
has been picked up from other social engineering methods, the
crew is more likely to believe in the attacker’s fake story and do
as requested.
17. Countermeasures to prevent Social Engineering
The question might arise in your mind. How can you fully protect against
Social Engineering attack? Is there a way? The answer is almost ‘No’. For the
simple reason that no matter whatever controls are implemented, there will
always be the possibili1ty of the human exploitation being influenced by a
social, political or sophisticated behavior.
Nevertheless, as with any risk, there are ways in which we can diminish the
risks by following some useful tricks. But one can never guarantee that
he/she will never be a victim/target of Social Engineering attack.
However, you can follow the following ways to protect against Social
Engineering. Do never reveal information like:
19. Summary
The skilled application of Social Engineering can be a danger to
the protection of any organization. As a security professional, it
is vital to understand the significance of this hazard and the way
in which it can be manifested.
Only then can appropriate counter-measures be employed and
sustain in order to guard an organization on a refular basis.