Social engineering is a non-technical method of intrusion used by hackers that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations encounter today.
Why social engineering is performed
Social engineering is a component of many -- if not most -- types of exploits. Virus writers use social engineering tactics to persuade people to run malware-laden email attachments, phishers use social engineering to convince people to divulge sensitive information, and scareware vendors use social engineering to frighten people into running software that is useless at best and dangerous at worst.
How social engineering is performed
A social engineer runs what used to be called a "con game." For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network's security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appealing to vanity, appealing to authority, appealing to greed, and old-fashioned eavesdropping are other typical social engineering techniques.
Types of social engineering attacks
- Baiting. Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive or CD-ROM, in a place it is sure to be found. The finder then picks up the device and loads it onto his or her computer, unintentionally installing the malware.
- Phishing. Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into installing malware on his or her computer or device, or sharing personal or financial information.
- Pretexting. Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
- Quid pro quo. A quid pro quo is when an attacker requests personal information from a party in exchange for something desirable. For example, an attacker could request login credentials in exchange for a free gift.
- Spam. Spam is unsolicited junk email.
- Spear phishing. Spear phishing is like phishing, but tailored for a specific individual or organization. In these cases, the attacker is likely trying to uncover confidential information specific to the receiving organization in order to obtain financial data or trade secrets.
- Tailgating. Tailgating is when an unauthorized party follows an authorized party into an otherwise secure location, usually to steal valuable property or confidential information. This often involves subverting keycard access to a secure building or area by quickly following behind an authorized user and catching the door or other access mechanism before it closes.
How to counter social engineering
Security awareness training can go a long way toward preventing social engineering attacks. If people know what form a social engineering attack is likely to take, they will be less likely to fall victim to one. Organizations also perform penetration testing using social engineering techniques. This lets security teams learn which users pose a risk so that they can take steps to remediate that risk. The Social-Engineer Toolkit (SET) is a useful tool to create social engineering attacks for such tests.
Examples of social engineering attacks
Another aspect of social engineering relies on people's inability to keep up with a culture that relies heavily on information technology. Social engineers rely on the fact that people are not aware of the value of the information they possess and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or take advantage of people's natural inclination to choose passwords that are meaningful to them but can be easily guessed.
Prevention includes educating people about the value of information, training them to protect it and increasing people's awareness of how social engineers operate.