Hacker holiday greetings: Social engineering tactics

Hackers, at least ones who are good at what they do, have an intimate and in-depth knowledge of computer systems and applications. They have high-tech tools and utilities to help them identify target systems, bypass security measures, compromise computer systems and otherwise cause mischief.

The truth of the matter is that all of the programs and exploits in the hacker's arsenal pale in comparison to their number one weapon: social engineering. Social engineering is the art of preying on human nature for the purpose of misleading or deceiving someone.

The root of the problem is that most people, at their core, are fairly nice. People have an innate desire to be kind and helpful to one another. Just as some of the best features of an operating system or application end up being exploited for malicious purposes, this built-in kindness can be exploited by less scrupulous people to gain information or access. There are a number of angles that can be used to exploit basic human nature. Here are a few of the most common:

1. Urgency. "I know that this is totally against the rules, but my job is on the line. I was working on a report using information from the CFO. The report is due this afternoon and my computer crashed. I need access to the CFO's computer so I can get the data he sent me and get this report done in time for the meeting or I will be unemployed this time tomorrow." A hacker can use a sense of urgency to get a target to empathize with them. By pretending to be a user whose job is on the line a convincing hacker might be able to dupe a help desk technician into changing a password or otherwise granting access.

   More Information Read this chapter excerpt and learn about the social engineering process. Learn how social engineering can be used with technology.

2. Authority. "Good morning. Bob Reynolds, I am sure you were told to expect me. No? I am in from the Boston office for the audit. They should have told you. Oh well, just buzz me in. I still remember my way around from the last audit." A hacker pretending to be someone in a position of power or authority can convince a front desk receptionist to buzz them into the building or a user to hand over their username and password.

3. Greed. "Good day. My name is Mr. Umbutu Zabala. I am the former Secretary of the Interior for the sovereign country of Nigeria. Sadly, our illustrious prime minister has died and the government has been replaced by depraved villains. I have $39 million US dollars that I need to get out of the country until a legitimate government can be installed again. I hope that I can trust you to help me transfer this money to your country. For your services, I will gladly pay you 10% of the total funds, or $3.9 million…" Preying on basic human greed is a tremendous social engineering tactic. While most people recognize this as a ridiculous request and would never reply, this "Nigerian Bank Scam" has been victimizing naÏve people for decades.

These are just a few examples. Unfortunately, there is little defense. You want people to use common sense and good judgment. You don't want your users granting access or giving network credentials to strangers, but you also don't want everyone to be cynical and jaded against everyone and everything. Keeping users aware of common social engineering strategies may help them to be kind and helpful, but with a healthy dose of skepticism.

About the author:
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications.

This tip originally appeared on SearchWindowsSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Threat Monitor,   Security Awareness Training and Internal Threats,   Information Security Management,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor Cut down on calls to help desk with cybersecurity awareness training How to detect software tampering How to prevent phishing attacks with social engineering tests An enterprise strategy for Web application security threats How SSL-encrypted Web connections are intercepted How a corporate Twitter policy can combat social network threats Cyberwarfare and the enterprise: Is the threat real? Software security threats and employee awareness training Newest malware threats How to defend against rogue DHCP server malware Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) Honeynet Project  (SearchSecurity.com) insider threat  (SearchSecurity.com) National Computer Security Center  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) single-factor authentication (SFA)  (SearchSecurity.com) social engineering  (SearchSecurity.com) Total Information Awareness  (SearchSecurity.com) trusted computing  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.