Hacker holiday greetings: Social engineering tactics

Hackers, at least ones who are good at what they do, have an intimate and in-depth knowledge of computer systems and applications. They have high-tech tools and utilities to help them identify target systems, bypass security measures, compromise computer systems and otherwise cause mischief.

The truth of the matter is that all of the programs and exploits in the hacker's arsenal pale in comparison to their number one weapon: social engineering. Social engineering is the art of preying on human nature for the purpose of misleading or deceiving someone.

The root of the problem is that most people, at their core, are fairly nice. People have an innate desire to be kind and helpful to one another. Just as some of the best features of an operating system or application end up being exploited for malicious purposes, this built-in kindness can be exploited by less scrupulous people to gain information or access. There are a number of angles that can be used to exploit basic human nature. Here are a few of the most common:

1. Urgency. "I know that this is totally against the rules, but my job is on the line. I was working on a report using information from the CFO. The report is due this afternoon and my computer crashed. I need access to the CFO's computer so I can get the data he sent me and get this report done in time for the meeting or I will be unemployed this time tomorrow." A hacker can use a sense of urgency to get a target to empathize with them. By pretending to be a user whose job is on the line a convincing hacker might be able to dupe a help desk technician into changing a password or otherwise granting access.

   More Information Read this chapter excerpt and learn about the social engineering process. Learn how social engineering can be used with technology.

2. Authority. "Good morning. Bob Reynolds, I am sure you were told to expect me. No? I am in from the Boston office for the audit. They should have told you. Oh well, just buzz me in. I still remember my way around from the last audit." A hacker pretending to be someone in a position of power or authority can convince a front desk receptionist to buzz them into the building or a user to hand over their username and password.

3. Greed. "Good day. My name is Mr. Umbutu Zabala. I am the former Secretary of the Interior for the sovereign country of Nigeria. Sadly, our illustrious prime minister has died and the government has been replaced by depraved villains. I have $39 million US dollars that I need to get out of the country until a legitimate government can be installed again. I hope that I can trust you to help me transfer this money to your country. For your services, I will gladly pay you 10% of the total funds, or $3.9 million…" Preying on basic human greed is a tremendous social engineering tactic. While most people recognize this as a ridiculous request and would never reply, this "Nigerian Bank Scam" has been victimizing naÏve people for decades.

These are just a few examples. Unfortunately, there is little defense. You want people to use common sense and good judgment. You don't want your users granting access or giving network credentials to strangers, but you also don't want everyone to be cynical and jaded against everyone and everything. Keeping users aware of common social engineering strategies may help them to be kind and helpful, but with a healthy dose of skepticism.

About the author:
Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications.

This tip originally appeared on SearchWindowsSecurity.com.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Threat Monitor How to stop malware in a 'Flash' How to detect system management mode (SMM) rootkits Windows registry forensics: Investigating system-wide settings Weaponizing Kaminsky's DNS discovery Debian: A niche OS with a not-so-niche security flaw Web advertising exploits: Protecting Web browsers and servers Ransomware: How to deal with advanced encryption algorithms Hidden endpoints: Mitigating the threat of non-traditional network devices Protecting exposed servers from Google hacks (and Google 'dorks') Countermeasures against targeted attacks in the enterprise Social Engineering Web-borne malware targets unexpected industries Combat social engineering the 'Carnegie' way Quiz: Anatomy of an attack Countermeasures against targeted attacks in the enterprise Stolen data ending up in Google cache, say researchers Information security book excerpts and reviews Should social engineering tests be included in penetration testing? What kind of data is compromised during a Google hack? How Russia became a malware hornet's nest Are senior level executives a target for social engineering attacks? Insider Threats Express Scripts offers reward in hacker extortion case Societe Generale bolsters internal controls, discovers second insider Information security book excerpts and reviews I am concerned that a former employee will utilize corporate information in a malicious way. Security pros focused on internal threat, training Reasearch on Coding Backdoors Presents Ugly Picture Deloitte survey finds overconfidence, lack of planning on security Data loss prevention from the inside out Insider dangers Survey finds access control problems at many firms RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary dumpster diving  (SearchSecurity.com) pretexting  (SearchCIO.com) shoulder surfing  (SearchSecurity.com) social engineering  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.