Humans will always be the weakest link in a target's security posture. The more you try to control end users, the more they will try to bypass policies; the fewer controls you put in place, the less likely it is that the policies will be followed. This creates a double-edged sword when deciding how to protect end users from cyber threats. Attackers know this and target end users in various ways, each aimed at compromising a key characteristic of the average user: trust.
What is Social Engineering?
Social engineering is an attempt to trick someone into revealing information (for example, a password) that can be used to attack systems or networks. It is used to test the human element and user awareness of security, and can reveal weaknesses in user behavior such as failing to follow standard procedures. Social engineering can be performed through many means, including analog (for example, conversations conducted in person or over the telephone) and digital (for example, e-mail or instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords. Phishing uses authentic-looking e-mails to request information or to direct users to a bogus website that collects it. Other examples of digital social engineering include crafting fraudulent e-mails and sending attachments that could mimic worm activity.
Social engineering is the art of manipulating people into performing actions or divulging information. Many client-side attacks are based on tricking an end user into exposing their systems to an attack. Social engineering can range from calling somebody while pretending to be an authorized employee to posting a link on Facebook that claims to be a service while really being a means to compromise the client.
Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact. For example, phishing attacks can be targeted based on publicly available information about specific individuals (for example, titles or areas of interest). Individual targeting can lead to embarrassment for those individuals if testers successfully elicit information or gain access. It is important that the results of social engineering testing are used to improve the security of the organization and not to single out individuals. Testers should produce a detailed final report that identifies both successful and unsuccessful tactics used. This level of detail will help organizations tailor their security awareness training programs.
Like many hacking techniques, social engineering got its start in attacks against the telephone company. Hackers (or phone phreaks, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.
- Social engineering is probably as old as speech, and goes back to the first lie.
- It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and/or insistent.
- No amount of technology can protect you against a social engineering attack.
What are the Common Techniques of Social Engineering?
- Social Engineering by Phone
- Dumpster Diving
- On-line Social Engineering
- Persuasion
- Reverse Social Engineering
- And many more.