The Truth Behind Social Engineering
Intelligent criminals know that their success hinges on choosing the right opportunity to exploit a particular weakness. That is why burglars avoid properties with alarm systems, car thieves hunt for unlocked vehicles, and muggers don’t attack someone walking out of a dojo in a white gi and a black belt. In other words, they go after the “lowest-hanging fruit”.
Similarly, criminals who use social engineering look for opportunities to apply manipulation and deception to the weakest link in the security chain. For the social engineer, that weak link is usually the organization’s own people and procedures.
Unlike conventional security threats, which physical or electronic controls can stop, social engineering techniques exploit fundamentals of human nature. Our natural tendency to help other people, our wish to avoid conflict, our worry about making mistakes and our fear of getting ourselves or others into trouble are all traits that social engineers treat as vulnerabilities. A professional social engineer is betting that the ability to manipulate these basic traits will create a situation in which the victim becomes an unwitting accomplice.
A seasoned social engineer also knows precisely whom to target. Although top executives may have direct access to the most valuable information in the organization, social engineers understand that compromising executives directly is more complicated and time-consuming. Instead, they set their sights on low- and mid-level employees. Receptionists, cleaning crews, tellers and even managers of remote branches are all attractive targets. These are the employees who typically receive the least security awareness training and are therefore more vulnerable to manipulation and deception. Their positions can also give the criminal access to sensitive areas during off-peak hours, when the chance of being discovered is far lower.
Traits of a Weak Security Chain
Industry professionals and government regulators agree that the institutions most at risk of falling victim to social engineering tend to lack (1) adequate policies and procedures for physical security, (2) a security awareness program that trains staff at all levels, or (3) a recognized system for tracking vendors and visitors. These three elements depend on one another to defend properly against social engineering schemes. A deficiency in one area creates a significant vulnerability in the others, giving a savvy social engineer an easy entry point to exploit.
Of course, professional social engineers know this too. That is why tactics like the “Trusted Vendor” scenario, which can exploit several of these vulnerabilities at once, tend to be highly effective at organizations with inadequate policies and procedures, limited security awareness training and no formal system for tracking approved vendors.
A Case Study in Social Engineering
Working with only basic information-gathering techniques, it is not hard to devise a plausible “Trusted Vendor” scenario that looks entirely believable to an unsuspecting victim.
For example, if a criminal’s goal is to covertly gain access to sensitive areas inside a financial institution, he may decide to pose as a pest control technician. First, the social engineer needs to discover which pest control company the institution currently uses. Setting up surveillance outside a branch and waiting for the technician to show up would take far too long. However, calling the institution in the guise of a new pest control company that wants to submit a competing bid may reveal the name of the current provider. If so, the next step is to pull the real pest control company’s logo off the web and produce a believable uniform with a do-it-yourself iron-on kit.
The social engineer can then use social networks to learn the names of most of the organization’s managers and, with luck, the dates on which those managers will be on vacation. A call is then placed to the branch receptionist late in the day, claiming that the (absent) manager asked him to come and treat the office immediately. The criminal can almost certainly weave a convincing story that creates a sense of urgency and gives him a reason to keep staff away while he is “working”. One plausible pretext is that management reported a rat infestation but wants it kept quiet to avoid alarming the rest of the employees. On hearing that kind of unsettling news, any suspicion of the pest control technician is almost certainly replaced by anxiety about the nearby rats. The criminal can further reduce his chance of exposure by scheduling an after-hours appointment, when he will be free of prying eyes and have much more time to snoop for sensitive information.
This scenario also offers a perfect opportunity to carry out another favorite social engineering technique, dumpster diving, without raising any suspicion. After all, who is going to suspect that a uniformed pest control technician is doing anything other than looking for rats in a dumpster?
You may think this is only a worst-case scenario, but firms that specialize in social engineering testing can attest that this kind of situation occurs with alarming frequency.
The example shows that, without adequate safeguards in place against social engineering, many weak links can exist along the security chain. But it also shows that strong policies and procedures, together with adequate training, could have thwarted the social engineer’s efforts: a receptionist who is required to check every vendor against a register of scheduled work orders, and to confirm any “urgent” request with the named manager by calling a number from the company directory rather than one the visitor supplies, would have stopped this visit at the door.
Reinforcing the Chain
Employees are the first line of defense against social engineering schemes, so management must give them adequate tools to combat would-be scammers, such as:
- Detailed policies and procedures that go beyond the obvious threats and address situations specific to the organization
- Security awareness training that includes formal role-based training for positions most susceptible to social engineering techniques
- Systematic controls such as a shared vendor/visitor tracking system that also accounts for local vendors at remote branches
- Frequent reminders (emails, posters, tip of the week) to staff about the organization’s commitment to security
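The following is an added example, not code from the original post, of the kind of admission check a shared vendor/visitor tracking system would enforce at the front desk, and of how it handles the “Trusted Vendor” pretext from the case study above. The vendor names, site, work orders, manager logins and business hours are constructed sample data; the decision categories (deny, verify, admit, admit with escort) are one reasonable design and are not described in the post.

```python
"""Vendor/visitor admission check: an added illustration of a shared vendor-tracking
control. All vendors, sites, orders and people below are constructed for the example."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class WorkOrder:
    """A vendor visit that a manager registered in the tracking system ahead of time."""
    vendor: str
    site: str
    start: datetime
    end: datetime
    requested_by: str  # login of the manager who raised the order, not a name given at the door


@dataclass
class VendorRegistry:
    """Shared tracking: one approved-vendor list and one work-order log that every
    branch, including remote ones, checks against before letting a vendor in."""
    approved_vendors: set[str]
    work_orders: list[WorkOrder] = field(default_factory=list)
    business_hours: tuple[time, time] = (time(8, 0), time(18, 0))  # assumed hours

    def check_visit(self, vendor: str, site: str, arrival: datetime,
                    claimed_requester: str = "") -> tuple[str, str]:
        """Decide what the receptionist should do with a vendor at the door.

        Returns (decision, reason); decision is one of
        'deny', 'verify', 'admit' or 'admit_with_escort'.
        """
        if vendor not in self.approved_vendors:
            return "deny", "vendor is not on the approved list"

        on_file = [wo for wo in self.work_orders
                   if wo.vendor == vendor and wo.site == site
                   and wo.start <= arrival <= wo.end]
        if not on_file:
            # A verbal "your manager asked me to come right away" is exactly the
            # pretext in the case study; it is not a work order. Escalate instead.
            return ("verify", "no work order on file for this site and time; call the "
                    "named manager at the directory number, not one the visitor supplies")

        order = on_file[0]
        if claimed_requester and claimed_requester != order.requested_by:
            # Name-dropping a manager found on social media does not match the record.
            return ("verify", f"visitor named {claimed_requester!r} but the order "
                    f"was raised by {order.requested_by!r}")

        opens, closes = self.business_hours
        if not (opens <= arrival.time() <= closes):
            # Legitimate after-hours work exists, but nobody should be left alone
            # with the premises (or the dumpsters) outside business hours.
            return "admit_with_escort", "work order valid but arrival is outside business hours"

        return "admit", f"matches work order raised by {order.requested_by!r}"


def build_registry() -> VendorRegistry:
    """Constructed sample data for the example; not real vendors, sites or people."""
    return VendorRegistry(
        approved_vendors={"Acme Pest Control", "Northside Cleaning"},
        work_orders=[
            WorkOrder("Acme Pest Control", "Branch 12",
                      datetime(2024, 3, 12, 10, 0), datetime(2024, 3, 12, 12, 0),
                      requested_by="j.doe"),
            WorkOrder("Northside Cleaning", "Branch 12",
                      datetime(2024, 3, 12, 19, 0), datetime(2024, 3, 12, 21, 0),
                      requested_by="j.doe"),
        ],
    )


def demo() -> dict[str, str]:
    """Run the case-study pretext and a few legitimate visits through the check."""
    reg = build_registry()
    cases = {
        # The post's scenario: branded uniform, the real vendor's name, an urgent
        # late-day call, the named manager away. Nothing is on file, so: verify.
        "pretext_late_day": reg.check_visit(
            "Acme Pest Control", "Branch 12", datetime(2024, 3, 12, 17, 45), "j.doe"),
        "unknown_vendor": reg.check_visit(
            "Rapid Rodent Removal", "Branch 12", datetime(2024, 3, 12, 11, 0)),
        "scheduled_visit": reg.check_visit(
            "Acme Pest Control", "Branch 12", datetime(2024, 3, 12, 10, 30), "j.doe"),
        "wrong_manager": reg.check_visit(
            "Acme Pest Control", "Branch 12", datetime(2024, 3, 12, 10, 30), "a.smith"),
        "scheduled_after_hours": reg.check_visit(
            "Northside Cleaning", "Branch 12", datetime(2024, 3, 12, 19, 30)),
    }
    return {name: decision for name, (decision, _reason) in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22} -> {decision}")
```

The point of the design is that the receptionist never has to judge the visitor’s story: the only inputs that can produce “admit” are records a manager created in the system beforehand, so urgency, a convincing uniform and a correctly guessed manager’s name all lead to “verify” rather than to the door being opened. The escort rule for after-hours orders closes the dumpster-diving and unsupervised-snooping window the case study relies on.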
The most modern firewalls, intrusion detection systems and video surveillance cannot provide much protection against social engineers who use unsuspecting staff to breach security and reach sensitive information. The best defense is a well-trained, well-equipped staff that understands its role in protecting the organization’s interests. And it is up to the organization’s management to give that staff the training, direction and tools to fight this growing threat effectively.

Filed under: Guest Author Blog Posts