Social engineering is a con game relying on influence, social skills, and human interaction to obtain information about an organization or computer systems. In this movie, Lisa Bock looks at the ways social engineering is accomplished, such as telephone, online, dumpster diving, shoulder surfing, and simple persuasion.
- [Voiceover] Social Engineering is a con game relying on influence, social skills, and human interaction to obtain information about an organization or computer system. Logical network defenses, security appliances, and anti-malware protection get stronger every day. Over time, industry has strengthened our defenses and as a result, black hat hackers look to penetrate a softer target, the people in an organization, including employees, contractors, and customers by using a Social Engineering attack.
Cyber criminals achieve Social Engineering in many ways: telephone, online, dumpster diving, shoulder surfing, and simple persuasion. In the right setting, someone can shoulder surf your information by simply watching what you type. You should tell them to step back if they're getting too close. Scam artists work on our emotions, and many times launch an attack that may promise gifts and prizes, important information, or threaten to take action if you do not reply.
Organizations can thwart Social Engineering attacks many times by employing user education and strong spam filters to prevent deceiving emails from getting through to the employees. There are many working parts to a Social Engineering attack, but of course at the heart of this is the victim. But the other components include motive, and that is why cyber criminals use Social Engineering. Reasons include: obtaining money, gaining access into a system, or causing damage to a system.
And method, this is how cyber criminals achieve Social Engineering, using human intervention or technology, or sometimes a combination of both. The hacker themselves must be able to pull off a believable hoax. And the tools used, they include: email, social media, webpages, phishing, or pharming. And stimulus, or what is the best way to inspire someone into giving up information? Using fear, need for compliance, or appeal to his or her need for friendship, acceptance, or social validation.
A skilled hacker will most likely try to use Social Engineering before spending any time on more difficult methods to obtain a password, such as password cracking to obtain access to a system. Now getting someone to give up their password is easier than you think. Studies show that over half the individuals tested gave up their user name and password. Some gave it up freely, some for money, and some even for a bar of chocolate.
Social Engineering is one of the hardest threats to defend against. As a result, it should be part of an organization's ethical hacking exercise.
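The deceiving email the voiceover describes (a promised prize, "important information", or a threat to act if you do not reply, which the organization tries to stop with user education and spam filtering) can be scored with a few mechanical checks before a person ever reads it. The Python below is an added example written for this page; it is not code from the course or from Lisa Bock. The rules, the lure-phrase list, the domains and the two sample messages are constructed assumptions for illustration, not real indicators from any product. It flags a display name that shows a different domain than the real sender, a Reply-To that redirects answers elsewhere, link text whose visible host differs from the href, and the emotional lure phrases the transcript lists.

```python
"""Heuristic phishing-lure scorer for a raw RFC 822 message.

Added example, not part of the course transcript. Every rule, threshold,
phrase and sample message below is an assumption chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure phrases matching the transcript's description: promised rewards,
# "important information", or a threat of action if you do not respond.
# Constructed list for this example; a real filter would use a tuned corpus.
LURE_PHRASES = (
    "you have won", "prize", "gift card", "claim your",
    "important information", "verify your account",
    "account will be suspended", "within 24 hours", "immediately",
    "failure to respond", "legal action",
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def _domain(addr_or_url: str) -> str:
    """Host part of an email address or URL, lower-cased."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _body_text(msg) -> str:
    """Concatenate all text/plain and text/html parts of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)


def score_message(raw: str) -> dict:
    """Return the list of indicators found and a score (one point per indicator)."""
    msg = message_from_string(raw)
    indicators = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name shows a domain (or address) that is not the real sender domain.
    shown_dom = DOMAIN_RE.search(display)
    if shown_dom and shown_dom.group(0).lower() != from_dom:
        indicators.append("display-name/sender-domain mismatch")

    # 2. Reply-To steers responses to a domain other than the claimed sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        indicators.append("reply-to domain differs from sender")

    body = _body_text(msg)

    # 3. Visible link text names one host while the href points at another.
    for href, text in ANCHOR_RE.findall(body):
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and _domain(href) != shown.group(0).lower():
            indicators.append(f"link text {shown.group(0)} -> {_domain(href)}")

    # 4. Emotional lure: reward, "important information", or threatened action.
    lowered = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in LURE_PHRASES if p in lowered]
    if hits:
        indicators.append("lure phrases: " + ", ".join(hits))

    return {"indicators": indicators, "score": len(indicators)}


# Constructed sample messages; all domains are fictitious .example names.
PHISH = """From: "security@acmebank.example" <alerts@acme-mail-verify.example>
Reply-To: helpdesk@mailbox-reply.example
To: victim@corp.example
Subject: Important information about your account
Content-Type: text/html; charset=utf-8

<p>We detected unusual activity. Verify your account within 24 hours or your
account will be suspended.</p>
<p><a href="http://acmebank.example.login-check.example/verify">https://acmebank.example/verify</a></p>
"""

LEGIT = """From: "Acme Bank Alerts" <alerts@acmebank.example>
To: customer@corp.example
Subject: Your monthly statement is available
Content-Type: text/html; charset=utf-8

<p>Your statement for March is ready.</p>
<p><a href="https://acmebank.example/statements">https://acmebank.example/statements</a></p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The constructed phishing sample trips all four rules (score 4) while the legitimate statement notice scores 0. None of these checks is proof on its own; a quarantine rule would combine a score threshold with the organization's allow-lists, and the lure-phrase rule in particular is the one the voiceover's "user education" has to back up, since attackers rephrase faster than a word list is updated.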
In this course, cybersecurity expert Lisa Bock discusses the methods a hacker might use, including embedding malicious links and attachments in emails and using mobile devices and social media to deploy an attack. She discusses the concept of "misuse of trust"—how hackers use charm, power, and influence to penetrate an organization—and why you need to be extra cautious with the disgruntled employee. Finally, Lisa discusses countermeasures security professionals can take to address these attacks.
Note: This course maps to the Social Engineering competency of the Certified Ethical Hacking exam. Review the exam objectives at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.
- Visualizing the victim
- Recognizing an attack
- Using charm, power, and influence
- Manipulating with social media
- Preventing insider attacks
- Stealing identities
- Pen testing with social engineering
- Taking countermeasures