The social engineer’s goal is to trick someone into giving them what they want by preying on basic human nature. Lisa Bock explains how a social engineer will take advantage of the very characteristics that make us good employees, such as being helpful, providing timely responses, and having a trusting nature.
- [Voiceover] The social engineer's goal is to trick someone into giving them what they want by preying on basic human nature. In an organization, the social engineer will take advantage of the very characteristics that make us good employees, characteristics such as being helpful. We train our employees to ensure customer satisfaction. As a result, employees want to be helpful, which can lead to giving away too much information.
Providing timely responses in order to avoid getting into trouble. Someone may have reprimanded the employee at some point for waiting too long for verification and offending someone; therefore, an employee might provide information without ensuring source authentication. And trusting nature. Most social engineers are extremely confident in their behavior, and if someone tells an individual that they are a certain person, and appear genuine, there is a tendency to believe someone's word.
In addition, social engineering works with some not so great qualities, such as taking shortcuts and cutting corners instead of validating someone's identity. They may just accept someone's word and give him or her what they want, and then go back to doing what they were doing before someone interrupted them. In order to conduct an effective social engineering attack, the hacker must identify a potential victim.
The exercise goes through a process, reconnaissance, establishing trust, exploiting that trust, and then departure. For example, if a hacker needs to gain access into a building, they first try to find a target like this custodian. The hacker checks out the custodian and determines that they would be a good target. To really sell the scene, the hacker might go to a nearby door and attempt to open it.
He can even pretend to try and find his access card.
- Excuse me. Hi, my name's Dave. I'm from the Manitou office. My badge doesn't seem to be working. Could you let me in?
- Okay. (beep)
- [Voiceover] A talented social engineer will get what they want without raising any suspicion.
- Thanks so much, I appreciate it.
- Sure.
- [Voiceover] Identification without authorization is dangerous. A social engineering exploit may very well lead to a major security breach.
In this course, cybersecurity expert Lisa Bock discusses the methods a hacker might use, including embedding malicious links and attachments in emails and using mobile devices and social media to deploy an attack. She discusses the concept of "misuse of trust"—how hackers use charm, power, and influence to penetrate an organization—and why you need to be extra cautious with the disgruntled employee. Finally, Lisa discusses countermeasures security professionals can take to address these attacks.
Note: This course maps to the Social Engineering competency of the Certified Ethical Hacking exam. Review the exam objectives at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.
- Visualizing the victim
- Recognizing an attack
- Using charm, power, and influence
- Manipulating with social media
- Preventing insider attacks
- Stealing identities
- Pen testing with social engineering
- Taking countermeasures