Join Mike Chapple for an in-depth discussion in this video Social engineering, part of CompTIA Security+ Exam Prep (SY0-401): Threats and Vulnerabilities.
- Digital threats aren't the only issue facing information security professionals seeking to protect their organizations. Some of the most dangerous risks come from the human side of social engineering. These are also some of the hardest threats to protect against. Social engineering attacks use psychological tricks to manipulate people into performing an action or divulging sensitive information that undermines the organization's security. For example, an attacker posing as a help desk technician might use social engineering to trick a user into revealing his or her password over the telephone.
Essentially, social engineering attacks are the online version of running a con. There are six main reasons that social engineering attacks are successful. These include authority and trust, intimidation, consensus and social proof, scarcity, urgency, and familiarity and liking. Let's dig into each of these a little bit more. Countless psychological experiments have shown that people will listen and defer to someone who is conveying an air of authority.
Displaying outward signs of authority, such as dressing in a suit, or simply having a look of distinguished age, creates a trust among those without such symbols. One of the earliest experiments in authority was conducted by Stanley Milgram, a Yale University psychologist. He set up a situation where students believed they were participating in an experiment about learning and put them in the role of teacher. When the fake students gave an incorrect answer, the teacher was instructed to administer one of a series of increasingly high-voltage electric shocks.
When the fake teachers objected to shocking the learner, the experimenter told them that they must do so. Almost two-thirds of students were willing to administer the highest-voltage shock. Of course, the shocks were fake, but the participants believed they were real and complied, due to the perceived authority of the experimenter. Well-known hacker Kevin Mitnick also describes an example of authority and trust in his book, The Art of Intrusion. He tells of a social engineer who simply walked right into a casino security center and started issuing orders.
Because he did so with an air of authority, the staff complied with the commands. The second reason that social engineering works is intimidation. It's simply browbeating people into doing what you want by scaring them and threatening that something bad will happen to the individual and/or the organization. A social engineer might call a help desk, posing as an administrative assistant, demanding that they reset the password on an executive's account. When the help desk asks to speak to the executive, the assistant might just start yelling, "Do you know how busy he is? He is going to be very angry if you don't just do this for me." That's intimidation.
The third social engineering tactic is consensus and social proof. When we don't know how to react in a situation, we look to the behavior of others and follow their example. It's the herd mentality. This is what happens when someone is attacked in the street and nobody calls 911. It's also how riots occur. Most normal people would never think of burning a car or looting a store, but once the crowd gets going and they see this behavior around them, many people join in.
The fourth tactic is scarcity: making people believe that if they don't act quickly, they will miss out. You see this each time a major consumer electronics company releases a new product. Why will people wait in line overnight just to get a new phone? Because they want to get one before they run out. A social engineer might use scarcity to trick someone into allowing them to install equipment in an office. Perhaps they show up with a WiFi router and say that they are upgrading the WiFi in adjacent offices with a brand new technology and had one leftover router.
If the office staff would like, he can install it here. If they agree, they think they're getting early access to new technology while the hacker is actually establishing a foothold on the network. Urgency is the fifth tactic of social engineers. With this tactic, the hacker creates a situation where people feel pressured to act quickly because time is running out. For example, a hacker might show up at an office and say he is a network technician there to perform a critical repair. He needs access to a sensitive networking closet.
When staff refuse to grant access, he can say that he has another appointment and can't waste time there. If they open the door now, he'll perform the repair. Otherwise, the network will probably go down and they'll be out of luck. The final social engineering tactic is simple: familiarity or liking. People want to say "yes" to someone they like. Social engineers will use flattery, false compliments, and fake relationships to get on a target's good side and influence their activities. The best way to protect your organization against social engineering attacks is user education.
Everyone in the organization must understand that social engineers use these tactics to gain sensitive information and be watchful for outsiders trying to use the tactics of authority and trust, intimidation, consensus and social proof, scarcity, urgency, and familiarity and liking against them and others in the organization. In this case, wariness is a virtue.