Join Lisa Bock for an in-depth discussion in this video Recognizing social engineering, part of IT Security Foundations: Core Concepts (2015).
- If we think or organizational security, we take a look at various components, of course, the network and we can logically secure that network using passwords, intrusion detection, and firewalls. We also implement administration and policies. But also included are the people in the organization. In the organization as a whole, people are our weakest link. Social engineering is a con game relying on influence, social skills and human interaction to obtain information about an organization or computer systems.
Famous social engineers include Frank Abagnale Jr. In the 1960s with no Internet or digital equipment, he portrayed himself as a variety of characters using techniques that built confidence and established trust which led to psychological manipulation of his victims as featured in the movie Catch Me If You Can. Kevin Mitnick starting in late 1970s he was well-known in the world of security as he had a variety of social engineering exploits, hacks, and security breaches of Fortune 500 companies and government agencies.
Who are social engineers? Well, that could include hackers, scam artists, salespeople, and ordinary people. How is it accomplished? Social engineering is accomplished in many ways; telephone, online, dumpster diving, shoulder surfing, and simple persuasion. We'll take a look at dumpster diving. In this illustration, you see someone looking into the trash for something they might find anything that might reveal sensitive information.
That is why any information that is discarded should be protected by shredding, information such as a list of names and social security numbers. Shoulder surfing, in this image you see someone online possibly entering sensitive information. Shoulder surfing is someone who would walk up behind you and take a look at you as you're entering information on a keyboard, or you're at the ATM machine and you're entering your PIN.
Be aware of this if someone is standing behind you. Ask them to leave. Phishing spelled with a P-H is an attempt to get a user to reveal personal or financial information. This uses email or instant messaging to deliver this message and persuades the victim to reveal information. Spearphishing targets specific individuals and generally has better results as it targets individuals who are more likely to respond.
In this example, we see an email that you might receive, Dear Bank Cardholder, It tells us of a problem they're having and that you must go to the website and update your information. It also includes consequences if you don't complete this activation. Now I might be prompted to do this because I'm concerned. If I lay my cursor over this, I'll see that it is not my credit card company but another site entirely. Social engineering is difficult to protect against.
Johnny Long wrote a book long ago, No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. If you search for the keywords social engineering, you'll see that there is online education on how to launch an attack. So be safe. Remember stranger danger. Don't believe everyone you meet on the web and tell them everything about you such as what is your pet's name, and your mother's maiden name? Those are used by account providers to remind you of your passwords.
Don't divulge sensitive information. Don't give credit card or social security numbers. And don't accept executable files from unknown persons that you meet on the Internet. They may be viruses or trojans.
Note: This course maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals 98-367 certification exam and is recommended test prep viewing.
- Differentiate between risks, threats, and vulnerabilities.
- Explain how to avoid worms and viruses.
- Define cookies, and explain how they preserve user information.
- Describe the WPA2 wireless security method.
- Cite the differences between public and private key encryption.
- Summarize how to use a virtual private network.
- Identify ways to minimize the attack surface.