Working with People: An Introduction to Social Engineering
Humans are inherently social creatures who have developed a world strongly based on interacting with others. Just like the world of information technology, the human social protocols are a complex series of rules and guidelines for how people behave when interacting with each other, and just like any other system, there are methods to use and abuse it once you understand the rules that govern it. Social engineering is a broad subject, but in this article we will focus mostly on social engineering as it is used to gain access to social groups and sensitive information.
Social Engineer is one of the few blogs dedicated to the topic.
Table of Contents
- 1 What Is Social Engineering?
- 2 How Effective Is Social Engineering?
- 3 General Tips for Social Engineering
- 4 The Social Engineer’s Toolkit
- 5 Spy Versus Spy: Counteracting Social Engineering
- 6 How Can You Use Social Engineering in Your Everyday Life?
What Is Social Engineering?
Social engineering is using the common tendencies of how people interact with others in order to gain information or a benefit of some kind. Effectively, social engineering can be referred to as the hacking of people. Before the Internet age, social engineering would more likely be referred to as conning, but the scope of social engineering’s applications goes beyond tricking people out of money. It is about causing people to act according to your wishes. Getting someone to say yes to a date is social engineering. So is getting your company a contract from a tough client. In regards to information security, social engineering is getting people to give up protected information.
A social engineering definition can be found here.
How Effective Is Social Engineering?
Even companies that place a high focus on securing their information networks can prove extremely vulnerable to social engineering attacks. DefCon, one of the largest hacking conferences in the world, routinely features a social engineering competition that has demonstrated over and over again that simple tactics can be used to get enough information to potentially do harm to a company. Position in the company also seems to have almost no effect on how susceptible a person is to social engineering; a big wig is just as likely to give up information as a cashier, but the big wig also usually has access to more pertinent info.
Social engineering is gaining attention for its insidious effectiveness, and is starting to get recognized in the media and the corporate world. Check out these news articles for an idea of how it is being perceived:
Smooth-Talking Hackers Test Hi-Tech Titan’s Skills – A look at DefCon hacking competitions, utilizing social engineering within legal boundaries to ferret out intelligence designed to weaken a company’s security.
Social engineering to blame in Syrian Electronic Army hijack of the Onion – The targets of these sorts of attacks aren’t always the ones you might expect, the Onion was a recent victim of a phishing scheme.
Facebook Social Engineering Attack Strikes NATO – Often, the targets are important, such as this attack against NATO. Every organization contains a human element, the target of savvy social engineers.
How a lying ‘social engineer’ hacked Wal-Mart – Many people are naturally biased to trust based on a set of subtle criteria; a tone of voice, a style of dress, even word choices can lead people to give credence to otherwise nonsensical ideas or situations, like this Wal-Mart store manager being duped into giving away company data in exchange for a non-existent contract possibility.
General Tips for Social Engineering
These are common guidelines and methods used by social engineers before and during any assignment on which they are working. These focus more on the preparation and mindset of the social engineer than the actual attack methods that are used.
Do Your Research
Take a look at this seminar on social engineering strategies.
Information is everywhere. If there is a topic you want to know about, you usually only need to glance at the Internet. Reading the news and press releases from a company can give you a firm background history from which to work. A social media site may give you insights into the temperament of a person or give you an idea of the social scene in which they operate. If you are trying to infiltrate a group or become closer to a person with any notable focus, then the Internet can be used to familiarize yourself with the topic.
Hackers may go above and beyond in this regard. If they manage to gain access to someone’s email account or messaging service, there may be records of conversations that can be used to mimic the person in electronic communications or learn about key topics that anyone on the inside should know about.
Look the Part
Imagine for a moment that you are watching a movie set in modern times and focused on the happenings in a government or business office. If there was someone dressed in jeans and a hoodie in the middle of a meeting of executives or elected officials, you would likely immediately feel the character was out of place or at least question why they were there. The same holds true whenever you want to interface with another social group, whether it is a company or a club.
Also worth noting is that looking professional – wearing a nicely tailored and well-kept business suit – can generate an obscene level of trust in your social interactions. The suit conveys a lot of subtle messages: this person is a successful member of society, they likely have money, and you can trust then a bit more than the average person. You may not gain complete trust and unlimited access, but the difference between the trust levels shown to someone in a suit and someone in casual clothing is palpable.
Learn to Read People
This article gives you a glimpse into the advancement of research into the integration of robotics and emotions.
If computers are getting to the point that they can recognize and react to the emotional displays of people, then there is no reason that a person should not be able to better do the same task. Taking the time to read on facial expression theory and other psychological articles can help point you in the right direction, but the only way to really learn is to go out and talk with people. Doing this with new people consistently will also give you practice on learning how to pick up the subtleties in a new person’s expression and tone.
Backup Your Backup Plans
Just having an idea of how to work a plan does not mean you should ignore contingency plans. Even if a failure in one portion of a plan only leaves breaking off the attempt, you should be prepared for the possibility and have a clear idea of how you will break it off. This is not going to eliminate having to think on your feet, but having a guideline for your actions can mean the difference between a smooth response and something haphazard that sends the wrong signal.
Strength in Numbers
Unlike the world of open conflict, more numbers on the side of the target can be a firm advantage. Working your way into a small firm can be a dogged task, but it can be easy to turn into “just another suit” at larger offices. It is almost always easier to work your way into social situations when the target has a larger number of people involved.
Take the Time to Do It Right
If you were to take movies and shows as fact, you would think social engineers waltz into a business with a suit and savvy and somehow manage to make their way into the confidence of the boss or gain access to sensitive areas within a few minutes. A real social engineering effort may take weeks or months to accomplish properly.
The Social Engineer’s Toolkit
A number of techniques have become common practice for social engineers. The list here is not exhaustive, and the variations on these techniques makes covering them all a task better suited for a textbook.
Phishing, Vishing, and SMiShing
This rainbow of techniques is typically meant to refer to scenarios where the attacker poses as a person or service the target already knows via electronic communications. One of the most common phishing emails is one that mimics the company’s style and email address while telling the target that their account has been locked out due to potentially malicious activity. A link is supplied to the target to reset their password. The site looks like the company’s to the smallest degree, but the reset instead sends your old and new passwords to the phisher.
The delineation between the terms is based on the attack vector. Phishing is done through the computer, vishing is done through the phone, and SMiShing is done through text messaging.
Pretexting is the art of constructing a scenario in which the target is more inclined to go along with the wishes of the attacker. The most common example of this in action might be taken from the ways people try to convince traffic cops to not give them tickets: “My friend is in the hospital”, “My wife is delivering our baby”, or “I’m on my way to stop the love of my life from getting on a plane and never coming back.” In the movie Live Free or Die Hard, a character uses the pretext of his grandfather in the hospital to get an OnStar agent to activate a car he wants to steal.
There is always a host of information for any company that is not considered protected, but social engineers can piece these bits together to create the façade that they are a member of the company or an associate. For example, instead of just sending an email to the tech support desk for a password reset, a social engineer might send it directly to one of the IT staff members with a message stating that there is a vital report wanted immediately by a big name at the company on that computer, and you need your password reset immediately.
When dealing with a pretty face, a person can become distracted and lose focus on the things that matter. Not every social engineer will be a model, but you can expect the ones that have been favored with good looks and charm to use the advantage.
Most people simply have no idea what is going on with their computers beyond interfacing with the applications they use to work. Computers also have an unfortunate tendency to break down due to misuse or just over time. In larger companies, it may not be uncommon for the IT department to be behind on fixing all the computer issues that are active. By masquerading as tech support, savvy social engineers can troubleshoot for the employee while also placing themselves in a trusted position to ask for personal information like passwords.
The Indirect Approach
Coming up to a person directly and asking them about secure, private topics may immediately trigger warning signals. If the social engineer instead approaches a person via a secondary topic and befriends them, then later probing for the information has a higher chance of success due to the longer time for which trust has developed. As an example, if the target is an avid golfer, then a social engineer might find a way to arrange for them to end up playing together. This would let the engineer strike up a conversation naturally due to the common event.
Spy Versus Spy: Counteracting Social Engineering
It is nigh on impossible to stamp out the threat that social engineering represents even when utilizing proper security methods at a business or simply trying to avoid falling victim to it yourself. Much of the research and the supported methods for handling the threat of social engineering are to educate people on the dangers of it, develop security policies based on what needs to be protected, install Data Leak Prevention (DLP) software, and do penetration testing to get a real idea of the level of security in place.
Enforce Strict Information Release Policies
Both in your personal life and in the business world, sensitive information should be treated with respect and controlled properly. That does not mean you have to give someone trouble every time they ask for personal information, but taking the time to double check that the person is who they say they are and that you can feel comfortable handing over sensitive information can be done with a high degree of trust.
To use an analogy, the human minds that reside within a social group can be thought of as computers on that social network. Where you would patch a computer, you would educate a mind. The ways in which you can be educated are numerous: you could have an article on social engineering (like this one) made mandatory reading, make social engineering news part of your company newsletter, or hold a class every couple of months. At the very least, people should be aware of the information policy on which you decide. The patch may not take on every person, but you should at least try.
Data Leak Prevention Software
An up and coming type of software is joining the ranks of applications like antivirus and firewalls on the list of things any network trying to be secure should have: Data Leak Prevention (DLP) tools. The software can monitor data in storage, in use, or going over the network, and it can perform tasks like preventing the data from sending or triggering an alert if something is sent. This is limited to just helping to prevent social engineering mishaps on computer networks, but social engineers are likely to use a combination of methods to try and gain access to the most valuable information.
Just like your hardware and software, your people can benefit from penetration testing in order to ascertain their awareness of social engineering as a threat and the information security policies that protect from it. This usually requires the aid of an outside entity to get a proper simulation of an attack from someone currently outside the company.
Social Engineering Fundamentals: Part II: Combat Strategies – An article on preventative measures against social engineering from Symantec, a notable information security software company.
How Can You Use Social Engineering in Your Everyday Life?
You may not want to con someone out of their account passwords or savings fund, but that does not mean that the methods of social engineering cannot find their place in your life. They can even be used effectively for altruistic purposes. For example, making new friends can benefit from the inclusion of social engineering information.
Social engineering as a way to gain access to secure information is a threat of which everyone should be aware. Like almost any form of science or technology, it can be used for good and for evil. Taking the time to learn social engineering methods is the best way to use them to your benefit and know how to defend against them. Unless you move to a deserted island with no technology, you are going to be subject to the designs of social engineering, so you may as well stay informed on the subject.