You may have heard that it is very difficult to protect against social engineering attacks. But what is social engineering? Here is a short overview of what it is and how it has been used to gain unauthorized access.
Social engineering is an umbrella term for a number of methods and techniques that all have one thing in common: they manipulate people, usually by posing as someone else, into revealing information or performing actions. It covers a wide range of techniques. Some examples are pretending to be a manager and requesting actions from employees, posing as a new employee and asking for information about the systems, or claiming to be support personnel and telling people to download and install an "important patch".
Nowadays, social engineering is also done by email. Phishing emails have become a daily nuisance: messages telling you to log into your online bank account using the link provided in the email, or emails pretending to come from the police or the IRS and telling you to open an attachment.
Social engineering is difficult to defend against because it targets the weakest link in IT security: people. After all, we all want to be helpful and to look like we know what we are doing. This means that the main defense against social engineering is education. Unfortunately, that is not easy, since there are so many different ways in which social engineering can be used.
A social engineering attack can be fast, just a phone call or an email, but it can also be slow, gathering one piece of information at a time. The latter approach can be very difficult to detect: each individual piece may seem unimportant, but by putting all the pieces together the attacker may learn everything he needs to know.
Social engineering is not limited to getting access to computers. It can be used to gain entrance to server rooms, to obtain badges or keys for buildings, or to obtain confidential documents.
A well-configured firewall is effective at keeping unauthorized outsiders off your network. Attackers have realized this too, and social engineering is one way of getting around the firewall and all your other technical controls. This is what makes social engineering so dangerous: you can have configured your firewalls and computers very securely, blocking every unauthorized connection, only to have some "helpful" employee give the attacker everything he wants.
Still, good IT security is important. Giving people only the access they need limits the number of people who can (even unwittingly) help the attacker, and it makes life more difficult for the attacker even if his social engineering succeeds. But you also have to inform everyone about common social engineering attacks. Raising your staff's awareness of social engineering is the best way of preventing such attacks.
Since there are so many different kinds of social engineering attacks, it is very difficult to teach people how to detect every one of them. Social engineering by email is very common but seldom effective against an alert reader: the sender address of an email is trivially forged, and many people know this. Still, if it did not work at all, we would not receive so many emails pretending to come from the IRS, FBI or UPS. Educated users are unlikely to give away sensitive data in an email. After all, even if the recipient is not an attacker, you should never put sensitive data in an email: unless the message is end-to-end encrypted, it can be read at every mail server that relays it, and on any unencrypted hop in between.
Social engineering over the telephone requires some knowledge about the organization but is also much harder to protect against. Once again, people who are aware of social engineering attacks are less likely to be fooled. Social engineering in person is less common, since it exposes the attacker. But a sophisticated attacker is very good at reading people and knows when to look helpless and when to be aggressive. Such attacks are generally done by insiders and can be very difficult to protect against.
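The phishing messages described earlier (a link that claims to lead to your bank, an attachment you are urged to open) and the forged sender addresses mentioned above leave traces a script can check, even though the person who receives the mail may not notice them. The following is an added example, not code from the original article: it parses one raw message and flags the three classic indicators, a From: domain that does not match the envelope sender in Return-Path, link text that names one domain while the href points to another, and an attachment with an executable extension. The sample message, every address, domain and URL in it, is constructed for this example; it assumes the receiving mail server has already added a Return-Path header, and it approximates the registrable domain by the last two labels of a hostname, which is a simplification (real tooling should use the Public Suffix List).

```python
"""Flag common phishing indicators in a raw email message.

Added example, not code from the original article. The message below is
constructed for illustration; every address, domain and URL in it is fictitious.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. The visible link text names the bank, the href points
# elsewhere, the envelope sender (Return-Path, assumed here to have been added
# by the receiving mail server) differs from the From: header, and an
# attachment carries a double extension.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank.example>
Return-Path: <bounce@mailer-hosting.example>
To: victim@corp.example
Subject: Action required: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please log in within 24 hours:
<a href="http://examplebank.example.login-check.example/verify">https://www.examplebank.example/login</a></p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ...
--b1--
"""

# Visible link text that looks like a URL or a bare hostname.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
# File extensions that should never arrive disguised as documents.
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Approximate the registrable domain by the last two labels.
    Simplification for this example only; real tooling should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def header_domain(msg, name):
    """Registrable domain of the address in a header, or None if the header is absent."""
    addr = parseaddr(msg.get(name, ""))[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else None


def analyze(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = header_domain(msg, "From")
    rp_dom = header_domain(msg, "Return-Path")
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"sender mismatch: From={from_dom} Return-Path={rp_dom}")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(DANGEROUS_EXT):
            findings.append(f"executable attachment: {fname}")
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            collector = LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                href_dom = registered_domain(urlparse(href).hostname or "")
                shown = HOSTLIKE.match(text)
                if shown and registered_domain(shown.group(1)) != href_dom:
                    findings.append(f"link text {text!r} actually points to {href_dom}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("PHISHING INDICATOR:", finding)
```

Run it and it reports all three indicators for the sample message. None of these checks proves a message is malicious on its own (mailing-list software legitimately rewrites Return-Path, for instance), which is exactly why they belong in a filter that warns the reader rather than replacing the awareness training the article argues for.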