Manipulation, confidence and guts.
These are the three things a criminal needs to trick you into handing over sensitive information. Social engineering is described as the art of manipulation: criminals pretend to be someone they’re not in the hope that their targets will give them access to things they shouldn’t, such as sensitive information and secure locations.
A quick example would be that of the Santander Bank in September 2013:
“Police and Santander have thwarted an ‘audacious’ cyber gang that aimed to steal millions of pounds by remotely taking control of a bank branch’s computers. One of the plotters posed as a bogus maintenance engineer pretending to be from a third party to fit a computer in a branch of Santander with a ‘KVM switch’ that would’ve allowed them to remote control the workstation.”
If a bank is able to fall for such a scam, then it’s very likely that you could too.
It’s not very hard
As I said before, carrying out such an attack requires three things: manipulation, confidence and guts. The most important of the three is confidence; if you act like you belong somewhere, most people won’t bat an eye. It’s human nature.
Attackers aren’t always after money or customer data
You also need to think about other forms of information criminals may try to get their hands on. For example, if a competitor wants to know about products you’re working on, they could hire someone to use social engineering techniques on your product manager. All it takes is for an attacker to form a relationship with the product manager outside of work and, after building some trust, ask questions about his job.
What do you do to protect your organisation from social engineering attacks?
Here at IT Governance, we have a secure perimeter, which means that non-authorised individuals are not allowed into certain areas of the building where they could potentially access confidential information. Additionally, if a member of staff sees someone they don’t recognise, they are expected to stop them and ask who they are.
Of course, it’s not all about physical security. Phishing emails are also an effective method of social engineering. If an attacker gains access to one of your employees’ email accounts, they can easily send fake emails to other employees to gather information.
Learn more about social engineering and hacking
To get a better grasp of social engineering and hacking techniques, I recommend that you read the Introduction to Hacking & Crimeware Pocket Guide by Victoria Lowengart. This short guide will equip you with the knowledge you need to better understand the threats of cyber crime.
I also recommend that you put yourself in the mind of the attacker by reading Social Engineering – The Art of Human Hacking. This book is written by Kevin Mitnick, who is one of the most famous social engineers in the world. Reading it will help you understand social engineering attacks and how to prevent them from happening.