In my line of work, I run across many RFPs (Request For Proposals) that involve complex, multi-step, security assessments. More often than not, the engagements call for a social engineering component. In short, social engineering is the art of manipulating people so they willingly give up confidential information. Companies are often hired to run social engineering campaigns to test the weakest link in the security chain.. humans.
A common misconception is that these companies are being malicious by default. Professional social engineers will not attempt to hack your Facebook account to find out your deep dark secrets and disclose them to your employer… they are simply testing your security awareness. It’s often easier to trick someone into giving you a password for a system than to spend the effort to crack into the system.
Common social engineering techniques
An attacker walks into a building and posts an official looking announcement to the company bulletin board that says the number for the help desk has changed. When employees call for help the individual asks them for their passwords and IDs, thereby gaining the ability to access both the company’s and employee’s private information.
An attacker calls random numbers at a company, claiming to be technical support. Eventually this person will find someone with a legitimate problem. The attacker will help solve the problem and, in the process, have the user type commands that give the attacker access to their computer systems.
An attacker contacts a target on a social networking site and starts a conversation. Gradually, they gain the trust of the target and then use it to gain access to potentially sensitive information.
Depending on the size of the company, an attacker, seeking entry to a restricted area secured by unattended, electronic access control systems, simply walks in behind a person who has legitimate access. The employee will usually hold the door open for the attacker or the attackers themselves may ask the employee to hold it open for them. The employee will, more often than not, fail to ask for identification.
An attacker leaves a malware infected removable device like a USB flash drive in a obvious location (bathroom, elevator, sidewalk, or parking lot), and simply waits for the victim to use the device. An employee might find it and insert the device into a computer out of curiosity. Doing so would allow the device to install malware on the employee’s PC, giving an attacker access to the victim’s PC and, perhaps, the company’s internal network.
These techniques are malicious in nature. The difference is that professional social engineers will never exploit any information they find as a result of these attacks. The results will be documented and presented to management so measures can be taken to mitigate similar attacks in the future.
Should you be worried?
Don’t worry if your employer decides to conduct a social engineering assessment. In the long run, the results will actually help improve both the company’s and employee’s security awareness.
This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. For more on these topics, visit Dell’s thought leadership site PowerMore. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.