Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide some sort of useable data. For instance, instead of trying to find software vulnerabilities to exploit for sensitive data, a social engineer might try to trick someone into divulging an administrative password without realizing it.
Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.
What’s the problem with social engineering?
Here are some common ways social engineers try to socially engineer us
Steal badges and credentials in unlocked cars
Go to the local donation store and buy old company T-shirts
Pose as janitorial staff to get into a building
“Can you hold the door for me? I don’t have my badge.”
Pose as an IT person that needs to fix the network
Try unlocked doors around the backside of buildings
Pose as law enforcement conducting an inspection
Dumpster dive for sensitive documents
Here’s what happens when I try to socially engineer someone.
How to avoid being a victim
The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:
You should be slightly paranoid (better to be safe than sorry)
Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
Ask for a contact to verify why the person needs the information they’re asking for
Don’t hold secure doors open for people you don’t know
The only way to identify if your employees have soaked in all that knowledge is to test them. You can don a disguise and test them yourself, or enlist the help of a professional (also called a pen tester), to come onsite and test your employees, experiment with your physical security, and see what interesting information they can find in your trash cans.
Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.
Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.