The Art of Social Engineering
- I'm a Social Person; Does That Make Me a Hacker?
- The Telephone: Primary Tool for Social Engineering
- Dumpster Diving
- Desktop Hacking
- And Knowing Is Half the Battle
I'm a Social Person; Does That Make Me a Hacker?
Social engineering is becoming less popular as a means of attacking a network and certainly receives little media attention. But these attacks can prove quite costly and should be guarded against. This sort of attack can allow the attacker to bypass the security mechanisms of a network without using any script or hacking tool and without even executing a single piece of code. Companies need to address the risk of social engineering with much the same vigor applied against more hardcore technical attacks.
Social engineering involves getting employees at target companies to voluntarily surrender their personal or corporate information. This is usually accomplished through nothing more than conversation, often over a telephone and without any direct contact at all. It's essentially a confidence game.
The risk of social engineering is that it can circumvent the logical security measures in place and relies simply on exploiting unsuspecting employees who can be talked into volunteering network and security information whose value and importance the employees may not recognize. This information can include the IP address of the firewall or default gateway, or even the user's own password, and such information can be used to compromise the network if disclosed to malicious hackers.
There are many methods of social engineering. In the following sections, I'll present the key ideas involved in three popular methods, as well as appropriate countermeasures and actions that firms can take to limit their exposure to these attacks. Among the methods I'll discuss are making apparently harmless telephone calls to employees of the target company, searching through the company's office trash, and casually looking at an employee's workspace to directly obtain or deduce confidential information.
Let me make clear that I'm certainly not advocating social engineering. This article isn't intended as a teaching tool for hackers; it's designed to show businesses (and individuals) how to protect against these subtle attacks.