The Dark Art of Social Engineering
"It is only one who is thoroughly acquainted with the evils of war that can thoroughly understand the profitable way of carrying it on."—Sun Tzu, The Art of War
I'm here to teach you what social engineers do when trying to manipulate the human element of a system. Only when you understand that will you know exactly how to defend yourself and your company. As a good friend of mine once said, "It's all about control."
Social Engineers Are High-Tech Con Artists
The art of the con is one of the oldest forms of social engineering. Essentially, con artists try to talk you into doing, buying, or selling stuff that you normally wouldn't. They exploit your confidence in what they're talking about, to their own personal gain. Most cons don't involve anything high-tech at all. But a talented con artist who knows something about networks, computers, and security would be a dangerous individual indeed. These hybrid con artists are popularly known as social engineers.
Before I regale you with stories of social engineering, let me first tell you why I would even know of such things: I'm a professional hacker. My job is to discover all your corporate secrets, all the sensitive data, all the things that would cripple or destroy your company if they were ever to fall into the wrong hands. To neglect the human component of the system that is your company and just focus on the network or the computer infrastructure would give you an incomplete view of your total security, and of the security of the data you may believe is vaulted away.
But you're not here to listen to me ramble on about my credentials; you're here to learn exactly how social engineering manifests itself. Put yourself in the situations I discuss here. Ask yourself if you would have said or done something differently.
First, let's focus on what the social engineer is going to attack. The target isn't a firewall or website (well, not yet); instead, it's a living, breathing human being. Humans are a bit harder to fool than bits and bytes, but not if you know how to handle them.
Some networks are protected by sophisticated intrusion-detection systems (IDS) that pick up on any hacking activity destined for the network. If a hacker were to attack your IDS-protected web server, for example with a denial-of-service attack, the IDS could detect and stop the attack before it did any damage to your network.
People also have an internal IDS. Have you ever spoken with someone you just didn't trust, didn't believe was telling you the truth, or just didn't feel comfortable around? Perhaps you couldn't put your finger on what it was that bothered you about this person, but it was just a feeling you had. This is your own IDS telling you that something is up. When someone tries to lie to you, or just isn't being forthcoming about the reason for talking to you, little signs in the person's body language, tone of voice, and speed of comprehension and response send up red flags that something is not right.
One of the keys to getting someone to give you information you need is to make sure that you don't trip their IDS. I'll outline a few techniques that attackers use to get past those defenses.