Social engineering is generally considered one of the weakest aspects of organizational security. Attackers know that and cybersecurity professionals know that, but many other folks just don’t “get it”.
The Internet Security Glossary entry for “Social Engineering” says it is a:
Euphemism for non-technical or low-technology methods, often
involving trickery or fraud, that are used to attack information
systems. Example: phishing.
Deprecated Term: [documents] SHOULD NOT use this term; it is too vague.
Instead, use a term that is specific with regard to the means of
attack, e.g., blackmail, bribery, coercion, impersonation,
intimidation, lying, or theft.
Perhaps because of the non-technical or low-tech nature of social engineering, cybersecurity techies often shy away from addressing it. Unfortunately, that means social engineering attacks such as those listed above along with tailgating and pretexting are often major vulnerabilities. Some of these are pretty obvious such as blackmail and bribery; phishing has been addressed repeatedly on this blog. Let’s look at a few other techniques social engineers use:
“Impersonation” has the standard meaning of pretending to be someone else, but in this context, it can have dangerous implications. The core of the issue here is that we want to trust what we see and hear and we want to trust others. That’s not a good attitude when it comes to security, but it is human nature.
If we see someone in the appropriate uniform and accessories with an official-looking ID, we seldom doubt what we see. What looks like a delivery person or utility worker could easily be an impersonator. We see it in the movies or on television or in movies because it can and does happen in real life.
If you want to verify an ID, don’t call a number on the back of an ID card, but rather look up (or better have available) the real number. Generally, a better approach is to accompany a visitor while he or she is present.
It is easier to impersonate online or on the telephone. Caller-ID and email sender fields can be spoofed. Phishing is a common example. Another is the “IRS” on the Caller-ID. Take each with a grain of salt.
Tailgaiting often occurs where secure doors are not watched by humans. The basic idea is that someone entitled to access a room or building opens a door or gate and allows someone else to follow without any real ID validation. An attacker could look like a co-worker laden with gifts or food. Boxes of cakes or donuts seem to be popular. Other tailgaters have pretended to be disabled or pretend to have misplaced an ID.
Pretexting is a special case of impersonation. In this scenario, the attacker pretends to need access or information for a particular need. In this case, the attacker creates a backstory or pretext to support the impersonation. The pretext may be simple or complex. Complex backstories are more difficult to pull off and are this generally reserved for large-value targets. An example preying on our nature to be nice is the “I need your help” scenario. Consider a caller that asks for information purportedly necessary to complete a major proposal or to finish a contract so the company can get paid.
Social Engineering techniques can be simple or detailed. The only meaningful defense is to be constantly aware of the situation(“situational awareness”) and be wary of anything unexpected or unusual.