“Social engineering” may sound like politicians re-designing society, but instead it’s a technique bad actors use to get access to sensitive data.
In preparation for a recent trip I searched Amazon for free Kindle books on cybersecurity. Near the top of the list was Social Engineering: Hiding in Plain Sight. The book is not long, but it’s quite interesting. The author, Patricia Arnold, talks about types of social engineering, techniques, and countermeasures. She also discusses a study she did about people’s responses to particular attempts at social engineering.
I like her term for social engineering — “hacking humans”. It accurately reflects, in an albeit informal way, what social engineering is about. The basic concept rests in deception. She says, “[t]he goal is to take advantage of the human factor in the security chain. Incorporating low-tech phases into an attack is a critical part of the social engineering process.”
The book defines different types of social engineering attacks (including phishing, pharming and Impersonation). By dividing attacks into these categories, she makes it easier to discuss the attacks themselves and the countermeasures people and organizations can take against them.
The author has clearly researched the topic well. For instance, she discovered that not only are new employees more susceptible to social engineering attacks (little surprise there); but that a whopping 60% of them fall for those attacks. Likewise, she says contractors fall for 40%. It is no wonder then that social engineering is the first choice of most serious attackers.
In the second part of the book, Arnold details a study she performed related to social engineering. She talks in great detail about the design and results, and she provides the actual survey she used. One interesting finding was that 84% of the respondents felt that they had been approached by “someone who intended to get their personal information for fraudulent purposes”. This really emphasizes the breadth of the issue.
As part of her findings she also said “Overall, I feel the survey results indicate that there is a strong sense of uncertainty that a training course could assist with.” I had not expected to find anything about training in the book, and while she is not in any way endorsing Learning Tree or its courses, we do have a Course 2012 Social Engineering Deceptions and Defenses. If you are interested in social engineering and defending against it, I recommend that course. We do touch on social engineering in Learning Tree Course 468, System and Network Security Introduction, but clearly not to the extent of Course 2012 or Arnold’s book do.
Social engineering is an interesting topic. I suggest you become familiar with it so you don’t become a victim. If you know someone has tried to get sensitive information from you using social engineering, let us know about it in the comments below.