Social engineering is not a technical kind of hack as such. It’s more about relying on the inevitable insecurity of the human mind and playing on human emotions to gain access to a system or network. Let’s say that I wanted to social engineer my way into your corporate network without authorisation. I could use one of the techniques below.
Probably one of the most common social engineering attacks is phishing. This is when you receive an email from a fraudulent individual posing as a trusted corporation. For example, let’s say you bank with Santander and you receive an email that appears to come from Santander, telling you that they have a message for you, but before they can pass the message on they need your account number and you’ll need to answer some secret questions. This is phishing. As its name suggests, the hacker is ‘fishing’ for some personal information about the user that they can use to gain access to their bank accounts, emails or any other kind of system. Phishing plays on the individual being less than savvy when it comes to using the web, so they unwittingly provide the requested information.
Another type of social engineering attack is to leave a USB drive or a CD lying about somewhere that it’s likely to be found. The hacker might even write a juicy title on the CD to take advantage of humans’ natural curiosity. The person who sees the disc (with the interesting title) will be very tempted to put it into their computer to find out what it’s all about (after all, no one is claiming ownership of it). Once the CD or USB drive is inserted into the computer, it will then install malware on the system.
There are no technical security provisions you can put in place to avoid social engineering attacks. To prevent them, security training should be provided to all staff, outlining the risks of social engineering attacks. You can also conduct a penetration test on your systems to ‘test’ the users. This will help you identify those that need further training.
This article was brought to you by Netshock.