Social engineering: Don't be fooled
Social engineering is hard to protect against, as attackers prey on the kindness of strangers, but there are some tips to stop your company from becoming a victim of social engineering ploys.

Ever been conned? Would you know if you had been? Social engineers practice a subtle art. Their techniques, when applied properly, leave victims none the wiser as to how they may have let an attacker in.

Sophisticated social engineers take advantage of the security vulnerabilities in human nature, and not software, in order to penetrate otherwise well-protected networks.

The thief
One such master of deception is US-based Kevin Mitnick, who has been imprisoned three times for computer crime. After his release from a five-year prison stint, Mitnick hung up his criminal spurs and now runs a specialist consultancy, Defensive Thinking, dedicated to protecting unsuspecting employees from the whims of the social engineer.

As one of the United States' most prolific cyber-criminals, Mitnick pulled off some pretty impressive con jobs. He'd trick people into disclosing all sorts of information: passwords, modem numbers, and general technical information. We asked Mitnick what the social engineer may be looking for when they ring an unsuspecting employee from an organisation they're targeting.

"It's largely... calling someone and tricking them out of their password," he says. "But there are a lot more sophisticated attacks where people just need bits and pieces of information."

Say you wanted to target a software company (which Mitnick has been known to do, siphoning off source code from DEC in the '80s and later from Nokia, Sun Microsystems, Motorola, and NEC): you wouldn't just ring up the administrator and say "give me your password".

An attacker with skill would target the low-hanging fruit, perhaps a workstation on the company's LAN, using a run-of-the-mill technical vulnerability. Social engineering could then be used to find out which machine on the network contained what the attacker was after, saving them countless hours of fumbling about on the LAN while running the risk of tripping some sort of alarm or raising suspicions.


Talkback 2 comments

    Anonymous -- 19/07/04

    Hello,

    This is part of my research. I would like to write a thesis in computer security, specializing in Social Engineering. Could you provide me with some examples of good titles?

    Thanks in advance,
    Christian

    Anonymous -- 26/07/05

    Have a look at SANS

    http://www.sans.org
