Social Engineering

Shared by: mr doen, posted 10/19/2011
The goal of this paper is to explore the topic of social engineering in all its facets. But what really is social engineering? Is it a term that applies in any field other than information technology? Your Dictionary cites Webster's Dictionary, which defines social engineering as follows (Your Dictionary, 2006): "A deceptive process in which crackers 'engineer' or design a social situation to trick others into allowing them access to an otherwise closed network, or into believing a reality that does not exist." In a much broader sense, however, social engineering can take place outside a technical field and can describe a situation that has nothing to do with IT, because in reality the act essentially involves deceiving another individual into divulging information that should be kept secret. The following definition better describes social engineering in this light (Social engineering (security), 2009): "Social engineering is the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud or computer system access; in most cases the attacker never comes face-to-face with the victim."

This paper aims to explore the many situations that others might not classify as social engineering acts meant to steal information and, alongside that goal, to pursue several related objectives: to start a conversation about social engineering by raising awareness, to discuss the many different kinds of social engineering methods, to cite examples of real-world social engineering events and the people responsible, and finally to cover a list of best practices for avoiding social engineering attacks.

Now that we have established a working definition on which to base this discussion of social engineering, the next logical step is to mention a few of the well-known techniques employed in social engineering attacks (Granger, 2001). A very widely recognized form of social engineering occurs over the phone, which gives a person with malicious intent all the anonymity they could ask for. Those particularly vulnerable to this type of threat are help desks, customer service representatives, and of course the common victim: the individual minding their own business at home, on the comfort of the couch. But just because most of these attacks occur over the phone does not mean you are safe when you are the one using the phone. This is known as shoulder surfing (Dwyer, 2008): someone gleans your PIN or ATM card number simply by standing over your shoulder at a busy airport or a phone booth. Another good example of why social engineering is not only something to worry about at the workplace is how often thieves thrive on a technique known as dumpster diving, in which hackers or anyone with malicious intent recover information such as calendars showing when employees will be out of town, policy manuals detailing how internal systems are protected, or even discarded hard drives from which data can be restored and vital information recovered (Berg, 1995). But my favorite form of social engineering has to be the one described as quid pro quo (Wikipedia, 2009). Imagine that the attacker rings random numbers claiming to be returning a technical support call; eventually the attacker finds someone who is grateful for the call back and who has no problem following whatever instructions the attacker doles out, which will most likely be either a series of malicious commands or the surrender of valuable information (such as a credit card number or a username and password). The trick works because the victim never asked for proof of who was calling; the unsolicited call back arrives with the victim's trust already attached.


While there are certainly many more techniques that could be discussed, I would like to focus the next section on elaborating on the techniques described above with specific, real-world scenarios of social engineering taking place. A fascinating example of an attacker making the victim believe that he represents a higher authority is described by McAfee Avert Labs and SANS analyst Lenny Zeltser (Kumar, 2009): yellow fliers were placed on vehicles in a parking lot, and the fliers claimed that the vehicles were in violation of parking regulations. The fliers further stated that the owner could visit a certain website for more information and pictures of the offense. You can imagine the result of this clever form of social engineering: the victim sees the flier and, once home, attempts to visit the designated website, only to be told to download a toolbar or some other form of disguised malware, which in turn infects the PC with even more malware. The authority pretext (a parking citation) does the work; the website is merely the delivery mechanism.

Kevin Mitnick, who was once one of the most wanted hackers in the U.S. in the late twentieth century, wrote a book entitled The Art of Deception (Mitnick, Amazon, 2009). In it he describes several examples of social engineering; in one, someone waits for a snowstorm and then calls the network center posing as, you guessed it, a snowed-in employee. In another, smaller example, Mitnick shows how someone could get a police officer to divulge when he would be out of town and, by scheduling a court date for that time, get out of a speeding ticket (Mitnick, Social Engineering Books, 2006).
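The quid pro quo call-back scam and Mitnick's snowed-in employee both succeed for the same reason: the help desk acts on a claim it never verified. The following is an added example, not code from the paper or from any of the sources it cites, of a help-desk intake routine that makes verification a rule the software enforces rather than a habit the operator has to remember. It assumes a hypothetical employee directory maintained by HR (constructed here inline), and a policy that a sensitive request is acted on only after the operator has called back the number on file; a number the caller offers is ignored and recorded as a pretext indicator.

```python
"""Help-desk intake that enforces caller verification as policy.

Added example (not from the paper). A sensitive request is refused until
the operator has completed a call-back to the number already on file; a
number offered by the caller is never dialed and is logged as an indicator.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed directory (assumption: owned by HR, not editable by callers).
DIRECTORY = {
    "jdoe": {"phone": "+1-555-0100", "manager": "asmith"},
    "asmith": {"phone": "+1-555-0101", "manager": "ceo"},
}

# Actions that must never be fulfilled on an unverified inbound contact.
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset", "send_internal_document"}


@dataclass
class Request:
    claimed_user: str
    action: str
    channel: str                            # "inbound_call", "email", "walk_in"
    offered_callback: Optional[str] = None  # number the caller asks us to use


@dataclass
class Decision:
    allowed: bool
    reason: str
    indicators: list = field(default_factory=list)


class HelpDesk:
    def __init__(self, directory):
        self.directory = directory
        self.verified = set()   # users whose call-back succeeded (single use)
        self.audit = []         # (user, action, allowed, reason, indicators)

    def handle(self, req: Request) -> Decision:
        entry = self.directory.get(req.claimed_user)
        if entry is None:
            return self._log(req, Decision(False, "no such user on file"))
        if req.action not in SENSITIVE_ACTIONS:
            return self._log(req, Decision(True, "non-sensitive request"))

        indicators = []
        if req.offered_callback and req.offered_callback != entry["phone"]:
            # "I'm snowed in, reach me on this number instead": the caller is
            # trying to control the verification channel. Flag it, never use it.
            indicators.append("caller offered a call-back number that differs from the directory")

        if req.claimed_user in self.verified:
            self.verified.discard(req.claimed_user)  # one verification, one action
            return self._log(req, Decision(
                True, "identity confirmed by call-back to number on file", indicators))

        return self._log(req, Decision(
            False, f"policy: hang up and call back {entry['phone']} before acting",
            indicators))

    def callback_number(self, user: str) -> str:
        """The only number the operator may dial: the directory entry."""
        return self.directory[user]["phone"]

    def complete_callback(self, user: str, dialed: str) -> bool:
        """Record a completed call-back. Refuses if the operator was talked
        into dialing anything other than the number on file."""
        if user not in self.directory or dialed != self.callback_number(user):
            self.audit.append((user, "callback", False, "dialed number not on file", []))
            return False
        self.verified.add(user)
        self.audit.append((user, "callback", True, "reached number on file", []))
        return True

    def _log(self, req: Request, decision: Decision) -> Decision:
        self.audit.append((req.claimed_user, req.action, decision.allowed,
                           decision.reason, decision.indicators))
        return decision


if __name__ == "__main__":
    desk = HelpDesk(DIRECTORY)
    # Pretext: caller claims to be jdoe and offers a "better" number to reach them on.
    print(desk.handle(Request("jdoe", "password_reset", "inbound_call",
                              offered_callback="+1-555-0199")))
    print(desk.complete_callback("jdoe", "+1-555-0199"))              # refused
    print(desk.complete_callback("jdoe", desk.callback_number("jdoe")))  # accepted
    print(desk.handle(Request("jdoe", "password_reset", "inbound_call")))
    for line in desk.audit:
        print(line)
```

The two checks worth noticing are that the offered number is compared against the directory rather than trusted, and that `complete_callback` refuses to mark the caller verified if the operator dialed anything other than the number on file, so a persuasive caller cannot turn the operator into the weak link.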

A few of these examples of social engineering are quite startling. How can one hope to avoid falling for these tricks when so many of them are so clever? There are a few "best practices" that can be taught which will help people avoid the social engineering traps. Some are ideal for teaching fellow employees, and others apply to the individual, helping him or her live a more secure life where the safety of their important information is concerned.

Some of the best techniques to teach employees, as identified by US-CERT (United States Computer Emergency Readiness Team), are as follows (McDowell, 2004):

- Be suspicious of any phone calls, visits, or email messages from individuals asking about employees or internal information.
- Always ask any individual claiming to represent a legitimate organization to verify their claims, and do the verification yourself: call back on a number you look up, not one the caller gives you. This is especially important if your position could be used as a gateway to privileged information (for example, if you work at a help desk).
- Never reveal sensitive information over the internet to a party you have not verified.
- Before doing anything with any amount of sensitive information, consult a higher authority or a person with full knowledge of your company's security policy.
- Always shred company documents before discarding them. Even the slightest bit of information can give an attacker inside knowledge of who works at the company, its operating hours, or its phone numbers.

Richard Stiennon of the website CIO Update decries what is often touted as the "best defense against social engineering": training. He argues that if you have determined that mandatory training is needed to sharpen people's awareness in order to avoid social engineering attacks, then you already have a hole in your defenses. Ultimately, the very best defense against a good social engineering attack is to enforce policy (Stiennon, 2009).

In conclusion, I have covered a wide range of topics, all of which involve a discussion centered on social engineering. What began as an initial exploration into the definition of social engineering progressed into examples of the varying techniques that attackers employ to trick others into divulging sensitive information. Many common examples of real-world attacks were also covered, along with how devastating their implications can be to the victims; neither corporations nor individuals are safe from social engineering attacks. Kevin Mitnick, once considered among the most dangerous hackers of all, wrote a book describing in detail how wide-ranging social engineering attacks can be. And finally, I briefly covered some "best practices" for preventing such attacks from happening to you or to future employees. While it may seem obvious to a technically inclined individual, everyone can be a victim of these kinds of attacks when not following the most basic of policies. Being intelligent with information essentially means keeping it to yourself. But rest assured that there are those out there who are constantly inventing new and dangerous ways to trick innocent people into giving away important information. And it is only with constant diligence and a renewed commitment to confidentiality that we can hope to avoid the trap known as

Social Engineering.

Works Cited

Berg, A. (1995, November 11). Social Engineering. Retrieved April 19, 2009, from Packet Storm Security: http://www.packetstormsecurity.org/docs/social-engineering/soc_eng2.html

Dwyer, J. (2008, January 12). Picking Pockets? Nah, Surfing Shoulders. Retrieved April 19, 2009, from New York Times: http://www.nytimes.com/2008/01/12/nyregion/12about.html

Granger, S. (2001, December 18). A True Story. Retrieved April 19, 2009, from Security Focus: http://www.securityfocus.com/infocus/1527

Kumar, L. (2009, February 4). Real World Social Engineering. Retrieved April 19, 2009, from McAfee Avert Labs Blog: http://www.avertlabs.com/research/blog/index.php/2009/02/04/real-world-social-engineering-to-spread-malware-online/

Major, S. D. (2009). Social Engineering: Hacking the Wetware! Information Security Journal: A Global Perspective, 40-46.

McDowell, M. (2004). Tips. Retrieved April 19, 2009, from US-CERT.GOV: http://www.us-cert.gov/cas/tips/ST04-014.html

Mitnick, K. (2009). Amazon. Retrieved April 19, 2009, from Amazon: http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124

Mitnick, K. (2006). Social Engineering Books. Retrieved April 19, 2009, from Social Engineering: http://www.social-engineering.eu/books/artofdeception/

Social engineering (security). (2009, April 16). Retrieved April 19, 2009, from Wikipedia: http://en.wikipedia.org/wiki/Social_engineering_(security)

Stiennon, R. (2009, October 19). The Best Defense Against Social Engineering. Retrieved April 19, 2009, from CIO Update: http://www.cioupdate.com/trends/article.php/3638951/The-Best-Defense-Against-Social-Engineering

Wikipedia. (2009, April 16). Retrieved April 19, 2009, from http://en.wikipedia.org/wiki/Social_engineering_(security)

Your Dictionary. (2006). Retrieved April 19, 2009, from http://www.yourdictionary.com/hacker/social-engineering







Source: http://www.articlesbase.com/information-technology-articles/social-engineering-874981.html