• You can buy the most expensive firewall equipment, install the best anti-virus software, and add the greatest intrusion detection system, but there is still a “weak link” in your security plan that you may have overlooked: people.
• In this presentation, we will discuss some common social engineering tactics so that you will be able to identify this type of “intrusion” and protect yourself and your organization’s network against those who specialize in exploiting the weaknesses of people rather than those of the software.
What exactly is “Social
• In the field of computer security, social engineering is the practice of obtaining confidential information by manipulation of legitimate users.
• Social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security, and this principle is what makes social engineering possible.
• A social engineer will commonly use the telephone or Internet or even personal relationships to trick people into revealing sensitive information or getting them to do something that is against typical policies.
-Social engineering (computer security) From Wikipedia, the free
Who is the Social Engineer
• Social engineers don’t even need to be particularly technically savvy; it’s their “people skills” that get them in where they aren’t supposed to be. They use charm, intimidation or trickery to convince others to disclose information that compromises the security of the network.
– Example: Kevin Mitnick became famous (and went to jail) because of his mastery of the art.
– Telephoning a user and posing as a member of the IT team who needs the user’s password and other information in order to troubleshoot problems with the network or the
– Telephoning the IT department and posing as a high-ranking executive in the company, pretending to have forgotten his/her password and demanding that information immediately because of a pressing business urgency.
• E-mails purporting to be from a user’s bank or credit card company and asking them to go to a Web site where they are directed to fill in account information are forms of social engineering.
• E-mail attachments that contain malicious payloads (that, for instance, use the victim’s machine to send massive quantities of spam).
• This has forced software vendors to disable automatic execution of attachments; users now have to explicitly open an attachment for its payload to run. Many users, however, will blindly click on any attachment they receive, thus allowing the attack to work.
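As an added illustration (not part of the original presentation), the following Python script applies a few defensive checks to the two e-mail tactics described above: a Reply-To that points somewhere other than the claimed sender, a link whose visible text names one site while its href goes to another, and an attachment with an executable extension hiding behind a document-looking name. The sample messages, domain names and the extension list are constructed for this example and are assumptions, not data from the presentation.

```python
import os
import re
from email import message_from_string
from urllib.parse import urlparse

# Extensions that execute when opened. Constructed for the example; a real
# filter would use a maintained list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}

# Simple anchor matcher for HTML bodies: captures href and the visible text.
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)

# Display text that looks like a URL or bare host name.
URLISH_RE = re.compile(r'^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$', re.IGNORECASE)


def registered_domain(host):
    """Crude registrable-domain heuristic: the last two DNS labels."""
    parts = (host or "").lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()


def header_domain(addr):
    """Domain part of an address header such as 'Name <user@host>'."""
    m = re.search(r'@([A-Za-z0-9.-]+)', addr or "")
    return m.group(1).lower() if m else ""


def host_of(text):
    """Host named by a URL or by a bare 'host/path' string."""
    if text.lower().startswith(("http://", "https://")):
        return urlparse(text).hostname or ""
    return text.split("/")[0]


def phishing_indicators(raw_email):
    """Return a list of (kind, detail) findings for one RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []

    from_dom = header_domain(msg.get("From"))
    reply_dom = header_domain(msg.get("Reply-To"))
    if reply_dom and registered_domain(reply_dom) != registered_domain(from_dom):
        findings.append(("reply_to_mismatch",
                         f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(("executable_attachment", f"attachment {filename} has extension {ext}"))
            continue
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", errors="replace")
        for href, inner in ANCHOR_RE.findall(body):
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if not URLISH_RE.match(shown):
                continue  # plain words like "click here" carry no claim about the destination
            if registered_domain(host_of(shown)) != registered_domain(host_of(href)):
                findings.append(("link_mismatch", f"text shows {shown} but href goes to {href}"))
    return findings


# Constructed sample: claims to be a bank, replies go elsewhere, the link lies,
# and a double-extension attachment is attached. All domains are fictitious.
SAMPLE_PHISH = """\
From: "Example Bank" <alerts@example-bank.test>
Reply-To: verify@mail-secure-login.test
To: user@corp.test
Subject: Urgent: confirm your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please confirm at <a href="http://login.mail-secure-login.test/verify">https://www.example-bank.test/secure</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"

MZ-not-really
--b1--
"""

# Constructed benign sample: sender, reply address and link all agree.
SAMPLE_BENIGN = """\
From: "IT Helpdesk" <helpdesk@corp.test>
To: user@corp.test
Subject: Maintenance window
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.corp.test/maint">https://intranet.corp.test/maint</a></p></body></html>
"""

if __name__ == "__main__":
    for kind, detail in phishing_indicators(SAMPLE_PHISH):
        print(f"{kind}: {detail}")
```

The checks are deliberately narrow heuristics: they catch the contradictions the message itself exposes (claimed identity versus actual destination) rather than trying to judge content, which is the same comparison a trained user is asked to make before clicking.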
• Some social engineers base their success on research abilities. Such activities as “dumpster diving” (going through discarded paperwork to find credentials and other useful information) can also be considered a form of social engineering. Some hackers may develop elaborate schemes to pose as building repair personnel or even temporarily take jobs as janitors to gain initial access, while others do all of their work from afar and never set foot near the physical site. A determined hacker may put days or weeks of effort into gaining the trust of a target employee. This may be done in person, over the telephone or via e-mail or IM.
Face to Face Tactics
• Social engineering also applies to the act of
– Developing a personal relationship with a user or IT team member with the intent of “sweet talking” the person out of confidential information that can be used to break into the network.
– Even the general office worker could pose a threat to a company. In an Infosecurity survey, 90% of office workers gave away their password in exchange for a cheap pen. (taken from ?????_______________)
Reverse Social Engineering
• Reverse social engineering is a term used to refer to hackers who create some sort of problem on the network or the user’s computer and then come to the rescue (like the cases we occasionally read about where a person sets a fire and then rushes in to put it out, becoming an instant hero to the victims). This helps the social engineer gain trust quickly, and makes it easier for him/her to get desired information out of the victim. For example, the social engineer might then send an e-mailed attachment that contains malicious code through which he can gain control of the victim’s computer. Because the victim now “knows” (and trusts) the engineer, the victim doesn’t exercise the same caution about opening the attachment as would be the case if the attachment were from someone else.
• Training users about security policies and ensuring that they are followed is the primary defense against social