Social engineering, or people hacking, is the act of tricking a person into disclosing information or taking an action through deception. For example, someone could call a business and convince an employee that they are from IT. They could then ask the employee to confirm a password so they can gain access to the network, or to visit a web page so they can steal information.
In his book, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker, Kevin Mitnick described how he used social engineering to gain unauthorized access to networks and phone systems.
Social engineering examples
Below are examples of how someone could use social engineering to gain access to your network, steal confidential information, or get something for free.
- Fellow employee - Pretending to be a fellow employee who is having problems accessing his or her account and needs security, login, or other account details.
- Fake IT - Fake IT support requesting remote access to a computer because of a fake problem or security threat.
- Pretend spouse - Pretending to be a spouse who is calling a company about problems accessing his or her spouse's account and needs the account details.
- Bogus student - Bogus student calling support staff indicating a website is not working. When a staff member visits the supposed problem page, it gathers computer and network information or tries to infect that computer with a trojan or other malware.
- Fake customer - A fake disgruntled customer who complains about products they never purchased and demands a refund or compensation without any proof of purchase.
- Pretend maintenance man - Someone prints a pretend badge that gives the appearance they are a repairman who is visiting to fix a computer, printer, phone, or another system. After gaining access to the building, they get access to confidential documents or computers that would allow them access to the network.
- Fake client - An e-mail from a fake client that sends a business proposal with an attachment containing malware used to gain remote access.
- Malicious USB or CD - Leaving a USB flash drive or CD with malware in a company parking lot with an attractive label to get someone to plug it into their computer. For example, an infected USB flash drive that says "Payroll" on the drive.
- Swatting - Pretending to be someone in danger when calling the police department to get them to send the S.W.A.T. team to someone's house.
Preventing social engineering attacks
All employees, staff, students, or family members on the same network need to know all of the potential threats they may face. It's important that anyone else who may have remote access, such as a third-party IT company or contractors, also be educated.
Most companies have (or should have) security measures, such as a code that is required before account details are released. If a caller claiming to be the customer cannot produce that information, the account details should not be given out over the phone. Giving out the information to avoid conflict with the caller would result in the employee immediately losing his or her job.
Always be wary of what you cannot see
Most social engineering attacks are carried out over the phone, by e-mail, or through other forms of communication that do not require face-to-face contact. If you cannot see whom you are talking to, assume the person may not be who they say they are.
Security or front desk
Not all social engineering attacks happen over the phone or the Internet. An attacker could also visit the company in person with a pretend badge or other form of identification. Every business should have a front desk or security guard who is also aware of all security threats and knows that no one can pass without proper authorization. They should also understand that ignoring these precautions (e.g., letting in someone who says they forgot their badge) would result in them losing their job.
It's also a good idea to require additional security for more sensitive areas, like a server room, such as a badge reader that only allows authorized employees to enter. Employees who enter a building or room using a badge should also realize that they must not let anyone else come through the door with them.
Finally, keep all entrances to a building safe. For example, if a business has a smoking door where people go out for a smoke break, it should be protected and watched. Someone could pretend to be an employee out smoking and enter when other smokers come out.
Some people are not afraid to dumpster dive to find confidential company information or other information that would allow them access to a network. Any papers your employees throw away should be shredded.
Properly discard company equipment
Make sure any equipment is properly destroyed or discarded. Most people realize that a computer hard drive (even when erased) may hold sensitive data that can be recovered. However, not many people know that devices like copiers, printers, and fax machines also contain storage, and that sensitive data can be recovered from these devices as well. Unless you are comfortable with someone reading everything you've ever printed, scanned, or faxed (not likely), make sure the device is properly destroyed or discarded.