The weakest link in any security system is the human element. Tricking humans into voluntarily divulging secrets or performing counterproductive activities is the easiest way to subvert protective measures. In the world of information security, social engineering is this feat of trickery.
Social engineering is described by Thornburgh as the “…psychological manipulation and exploitation of people into performing actions or divulging confidential information.” When applied to network technologies, we refer to it as Con-Artistry 2.0. This is because, at its heart, social engineering is a confidence trick.
As with any con, there is a procedure that potential intruders follow. Mitnick and Simon, in their book The Art of Deception, described social engineering as a cyclical process composed of four interrelated steps:
- Step 1: Research. This step consists of research into the target. Such research may include learning the “lingo” of the target, but may also include basic Google searches for background information. Also included in this step is public information from sources such as SEC filings and press clippings, as well as “dumpster diving.”
- Step 2: Development of Rapport and Trust. The thieves make contact with the target and establish trustworthiness. Methods of creating trust include invoking an authority figure by using insider information, misrepresenting their identity, and referencing people the target knows.
- Step 3: Exploiting Trust. Using this newfound trust, the attacker asks the target to provide information or to perform an action.
- Step 4: Utilizing Information. The earlier steps are repeated until the ultimate goal is reached.
Understanding these steps can help corporations protect themselves, and can help them recognize that not all threats to security are high tech. Sometimes picking up a phone can be as dangerous to the bottom line as a robber with a gun.