Using manipulation and deceit to trick victims into giving out confidential information
Social engineering is a technique used by hackers and non-hackers alike to gain access to confidential information. Instead of attacking the technology, the attacker uses manipulation and deceit to trick victims into handing over confidential information themselves.
Some of the social engineering methods attackers use include:
- Sending messages that contain dangerous attachments (e.g., malware) with text that encourages people to open the attachments
- Pretending to be the main administrator of a local network and asking for the victim's password in order to perform a maintenance check
- Telling a victim over the phone that he/she has won a prize, and asking for a credit card number in order to deliver it
- Asking for a user's password for a certain Internet service, such as a blog, and later using the same password to access the user's computer. This technique works because users often reuse the same password across many different accounts.
Protective Measures
Practices
- Do not give out confidential information to anybody: Never give your password to anybody, not even an administrator. Only give your credit card numbers to trusted individuals or organizations.
- Change your passwords frequently: This limits how long a password an attacker has obtained remains useful for accessing your accounts.
- Follow your company's security policies: These policies are designed to protect you and the infrastructure of the organization.
- Don't automatically trust unknown people: If you see an unknown person lurking or wandering around your office or building, alert security or other responsible personnel. Don't trust somebody just because he is wearing an official uniform or claims to be acting in a certain capacity.
Settings
- Disable automatic opening of attachments: This keeps your email application from automatically opening attachments that contain malware.
Legal
As with other hacking techniques, social engineering can be prosecuted in the United States. One of the most famous examples is Kevin Mitnick, who served five years in prison for using social engineering to enter the websites of multinational corporations.
Ethical
Social engineering uses deception to wrongfully gain information; therefore it is a violation of the trust that social and business interactions depend upon.
Links
- Case Study of Industrial Espionage Through Social Engineering (National Institute of Standards and Technology, Computer Security Division), PDF