Social engineering, as listed in the Merriam-Webster online dictionary, can be defined as follows:
“…management of human beings in accordance with their place and function in society…”
Today’s news reports, books, blogs, and various other forms of media describe specific events where social engineering is utilized to perform illegal, unauthorized, or fraudulent activities. In fact, according to Symantec Corp.’s 2014 threat report, the number of spear-phishing attacks increased by 91% in 2013.
These attacks may include (but clearly is not limited to) the theft of non-public personal information, financial information, confidential corporate (inside) information, and physical assets of value.
To launch a successful attack, being able to manage the emotions, reactions, and feelings of a human being is critical to “success.”. The successful social engineer has to analyze the place and function of people and other physical controls intended to stop these activities from occurring in the first place. Society, in this case, is an organization.
Take a look at other definitions of “social” and “engineering” and it becomes even clearer as to why each and every society, or organization, is at risk:
“…marked by or passed in pleasant companionship with one’s friends or associates…”
“…tending to form cooperative and interdependent relationships with others of one’s kind…”
Why are there so many cases of successful social engineering attacks?
We are human beings. By our very nature we like to congregate, to make friends, to be accepted by others. We depend on each other in order to further our society as a whole. We like to help each other succeed. In addition, the attackers are becoming increasingly vicious in their attempts to play on our emotions. This CSO article outlines how attackers have shifted from almost playful tactics to more insidious methods by playing on people’s fears.
“…calculated manipulation or direction… (as it pertains to social engineering)”
This is the icing on the cake for “successful” social engineers. Because we are social beings at our core, we can easily be manipulated. We trust. We believe in each other. As a result, our actions and reactions can be directed to serve the needs of someone with a nefarious motive.
Do I have you the least bit worried? Have I caused you to step back, even for a moment, and think about how this all applies to your own organization? I hope I have. If you have any influence over the control structure within your organization, now is the time to act. DefCon 22 challenged participants to use social engineering methods to attack some of the largest corporations in America. The rate of success varied, but all companies (including Home Depot, Macy’s and CVS) were shown to be vulnerable to these types of attacks.
As much as it may be counterintuitive to you, to protect your organization, you must think like a criminal. How would you engineer your own organization? What does your organization have of “value” to others? How would you attempt to penetrate your own physical security?
This blog series “Tales of a Social Engineer,” is intended to help you add at least a few tools to your organizational repertoire, be they actual social engineering techniques or just other ways to think about controls (physical security or otherwise) and threat/risk management. In addition to discussing techniques which I have previously utilized, I also hope to take a look at some of the root causes/issues which I have been able to take advantage of and subsequently utilize to “succeed” in my efforts to expose vulnerabilities that exist in many organizations.
As noted above, we humans are cooperative, interdependent beings. To that end, I hope that you will make this series of tales just that, a cooperative effort.
– Jeff Bamberger