What do sleazy salespeople and social engineers have in common? They are masters of ill-gotten gains. They try to milk you of valuable things you have taken for granted yet they can benefit from. How can you tell sleazy salespeople and social engineers apart? One thing is obvious — the other not so much. You know when you are about to be taken advantage of by a sleazy salesperson. Social engineers, on the other hand, are in and out without you even thinking about it. If there has ever been a predictable and consistent risk to sensitive information assets, it is social engineering. And there is no end in sight.
What It Is
Social engineering is nothing more than exploiting human beings for malicious purposes. In the context of information security, social engineering is used to gain entry into buildings, data centers, wiring closets and even the network itself in order to access systems and sensitive information. Social engineers are posers. They claim to be someone else in order to escalate their privileges and become a trusted part of your organization. Then, overly-trusting and gullible people facilitate their misdeeds. So do weak HR policies, IT processes and physical security controls. The Web has become an excellent facilitator of social engineering as well. From physical theft to identity theft — practically anything can happen as the result of social engineering and there is a lot riding on it from a business risk perspective.
We have all heard of social engineering. Some of us have even experienced it. It is sort of the dirty secret of information security yet it is often off the radar of management. You would think that something creating such a large risk to any given organization would get the attention of the right people. But it hardly happens. Even when controls are put in place, they are rarely enough to stop a good social engineer. Perhaps worst of all, the effectiveness of controls and procedures are never validated. They are put in place and left alone under the assumption that all shall be well. Hence the continuing cycle of exploitation.
Where You are Likely Weak
So how exactly is social engineering carried out to exploit weaknesses in your business? As with hacking, there are a million ways to do it. That said, it is typically the same set of simple oversights and weaknesses that create the foundation needed for a social engineer to take advantage. In my work performing security assessments, I see some really interesting things related to social engineering — many of which are really basic. That’s the thing about social engineering: it’s not any elaborate hacking of complex systems — it is taking advantage of human and procedural weaknesses that we do not think about.
For starters, employees are typically told what they can and cannot do with their computers, building access badges and so on. Everything from the employee handbook to new employee orientation looks nice and formal but it is not enough — especially since it is typically done once and forgotten about. Sure, employees are often the last line of defense against social engineering; however, telling employees what to do and not do is one thing, but expecting them to remain vigilant all day every day when they have a thousand other things going on is just not realistic. That is the fatal flaw.
There is also an assumption that just because a person is in the building that they are legit. Even if it looks like he or she is doing something out of line, there is a psychological phenomenon called bystander apathy that keeps people from intervening. People — your employees — become apathetic and believe that “it is not my business” and someone else surely knows that this is going on. This facilitates a lot of social engineering misdeeds.