The IT Law Wiki
Register
Advertisement

Definitions[]

Social engineering

[is] the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques.[1]
[is a]n attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks.[2]
[occurs when] an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems. An attacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher and even offering credentials to support that identity. However, by asking questions, he or she may be able to piece together enough information to infiltrate an organization's network. If an attacker is not able to gather enough information from one source, he or she may contact another source within the same organization and rely on the information from the first source to add to his or her credibility.[3]
[is a]n attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user to attempt to gain access to systems illicitly.[4]
[t]he act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.[5]
manipulating a person, overtly or otherwise, into performing actions or divulging confidential information. It can be in person or through cyberspace, such as grooming targets on social media.[6]

Overview[]

It refers to techniques designed to fool human beings into providing information or taking an action which leads to the subsequent breach in information systems security. The term is intended to make a distinction from computer engineering or software engineering, in that social engineering uniquely attacks the human component of an information system.

Social engineering is possible because the human beings who install, configure, operate, and use IT systems of interest can be compromised through deception and trickery. Spies working for an intruder may be unknowingly hired by the victim, and more importantly and commonly, users can be deceived into actions that compromise security.[7]

Humans are a weak link in the security chain, and this concept has been exploited by criminals in both the physical and cyber worlds. Email, web browser, and instant messaging (IM) applications are some of the more commonly used communications channels for delivering social engineering attacks.

How it works[]

There are five steps to ensure a successful social engineering attack.[8]

First, the individual or target is chosen and all relevant information concerning that target is collected. Such information can include job advertisements, published reports, company brochures and any other publicly-available information, with the aim of gathering enough to heighten the perceived legitimacy of the attack. Social engineering can be performed through many means, including analog (e.g., conversations conducted in person or over the telephone) and digital (e.g., e-mail, instant messaging). One form of digital social engineering is known as phishing, where attackers attempt to steal information such as credit card numbers, Social Security numbers, user IDs, and passwords.

Social networking websites can reveal a large amount of personal information, including resumes, home addresses, telephone numbers, employment information, work locations, family members, education, photos, and private information. Social media websites may share more personal information than users expect or need to keep in touch.

Examples of social engineering include telephoning the IT help desk and pretending to be an employee and asking for your password to be reset in order to gain unauthorized access to an employee's computer account and the network; or sending an e-mail impersonating a victim's bank in order to get the victim to click on a phishing URL and provide their bank account password into the fake attacker-controlled website.

Social engineering may be used to target specific high-value individuals or groups in the organization, such as executives, or may have a broad target set. Specific targets may be identified when the organization knows of an existing threat or feels that the loss of information from a person or specific group of persons could have a significant impact.

Second, the collected information is then analyzed and a vulnerability, which can be used to reach an objective, is determined.

Third, access to the individual is then established.

After this preliminary work has been completed, then the attack can take place.

Finally, once the attack is completed all evidence of the attack can be destroyed.

Countermeasures consist of three steps that work in tandem: protection, detection and reaction.[9] Since protection can never be guaranteed, a greater emphasis should be placed on detection and reaction. This should increase the chances that an organization will know when a security breach has taken place and how to address the threat.

References[]

  1. Joan Goodchild, "Social Engineering: The Basics" (Dec. 20, 2012) (full-text).
  2. NIST Special Publication 800-61 (rev. 2), Glossary, at C-1.
  3. Avoiding Social Engineering and Phishing Attacks.
  4. Information Technology Security Handbook, Annex 1, Glossary.
  5. Criminal Justice Information Services Security Policy, Glossary, at A-11.
  6. Australia's Cyber Security Strategy, at 17.
  7. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues, at 78.
  8. Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (2000).
  9. Id.

See also[]

External resources[]

  • "The Threat of Social Engineering and Your Defense Against It" (full-text).
Advertisement