Simply stated, “Social Engineering” as it relates to cybersecurity is tricking someone into giving up information or violating security procedures. It is non-technical in nature and relies heavily on human interaction. Most of the major breaches reported in the press used social engineering tactics as a component of the attack.
Authors of malicious software use social engineering to get users to open malware-infected emails. Phishing is used to convince people to give out sensitive information. Some scammers use scareware to get individuals to purchase useless and sometimes dangerous software.
Often social engineers try to gain the confidence or trust of the authorized user of a system to get them to reveal sensitive information that could compromise system security. They take advantage of people’s natural desire to be helpful. An example would be to contact an employee with an urgent issue that requires immediate access to the network or system. It also includes simply snooping or looking over a coworker’s shoulder.
There are several defined types of social engineering:
Baiting: Leaving media such as a USB drive or CD-ROM lying around for a curious individual to find and load onto their workstation, which then automatically installs malware.
Phishing: Using disguised fraudulent email that appears to be from a trusted source. The purpose is to get the recipient to install malware on the system or share sensitive information.
Spear Phishing: A phishing attack aimed at a specific target or individual.
Pretexting: Pretexting is lying to obtain information. An example of pretexting is an attacker pretending to need personal or financial data to confirm the identity of the target.
Quid pro quo: The attacker offers something the target might like (free gift) in exchange for sensitive information.
Shoulder Surfing: Just what it sounds like. Looking over a person’s shoulder while they enter sensitive information such as login credentials.
Dumpster Diving: Going through an organization’s trash to obtain information.
Tailgating: An unauthorized person following an authorized person into an otherwise secure location.
The best method to combat social engineering is employee awareness and education. Make certain individuals are aware of security policies and of the potential threats and consequences when personal, company, and/or client data is exposed to the wrong people.