Everyone should be very familiar with the idea of social engineering and be aware of what a social engineer is trying to do. Social engineers are people who make their living taking advantage of others. Social engineering works because we as humans are wired to help people.
It may be goodwill, or it may be social pressure, but there is no doubt that it exists. If someone comes up to us and asks us to watch their cart in the grocery store, chances are, we do it. If someone asks us for directions, we tend to want to help them. If someone asks us to hold that door because they’re carrying a heavy box, we help make their day a little better; it’s in our nature.
But what about when holding that door means they have just walked into a secure area? “Tailgating” is an incredibly popular social engineering technique precisely because it works so often.
What makes social engineers effective in the real world is that they are aware of that hard-wired behavior, and they have learned to take advantage of it. They can take our human nature and turn it against us, and those tricks often work when the target is a business. Think about your office. How often do you see the food delivery guy, someone delivering a sandwich or a pizza? When was the last time you checked to see whether that delivery guy was actually delivering food? Sometimes the simplest social engineering tricks work best. Some guy in a blue polo and a black baseball cap carrying a $10 pizza can get a social engineer almost unlimited access to an office. At that point, it’s as simple as slipping a thumb drive into the back of a computer while they walk around “looking” for whoever ordered the pizza, and the attack is under way.
These attacks can happen over the phone, too. Jim from IT is on the phone, and he wants your log-in information. There are a few things you need to consider in a situation like this:
- Is there even a Jim in IT?
- Why would IT be calling for your log-in information?
Start asking these types of questions whenever sensitive information is requested over the phone. Phone attacks are especially dangerous, because you do not get the luxury of seeing who you’re speaking to. Stopping these sorts of attacks at the office is simple once the habit of questioning people is developed. If you see someone walking around without an escort, ask them who they are there to see, and when they answer, take them to that person. If they can’t answer, escort them back to the security desk. Unsure of someone on the phone? Ask to call them back at a number you can verify, so you can confirm who they are. Shutting down a physical social engineering attack is as simple as that.
This is an excerpt from the Global Knowledge white paper, Human Vulnerabilities in Our Current Threat Landscape.