Social engineering is one aspect of ethical hacking. It involves exploring flaws in humans: how we as people are vulnerable to being socially engineered, such that an attacker gains an advantage in compromising the system we are trying to protect.
It is a century-old tactic. Unknowingly, we encounter it in our homes and are familiar with it.
Social Engineering is the psychological manipulation of people into performing actions or divulging confidential information.
Classic Example of Social Engineering
The Trojan horse is a classic example of social engineering. It dates back to 1188 BC, some thousands of years ago. The 10-year war was coming to a halt. The Greeks were attacking the city of Troy. As an offering to the city, the Greeks built a horse, filled it with some of their elite soldiers, and pretended to sail away from Troy.
The Trojans carried the horse into their fortress as a token of their victory. They celebrated and went to sleep. As night fell, the Greeks came out of the horse and took control of the city. The Greeks had fooled the Trojans into thinking they left the horse as a gesture of defeat; the Trojans thought they had won the war. This is a classic pattern of social engineering.
The attackers, the Greeks, fooled the victims, the Trojans, into believing the gesture they made, so the Trojans let their guard down and felt relaxed. When the Trojans were at their most unprepared, the true intent of the Greeks became clear.
Soft Center within the hard shell
We spend a lot of money and resources on firewall systems, access control, and antivirus to protect our systems. But behind those controls are humans, who are vulnerable. Humans have access to resources, but can easily be engineered into bypassing the hard-shell systems (firewall, access control and antivirus). This is also referred to as the M&M problem.
We humans have many weaknesses that make it easier for attackers to exploit us. Let's discuss some major human weaknesses.
Most of us are familiar with this email. Some of us might have fallen for it too. I myself fell for it back in 2010 😅 This is one of the most widely used techniques, in which the attacker tries to exploit the greedy nature of humans.
Here the attacker tries to instil fear in the victim and also implies urgency (48 hours in total). Urgency is another human weakness.
In an urgent situation, a human tends to act differently than he/she normally would. There is no time for proper judgement, and this behaviour also makes it easier for an attacker to exploit us. We see urgency in our daily lives too.
The image below is a perfect example of helpfulness as a human weakness.
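The four weaknesses discussed above (greed, fear, urgency, helpfulness) are exactly what a mail filter can look for. The following is an added example, not code from the original post: a small heuristic triage that flags a message when it pulls on two or more of these levers at once. The cue lists and the sample messages are constructed for this illustration; a real filter would use a far richer lexicon and additional signals (sender reputation, link targets), but the scoring idea is the same.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Cue lexicons keyed by the human weakness each one targets.
# Constructed for this example; not taken from any real mail filter.
CUES: Dict[str, List[str]] = {
    "greed": [r"\blottery\b", r"\bprize\b", r"\byou have won\b",
              r"\binheritance\b", r"\bmillion\b"],
    "fear": [r"\bsuspended\b", r"\bunauthori[sz]ed\b", r"\blegal action\b",
             r"\baccount will be (closed|locked)\b"],
    "urgency": [r"\bwithin \d+ hours?\b", r"\bimmediately\b", r"\burgent\b",
                r"\bexpires? today\b", r"\bact now\b"],
    "helpfulness": [r"\bcould you (please )?help\b", r"\bi need a favou?r\b",
                    r"\bquick favou?r\b"],
}


@dataclass
class Verdict:
    score: int                       # number of distinct weakness categories hit
    hits: Dict[str, List[str]] = field(default_factory=dict)
    suspicious: bool = False


def score_message(subject: str, body: str, threshold: int = 2) -> Verdict:
    """Count the distinct weakness categories whose cues appear in the message.

    A mail that combines two levers (e.g. fear + a 48-hour deadline) is the
    classic pattern; a single cue on its own is common in legitimate mail,
    so the default threshold is two categories.
    """
    text = f"{subject}\n{body}".lower()
    hits = {}
    for category, patterns in CUES.items():
        matched = [p for p in patterns if re.search(p, text)]
        if matched:
            hits[category] = matched
    score = len(hits)
    return Verdict(score=score, hits=hits, suspicious=score >= threshold)


# Constructed sample messages: three pretexts and one ordinary office mail.
SAMPLE_MESSAGES = [
    ("Your account will be locked",
     "We detected unauthorized access. Verify within 48 hours or your account will be closed."),
    ("Congratulations! You have won",
     "You have won the international lottery prize of 1 million dollars. Claim immediately."),
    ("Quick favour",
     "Hi, it's Dan from accounts. Could you help me reset my badge? I need it urgent."),
    ("Team lunch Friday",
     "Let me know your preference by Thursday."),
]


def triage(messages=SAMPLE_MESSAGES) -> Dict[str, Verdict]:
    """Score every message and return the verdicts keyed by subject."""
    return {subject: score_message(subject, body) for subject, body in messages}


if __name__ == "__main__":
    for subject, verdict in triage().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{flag:10} {subject!r} -> {sorted(verdict.hits)}")
```

The categories matter more than the raw keyword count: one message hitting five greed words is less telling than one that pairs a threat with a deadline, which is why `score` counts categories rather than patterns.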
Types of Social Engineering Attacks
There are two types of attacks used in social engineering.
Computer based: phishing emails, malicious software updates, viral hoaxes
Human based: impersonation, shoulder surfing, tailgating
Counter Measures to Social Engineering
Defend against attackers both Electronically and Socially
Become resilient against such attacks
- Defense in both browser and email clients
- Physical security (chip-based ID cards, smart security personnel, card-enabled gates)
- Separation of duties and least privilege (involve more than one person to complete a sensitive task; only grant the access needed to perform a legitimate purpose)
- Logging, Auditing & Monitoring
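Separation of duties, least privilege and audit logging work together against the Mitnick scenario below: an attacker who talks one trusted person into acting still cannot finish the job alone. The following is an added example, not code from the original post, showing a hypothetical payment workflow that enforces a two-person rule (the requester can never approve their own request), grants each role only the permissions it needs, and records every denial for monitoring. The roles, users and amounts are constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical role model for this example: each role gets only what it needs.
ROLE_PERMISSIONS = {
    "clerk": {"payment:request"},
    "supervisor": {"payment:request", "payment:approve"},
    "auditor": {"audit:read"},
}


class PolicyError(Exception):
    """Raised when an action violates least privilege or separation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None
    released: bool = False


@dataclass
class PaymentSystem:
    users: Dict[str, str]                       # username -> role
    audit_log: List[str] = field(default_factory=list)

    def _log(self, event: str) -> None:
        ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.audit_log.append(f"{ts} {event}")

    def _require(self, user: str, permission: str) -> None:
        """Least privilege: deny (and log) anything the user's role does not grant."""
        role = self.users.get(user)
        if role is None or permission not in ROLE_PERMISSIONS.get(role, set()):
            self._log(f"DENY user={user} perm={permission}")
            raise PolicyError(f"{user} lacks {permission}")

    def request(self, user: str, payment_id: str, amount: int) -> Payment:
        self._require(user, "payment:request")
        self._log(f"REQUEST id={payment_id} amount={amount} by={user}")
        return Payment(payment_id, amount, requested_by=user)

    def approve(self, user: str, payment: Payment) -> Payment:
        self._require(user, "payment:approve")
        # Separation of duties: a second, distinct person must approve, so
        # coercing a single insider is not enough to release funds.
        if user == payment.requested_by:
            self._log(f"DENY id={payment.payment_id} self-approval by={user}")
            raise PolicyError("requester cannot approve own payment")
        payment.approved_by = user
        payment.released = True
        self._log(f"APPROVE id={payment.payment_id} by={user}")
        return payment


def demo() -> dict:
    """Run three scenarios and summarise the outcomes for inspection."""
    system = PaymentSystem(users={"alice": "clerk", "bob": "supervisor", "carol": "auditor"})
    outcomes = {}

    p = system.request("alice", "PAY-1", 9_500)
    try:
        system.approve("alice", p)            # clerk role has no approve permission
        outcomes["clerk_self_approve"] = "released"
    except PolicyError:
        outcomes["clerk_self_approve"] = "denied"

    system.approve("bob", p)                  # distinct supervisor: allowed
    outcomes["two_person"] = "released" if p.released else "pending"

    q = system.request("bob", "PAY-2", 12_000)
    try:
        system.approve("bob", q)              # may approve, but not his own request
        outcomes["supervisor_self_approve"] = "released"
    except PolicyError:
        outcomes["supervisor_self_approve"] = "denied"

    outcomes["deny_events"] = sum(1 for e in system.audit_log if " DENY " in e)
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The `DENY` entries are the monitoring hook: a burst of self-approval attempts or permission denials around one account is the kind of signal that tells a SOC someone is being pressured, long before money moves.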
"A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption, and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted." (Kevin Mitnick)
As humans, we need to be self-aware and remain safe. I hope this post gave a new perspective on what we face daily. Remain Safe & Protected 🥷🏻