Social Engineering

Unlike the other attack types, social engineering does not refer to a technological manipulation of computer hardware or software vulnerabilities, and it does not require much in the way of technical skills. Instead, this type of attack exploits human weaknesses—such as carelessness or the desire to be cooperative—to gain access to legitimate network credentials. The talents that are most useful to the intruder who relies on social engineering techniques are the so-called "people skills," such as a charming or persuasive personality or a commanding, authoritative presence.

Social engineering is defined as obtaining confidential information by means of human interaction (Business Wire, August 4, 1998). You can think of social engineering attackers as specialized con artists. They gain users' (or even better, administrators') trust and then take advantage of the relationship to find out user account names and passwords or have the unsuspecting users log them onto the system. Because it is based on convincing a valid network user to "open the door," social engineering can successfully get an intruder into a network that is protected by high-security measures such as biometric scanners.

Social engineering is, in many cases, the easiest way to gain unauthorized access to a computer network. The Social Engineering Competition at the annual DEFCON hackers' convention in Las Vegas attracted hundreds of attendees eager to practice their manipulative techniques. Even hackers who are famous for their technical abilities know that people are the biggest security vulnerability on most networks. Kevin Mitnick, convicted computer crimes felon and celebrity hacker extraordinaire, tells in his lectures how he used social engineering to gain access to systems during his hacking career.

Note 

For more information on Mitnick's lectures, see Mitnick Teaches Social Engineering, at www.zdnet.com/filters/printerfriendly/0,6061,2604480-2,00.html.

These "engineers" often pose as technical support personnel—pretending to work as either in-house staff or for outside entities such as the telephone company, an ISP, the network's hardware vendor, or even the government. They often contact their victims by phone, and they usually spin a complex and plausible tale of why they need the users to divulge their passwords or other information (such as the IP address of the user's machine or the computer name of the network's authentication server). For more information about social engineering and how to tell when someone is attempting to pull a social engineering scam, see the preview chapter, Everything You Wanted to Know About Social Engineering—But Were Afraid to Ask, at the Happy Hacker Web site, located at www.happyhacker.org/uberhacker/se.shtml.

Exam Warning  

You must know about social engineering for the SSCP exam. Make sure you know its definition and how it is done.

Protecting the Network Against Social Engineers

Administrators find it especially challenging to protect against social engineering attacks. Adopting strongly worded policies that prohibit divulging passwords and other network information to anyone over the telephone and educating users about the phenomenon are obvious steps that administrators can take to reduce the likelihood of this type of security breach. Human nature being what it is, however, some users on every network will always be vulnerable to the social engineer's con game. A talented social engineer is a master at making users doubt their own doubts about his legitimacy.

The "wannabe" intruder could regale the user with woeful stories of the extra cost the company will incur if the user spends extra time verifying his identity. He could pose as a member of the company's top management and take a stern approach, threatening the employee with disciplinary action or even loss of job if he does not get the employee's cooperation. Or the social engineer could try to make the employee feel guilty by pretending to be a low-level employee who is just trying to do her job and who will be fired if she does not get access to the network and take care of the problem right away. A really good social engineer is patient and thorough. Social engineers do their homework and know enough about the company they target, or the organization they claim to represent, to be convincing.

Because social engineering is a human problem, not a technical problem, prevention must come primarily through education rather than technological solutions. Education works best when it is paired with a simple, enforced verification routine that users can fall back on under pressure: for example, never act on a request for a password or configuration detail received by phone or e-mail without calling the requester back at a number already on file, and route all such requests through the help desk rather than handling them individually. Limiting what a single disclosed password can do (for instance, by requiring a second authentication factor for remote and administrative access) reduces the damage when a user is fooled anyway.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
