Social engineering is one of the most threatening forms of hacking attacks: traditional technology defenses that security professionals are accustomed to using fall flat on their face when it comes to social engineering. Rebuilding and upgrading an information technology infrastructure (system hardening, firewall deployment, IDS tuning, etc.) protects against network and other technology attacks. However, users cannot be rebuilt or retrofitted. True, they can sometimes be trained, but it is often easier (and thus cheaper) to "train" an IDS to look for attacks than to train the help desk operator to fend off sneaky persuasion attempts. Sometimes humans can be removed from the security loop, but eliminating IT users is not an option for most companies.
As appealing as it might seem, it is impossible to patch or upgrade users. Humans are the weakest link in the security chain, especially poorly trained and unmotivated users. Even in tightly controlled environments, assuring that technical security measures are in place is easier than assuring that users don't inadvertently break a security policy, especially when subjected to expert social engineering assaults.
Social engineering attacks are simply attacks against human nature. A human's built-in security mechanisms are often much easier to bypass than layers of password protection, DES encryption, hardened firewalls, and intrusion detection systems. In many cases, the attacker needs to "just ask." Social engineering exploits the default settings in people. Over the years, such "defaults" (or "faults") have proven time and again that social engineering can breach the security of corporate research and development projects, financial institutions, and national intelligence services. Some of those defaults (such as a helpful response to an attractive stranger) are known to be unsafe, while some are condoned by our society as polite or useful.
Social engineering is not simply a con game; while it might not be apparent at first glance, social engineering is more than prevarication. In fact, many attacks don't involve a strictly defined deception, but rather use expert knowledge of human nature for the purpose of manipulation.