Social Engineering Attacks


Tomasz Trejderowski
Article date: 2006-08-10 16:56:55

Somebody once aptly called social engineering "hacking the mind". It is a blend of social engineering proper (exerting pressure on and manipulating people) and cracking (breaking into IT systems). The combination of these two mechanisms results in a powerful tool whose destructive power many still remain unaware of.

About the Author

Tomasz Trejderowski - a metallurgist by education; by profession a writer, lecturer, programmer and Web designer. Author of books and articles. A PhD student at the Silesian University of Technology. Web page: http://www.tomasz.trejderowski.com/

Albert Einstein once said: "Only two things are infinite - the universe and human stupidity, although I am not entirely sure about the former." Many people connect this saying with manipulation and social engineering. Although in the case of manipulation this could perhaps still be justified, I would be much more sceptical when speaking about social engineering - the key role here is played more often by ignorance than by actual stupidity. It is unawareness of certain rules that underlies the success of so many social engineering attacks against companies; the behaviour of employees could be called stupid only if they openly and consciously accepted the methods employed by the social engineer attacking their company.

Figure 1. Which bystander would discover the password "hidden" in such a print-out?

This lack of awareness is the source of social engineering's power. If an experienced cracker breaks the network security of a company, someone will certainly try to explain the whole incident by a lack of knowledge or competence on the part of the network's administrators or users. However, when the company is attacked by a social engineer, the victims of the attack will not only remain unaware that they are being manipulated, but will also fail to connect certain facts with each other even long after the incident. Although it sounds cunning, social engineering attacks are subtle. Kevin Mitnick - the most famous social engineer in the world (and not, contrary to how the media portray him, a cracker) - has always repeated in his interviews that many times he obtained information simply by asking for it. In the right way, of course.

Social Engineering

The theoretical foundation of social engineering attacks is social engineering proper, that is, the political science of exerting pressure, persuasion and manipulating people. In every attack involving social engineering one can find traces of certain fundamental principles:

  • The reciprocity principle - anything positive (help, support, a gift) received from another person generates in one an immediate and almost irresistible will to reciprocate.

  • The social proof of equity principle - "10 thousand customers cannot be wrong!". According to this principle, it is easier to convince someone of something if (s)he is shown that others think or behave in the same way.

  • The nicety principle - if one likes someone or finds him/her nice, one will be much more eager to fulfil that person's requests.

  • The authority principle - one has no courage to oppose someone smarter, more experienced or higher in the hierarchy than oneself. This mechanism works even if one is certain that the decision or action taken by that person is wrong.

  • The engagement and consequence principle - once one has become engaged in something, (s)he will consistently strive to achieve the intended goal.

  • The inaccessibility principle - one's perception of an item's value grows when it is temporarily or permanently inaccessible. There is also an inverse inaccessibility principle: things which are common, obvious and easily accessible have little worth in one's eyes.

  • The worth and gain principle - valuable things (in both the material sense and e.g. honour, good name, fame) are worth fighting for. If the social engineer creates in one the impression that such aspects of life are threatened, (s)he can easily manipulate one into taking actions one would never take of one's own free will.

These principles are used very often in social engineering in general (in the media, politics, professional life). Social engineering attacks most commonly involve various combinations of them.

However, one should keep in mind that the most popular mechanism employed by social engineers while attacking companies is simply lying.

Ambiguity of Terms

Some people see a need to make a clear distinction between two forms of social engineering: the totalitarian influencing of whole nations (or large groups of people) and information manipulation directed against an individual (or a small group of people). In the latter case one sometimes encounters the terms socioinformatics and sociohacking.

On the other hand, other people believe that even though computing and totalitarianism (as well as marketing, the media, business etc.) are very far apart as domains of knowledge, exerting pressure on people in these different fields can be treated as an equivalent, or even identical, mechanism. Therefore, they use the same term in all these contexts - social engineering.

The term social engineering seems to be the most popular, so that is what is used in this article, even though it has as many advocates as opponents.

The Level of Danger

Awareness of the danger originating from social engineering is still low, and the threat is underestimated and marginalised by most companies.

Where do I get such sensational data? I will quote my own example, which in my opinion illustrates the scale of the problem well. In addition to writing articles I also work as a lecturer. The training centre I work for is the only one in the region to organise courses in the field of social engineering. Within a year, for the two courses organised, we had trouble finding ten customers - and I live and work in a city (Katowice, Poland) of three hundred thousand inhabitants and 50-80 thousand companies (the situation is similar in other European cities). I believe this is sufficient proof of the almost absurdly low awareness of threats from this domain.

When attacking, a social engineer approaches the weakest link of every company - the person. Social engineering attacks the subconscious level of the human mind - spheres whose activity one often does not realise: reflexes and automatic mechanisms. Attacks like that cannot be prevented by firewalls, anti-virus software or even hundreds of thousands spent on IT security. The only possible protection here is regular training through sociotechnical courses, which will eliminate the unawareness I mentioned earlier in the article.

As I shall show later in the article, only at a superficial glance does the danger seem not to involve us personally - in reality it lurks in every company, every city and every moment.

Copyright © 2006 by Software Developer's Journal. All rights reserved.