Okay so a few years ago a group of strangers walked into a big shopping form and walked out with access to the firms entire corporate network, you may be asking yourself how did they do it. They did it by obtaining small amounts of information bit by bit from a number of different employees in that firm.
First they did research about the company for two days before even attempting to set foot on the premises. For example they learned the key employees names by calling HR. Next they pretended to lose their key to the front door, and a man let them in, then they ” lost ” their identity badges when entering the third floor secured area, smiled and a friendly employee opened the door for them.
The strangers knew the CFO was out of town so they were able to enter his office and obtain financial data from his unlocked computer, they dug through the corporate trash finding all kinds of useful documents. They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands. The strangers studied the CFO’s voice so they were able to phone pretending to be the CFO in a rush, desperately in need of his network password. From there they used regular hacking techniques to gain access into the system.
In this case the strangers were network consultants performing a security audit for the CFO without any of the employees knowledge. They were never given any privileged information from the CFO but were able to obtain all the access they wanted through social engineering.
Most definitions of social engineering include; The art of getting people to comply with your wishes; A hacker that uses psychlogical tricks on legitimate users of a computer system in order to gain access to the computer system. Now these are for the most part true however in reality social engineering can be any and all of these things depending upon where you sit.
The one thing that everyone seems to agree upon is that social engineering is generally a hackers clever manipulation of the natural human tendency to trust. The hackers goal is to obtain information that will allow him or here to gain unauthorized access to a valued system and the information that resides on that system.
The most common type of social engineering attacks are performed on the phone, a hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack because hackers are able to pretend they are calling from inside the corporation by spoofing their number as one that is used inside the corporation.
Help desks are particularly vulnerable because they are in place specifically to help, a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Most help desk employees are minimally educated in the area of security and get paid peanuts, so they tend to just answer questions and go on to the next phone call. This can create a huge security hole.
A final, more advanced method of gaining illicit information is known as “reverse social engineering”. This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. If researched, planned and executed well, reverse social engineering attacks may offer the hacker an even better chance of obtaining valuable data from the employees; however, this requires a great deal of preparation, research, and pre-hacking to pull off.
Loading ...
0 Responses to “How To Social Engineer”