Social engineering differs greatly from other attacks: unlike most other types of attack, it can appear to be nothing more than everyday business to you and may never be detected. In summary, social engineering is the practice of trying to control or influence another person's actions and decisions. When used in an attack, social engineering can make a user give out information that they normally would not, or do something that is against policy, such as installing programs, emailing information, etc. The most common use of social engineering as an attack is to get a user's login information for various computer systems, or customer information such as addresses and social security numbers. Often performed by telephone, social engineering poses little to no risk to the attacker but a larger risk to the victim.
This obviously can have a widespread effect. Your systems can be compromised, your customers' information can be disclosed, and you may never even know that it occurred. We will analyze your policies on information disclosure, teach you what to watch (and listen) for, and show you how individual, separate attacks can combine to get the end result desired by the attacker.
Here are some examples of social engineering:
Some of these seem like harmless requests; however, they can provide critical information needed to gain access to your systems. Often a social engineer attempting to get into your systems will contact multiple people in the organization to get bits and pieces of information that are harmless separately but together can provide access or greatly help the attacker get into your system.
Why protect yourself from social engineering?
Social engineering attacks are not much different from an attacker gaining access to your systems or building. In fact, social engineering can be used to ultimately get access to those resources. This obviously can result in theft of equipment, customer information, or product information (intellectual property). Just like any other security enhancement, you will find that you get a better Return On Investment (ROI). However, social engineering training can actually help boost employee morale. Social engineering awareness training can make your employees more confident that they will not be tricked into revealing information; this can also make your employees more aware of other security threats and more likely to report those issues. This improves security all around, which improves your ROI even more.
Last Updated: 03/10/2008 02:57 AM