Lying… trickery… duping… all words for the same thing. Words that have taken on a new meaning in the world of the on-line… connected… human! Words that have evolved into high stakes games on misinformation, fraud and identity theft. Words that have taken on the new moniker of social engineering!

Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical cracking techniques; essentially a fancier, more technical way of lying (wikipedia.org, 2010). So what does this all mean? Well, how many times have you answered the phone and the person on the other end of the line starts asking you questions about your mortgage? Wanting to help you reduce your rates! They start by asking benign questions and then move on to more personal information… such as your date of birth or, heaven forbid, your social security number. You’re happy to give away that information in exchange for $200 off your monthly expenditures!

Or how about that cold call asking if you’re in charge of the network infrastructure at your place of employment? Or perhaps they want to know what routers you use or the brand of toner you purchase. Sure, they may be mere cold calls… BUT they could be so much more. Social engineering is not about knocking at one door to see who answers; rather, it’s about gathering as much information as possible and using the information gathered in previous calls to further the manipulator’s efforts to make inroads into an organization.

In his book The Art of Deception, Kevin Mitnick goes to great lengths to illustrate the ways in which we can be tricked into revealing information that may be commonplace within an organization but, to an outsider, can be very damaging if used inappropriately. In a 2006 interview with Tom Espiner, Kevin Mitnick shared his thoughts on what signs to look for in a possible social-engineering attack.

Mostly, it’s gut instinct: if something doesn’t look or feel right. If someone is calling on the telephone, but they refuse to give any contact information, that’s a red flag. If they make a request that’s out of the ordinary, that’s a red flag. If they make a request for something sensitive, that’s when verification is necessary, depending on company policy (Espiner, 2006).

Honestly, The Art of Deception should be required reading for anyone responsible for security in any kind of organization… especially IT and HR departments! Social engineering needs to be addressed. Still and all, no matter what technical measures you introduce, people will do and say careless things under insecure conditions (Coffee, 2006). Employees need to be educated about the various forms of phishing and other social engineering practices, both when using the Internet and when answering the phones (Heese, 2007).

At the end of the day, humans have a need to help others. It is ingrained within each of us. We have to get in touch with our inner selves… that part of us that screams out that something is wrong. We need to listen to that voice and heed its warning.

Resources:

Coffee, Peter (2006, August 14). Security Success Depends on Good Management. Retrieved July 6, 2010, from http://www.eweek.com/article2/0,1895,2001478,00.asp

Espiner, T. (2006, June 14). Kevin Mitnick, the great pretender. Retrieved July 6, 2010, from http://news.cnet.com/Kevin-Mitnick,-the-great-pretender/2008-1029_3-6083668.html

Heese, W. (2007, February 21). Computer system security policies – key trends. Retrieved July 6, 2010, from http://weblog.randomdog.net/?p=942

Various (2010, July 4). Social Engineering (security). Retrieved July 6, 2010, from http://en.wikipedia.org/wiki/Social_engineering_(security)