Social Engineering
What is Social Engineering?
The act of someone coercing you to expose information or violate
established security policies. This normally takes the form of
questions about employees, practices, or identity-validation
exceptions justified by some fictitious crisis (e.g. a forgotten
password needing a reset, the CIO's email address, a co-worker's
phone number, etc.).
Who is susceptible?
Everyone is at risk. Human nature is to aid someone needing
assistance. A Social Engineer preys on that psychological need to
bait the employee into breaching security, often leaving the employee
with a feeling of accomplishment (of having done good).
What is the Risk?
Exposure of potentially sensitive information that can be used to
gain access to more important information, fulfilling the
reconnaissance prerequisite of the attack.
Protective Measures:
Social Engineering is hard to resist if the attacker is skilled.
Watch this video from John Sileo for techniques on how to
identify and avoid being socially engineered.
Safety Tips:
1. Never provide any information without first properly identifying
the requester. If necessary, call them back using a number from the
organizational directory to verify that they are who they claim to be.
2. Listen for audio clues (e.g. hesitation) that this person
doesn't have the appropriate access, or is fishing for information
they should already know.
3. If this occurs at work, never be afraid to transfer the call to
a supervisor if you have concerns. Always report attempted
Social Engineering to the Organizational Helpdesk immediately.