Social Engineering: Implications for Your Security

Social engineering – the calculated manipulation and exploitation of people has historically been associated with cyber security issues.  Computer hackers found they could best get access to secure networks by targeting the weakest link – the human factor.

The same techniques used to get an employee to give up their password or provide other information to facilitate entry into a network can be used to gather information to compromise a person’s personal security as well.

Social engineering can use any one of a combination of several vectors to approach the target – telephone, email and in person being the three primary ones.

The example of the Colombian kidnapping gang that use Facebook to target their victims that we discussed in the last post is applicable here.  While there is limited information currently available on that incident it appears the the victims were cultivated over a period of weeks or months via the use of social engineering techniques on Facebook. The information available on Facebook gave the kidnap gang a foundation with which to build their approach.  Knowing something about their victim – his lifestyle, interests and hobbies would help them develop an online relationship and build rapport that would put him at ease.

Understanding and recognizing the techniques employed in social engineering is the best defense against them.  Here are some of the primary ones you may encounter:

Elicitation: Elicitation is a method of extracting information from an unwitting person by framing questions and statements in such a way that the person gives more information than they normally would or would intend to.

Pretexting:  The social engineer presents himself as someone other than who he really is in order to get information or drive a certain course of action.  In some cases this may mean the social engineer portrays himself as an authority figure.  In the case of the Facebook Kidnap Gang the kidnappers presented themselves as beautiful, available young women.  The anonymity of the Internet facilitates this immensely.

Influence and Persuasion Techniques:  By artfully exploiting human desires to be liked, reciprocity and obligation and the introduction of fear social engineers can compel people to reveal sensitive information or perform a certain action on their behalf.

This is a broad overview of social engineering – in particular how it relates to personal security.  Using clever techniques criminals can not only commit fraud and information theft, they can also facilitate violent crimes like kidnapping.  These tactics may be directed at the victim himself/ herself or at unwitting third parties like coworkers and domestic staff.  The first step to countering these techniques is being able to recognize them.

Advertisements

One Response to Social Engineering: Implications for Your Security

  1. Pingback: Digital Forensics, Inc. Social Engineering: Implications for Your Security « Protective … | Digital Forensics, Inc.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: