Social engineering refers to all techniques aimed at talking a target into revealing specific information or performing a specific action for illegitimate reasons.
Social engineering in IT
Though this form of trickery has always existed, it has evolved significantly with ICT. In this new context, social engineering techniques in IT can be looked at from two different angles:
- either by using psychological manipulation to get further access to an IT system where the actual objective of the scammer resides, e.g. impersonating an important client via a phone call to lure the target into browsing a malicious website to infect the target's workstation;
- or using IT technologies as support to psychological manipulation techniques to achieve an objective outside the IT realm, e.g. obtaining banking credentials via a phishing attack to then steal the target's money.
The increasing use of IT technologies has naturally led to an increase in the use of such techniques, as well as to their combination, to such a point that most cyber attacks nowadays include some form of social engineering.
Social engineering techniques
This entry will cover some of the most common techniques: pretexting, baiting, quid pro quo and tailgating. Phishing attacks also rely upon social engineering; this topic has been covered in a previous entry: Phishing/Spear phishing.
Pretexting
Pretexting involves the use of a pretext - a false justification for a specific course of action - to gain trust and trick the victim.
- Example: the attacker claims to work for IT support and requests the target's password for maintenance purposes.
Proper identification and authentication processes, policies and training should be in place to counter such attacks.
Baiting
Baiting involves luring the victim into performing a specific task by providing easy access to something the victim wants.
- Example: a USB flash drive infected with a keylogger and labelled "My private pics" left on the victim's doorstep.
Security policies such as an air gap and the blocking of non-authorised software and hardware will thwart most attempts, though staff should also be reminded not to trust unknown sources.
Quid pro quo
Quid Pro Quo, "something for something" in Latin, involves a request for information in exchange for a compensation.
- Example: the attacker asks for the victim's password in exchange for money, claiming to be a researcher conducting an experiment.
Quid pro quo attacks are relatively easy to detect: the value of the information requested is out of all proportion to the compensation offered, and that imbalance is reversed from the attacker's and the victim's points of view. In these cases the best countermeasure remains the victim's integrity and ability to identify, ignore and report such requests.
Tailgating
Tailgating is the act of following an authorised person into a restricted area or system.
- Example: the attacker, dressed as an employee, carries a large box and convinces the victim, who is an authorised employee entering at the same time, to open the door of the data-centre using the victim's RFID pass.
Access to non-public areas should be controlled by access policies and/or access control technologies, with a stricter combination the more sensitive the area. The obligation to wear a badge, the presence of a guard and actual anti-tailgating doors such as mantraps with RFID access control should be sufficient to deter most attackers.
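Badge readers at the doors mentioned above also produce an audit trail, and a tailgater is someone who is inside a zone without a corresponding badge event. The following script is an added illustration, not code from ENISA or from this entry; it assumes a simple two-zone building (a lobby door from outside into the office, a data-centre door from the office into the data centre) and a constructed CSV badge log, and flags any badge whose event is inconsistent with where the log last placed it.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed door topology (assumption for this example):
# door name -> (zone a badge leaves, zone a badge enters) when direction is "in".
DOORS: Dict[str, Tuple[str, str]] = {
    "lobby": ("outside", "office"),
    "datacentre": ("office", "datacentre"),
}


@dataclass(frozen=True)
class BadgeEvent:
    ts: str          # ISO-8601 timestamp as logged by the reader
    badge: str       # badge identifier
    door: str        # key into DOORS
    direction: str   # "in" (enter the inner zone) or "out" (leave it)


# Constructed sample log, CSV: timestamp,badge,door,direction.
# B002 leaves the data centre without ever having badged into it;
# B003 badges at the data-centre door without ever passing the lobby reader.
SAMPLE_LOG = """\
2024-05-01T08:00:12,B001,lobby,in
2024-05-01T08:00:40,B002,lobby,in
2024-05-01T08:10:05,B001,datacentre,in
2024-05-01T08:30:21,B002,datacentre,out
2024-05-01T09:00:00,B003,datacentre,in
"""


def parse_log(text: str) -> List[BadgeEvent]:
    """Parse CSV badge-reader lines; blank lines are skipped, malformed ones rejected."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(",")
        if len(fields) != 4 or fields[2] not in DOORS or fields[3] not in ("in", "out"):
            raise ValueError(f"line {lineno}: malformed badge event {line!r}")
        events.append(BadgeEvent(*fields))
    return events


def check_events(events: List[BadgeEvent]) -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Replay events, tracking the zone each badge is believed to be in.

    A badge presented at a door it could not legitimately have reached from its
    last known zone is reported; such gaps are the trace a tailgater leaves.
    Returns (alerts, final location per badge).
    """
    location: Dict[str, str] = {}   # badge -> zone; unknown badges start "outside"
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        src, dst = DOORS[e.door]
        if e.direction == "out":
            src, dst = dst, src
        known = location.get(e.badge, "outside")
        if known != src:
            alerts.append((e.ts, e.badge,
                           f"{e.direction} at {e.door} while last seen in {known!r}, "
                           f"expected {src!r}: possible tailgating"))
        # Trust the reader for where the badge is now, so later events are judged correctly.
        location[e.badge] = dst
    return alerts, location


def find_anomalies(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse a log and return only the alerts."""
    return check_events(parse_log(text))[0]


if __name__ == "__main__":
    for ts, badge, reason in find_anomalies(SAMPLE_LOG):
        print(f"{ts} {badge}: {reason}")
```

The check is deliberately strict: a single missed badge event produces an alert, which is what you want at a data-centre door but would be noisy on a door that is routinely held open. Tuning in practice means enforcing the rule only on zones where a mantrap or guard makes a missed event genuinely suspicious.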
Any organisation should identify its critical assets and implement the appropriate security policies and protocols. When necessary, these should be reinforced through the use of technology.
Nevertheless, the single most effective countermeasure to social engineering attacks remains common sense. In this light, ENISA recommends the following:
- frequent awareness campaigns: posters, presentations, emails, information notes;
- staff training and exercising;
- penetration tests to determine an organisation's susceptibility to social engineering attacks, reporting and acting upon the results.