Posted: August 15, 2018
Social Engineering is a low-tech method used for gaining access to resources, whether they are physical, technical, monetary, or informational (e.g. trade secrets, confidential data). Phishing is one example of Social Engineering.
What is Social Engineering?
Social Engineering is the art and science of getting people to comply with your wishes. Another often used definition is the use of psychological tricks on legitimate users of a computer system to gain the information needed to gain access to the system.
Consider the following: Eddie Murphy’s and Leonardo DiCaprio’s characters in Beverly Hills Cop and Catch Me If You Can, or Sacha Baron Cohen’s Borat character. If you remember the Wild Wild West series, think of Artemus Gordon, who often resorted to impersonation to trick his intended targets.
Motivations for Social Engineering
There are multiple reasons why an entity or individual might want to engage in social engineering, including espionage, sabotage/terrorism, greed, monetary gain, breaching a physical barrier, the challenge of it, or gaining information.
Some Examples of Social Engineering
How Does it Work?
Why It Works
What You Can Do to Prevent it
As an employee, you can take the following steps to avoid being compromised:
In your personal life, the following steps can help you avoid being victimized:
Real Life Example of Social Engineering in Action
Back in 1985, a childhood acquaintance of mine was determined to attend the July 13 Live Aid Concert at John F. Kennedy Stadium in Philadelphia free of charge. Little did I know at the time, but I was about to get my first introduction to social engineering in action.
My acquaintance’s first order of business was to scan the list of performers and focus on some of the lesser known artists. He identified Billy Ocean as his point of entry, although he knew nothing about this performer at the time.
He then contacted the promoter of the Live Aid Concert claiming to be Billy Ocean’s cousin and acted indignant that he had not yet received his backstage passes. Rather than confirm his identity, the promoter referred him directly to Billy Ocean’s manager.
My acquaintance then contacted the manager directly and acted equally indignant that he had not yet received the tickets to his “cousin’s” concert. The manager did not challenge him in any way and agreed to send him backstage passes.
He received the backstage passes and free parking passes, and ended up taking one of my brothers as his guest. They attended the concert and mingled freely with celebrities attending or performing (e.g. Phil Collins, Chevy Chase, Jack Nicholson and Don Johnson, among others). With surprisingly little effort and virtually no road-blocks: mission accomplished.
Moral of this story:
This entire situation would have had a much different outcome had the promoter called the manager directly to verify my acquaintance’s claim that he was the artist’s cousin. The manager should have been provided a list of family and friends directly from Billy Ocean. Even without the list, the manager could have easily contacted Billy Ocean directly and confirmed the relationship (or lack thereof). The manager could also have tested this con artist by asking him personal details about Billy Ocean that his “cousin” should have known. Due to time constraints, simple negligence or possibly a lack of awareness, no preventive measures were taken, and having had such a quick and easy win, the propensity to continue this nefarious behavior was reinforced in my acquaintance.
A con artist was born, and this behavior has continued since. This individual has since successfully posed as a member of the press to gain access to a press box and free parking at sporting events, and has interviewed professional athletes in this guise. He has also successfully posed as an EMT, a maintenance worker and a pizza deliveryman to gain admission to sporting events and concerts. He was offered a job as an executive chef at a resort after having charmed the owner into believing he was the head chef at a posh Miami Beach hotel. He has also successfully talked his way into a major studio in Los Angeles as well as private, members-only clubs up and down the East Coast.
Unfortunately, social engineering is alive and well, and we should all take measures to ensure we are not a victim of it or an accomplice to it.
Bruce is a senior consultant with Compliance Point, located in Texas, serving clients on audit-related initiatives. He retired from Fidelity Investments after 11 years of being responsible for disaster recovery and interfacing with internal and external auditors by preparing for reviews (SSAE16, ISO27002, SOC1, SOC2), and managing access programs (terminations, transfers, elevated access reviews) for Fidelity. Bruce holds the CISSP, CISA, CISM and CIPP certifications and an MS degree in Financial and Investment Management from Drexel University. Bruce has also previously held both secret and top secret clearances while working in the defense industry and has authored two articles on mainframe security.