Social engineering - The art of deception at the heart of your network
- Wednesday, August 13 - 2003 at 19:15
The best systems in the world can be easily penetrated by what is known as social engineering: the acquisition of sensitive information or inappropriate access privileges by an outsider, based on the building of inappropriate trust relationships with insiders.
Experienced social engineers use guilt, intimidation and emotion to convince people to hand over information that is either not considered confidential by the holder, or is perceived to be the kind of information the person posing as a confidant would commonly be expected to request. Targets can include sys admins, telephone operators, helpdesk clerks, accounts departments, secretaries and anyone else who holds any information at all, whether considered important or not.
Even information such as internal abbreviations, for example CAR (customer account records), can subconsciously deceive the target in an organization of hundreds or thousands of people into believing that the person on the other end of the telephone knows the internal procedures, and that even though they have never spoken or met there is no reason to mistrust them. The company is large, so for a clerk to chat on a daily basis with people he or she has never met before is quite common, and the use of internal jargon only adds to the ruse.
A request from a supposedly new network engineer for the password of a secretary or clerk, on the pretext that he is carrying out remote changes on his or her PC at the request of a senior VP or Director of IT (who is of course a trusted source), is quite common. This gives only limited access to the network, but sufficient access to information, whether or not it is perceived as confidential, especially if the target is in a responsible PA position, for example.
So how can you prevent this? Simple: awareness campaigns that encourage greater knowledge of information and systems among your employees, whether administration staff or upper management, since both can fall into the category of not knowing, or not needing to know, about security. Simple tactics, such as explaining the need for everyone to seek some form of authentication from callers or from anyone making verbal requests other than trusted people in person, go a long way. Security awareness is sometimes aimed at everyone other than the security department.
So the next time someone you have never met before requests information over the telephone and appears to be legitimate through their knowledge of internal procedures, seek a little authentication from them or their superiors; no one will ever criticize you for this.
Dean Bell, Managing Director, Scanit Middle East
