Social engineers have been around since the beginning of the human race, or at least since we learned to communicate with one another – although they might not have been called that until recently. But hey, the new title sounds so much classier than “con man (or woman).”
Social engineering in the digital age has been recognized for years as one of the top factors in network intrusions and data breaches. Like every other aspect of technology, it has evolved at a rapid pace, and today’s social engineers are far more sophisticated, with many more techniques in their repertoires, than back in the days when a teenaged Kevin Mitnick was talking his way into DEC. In this article, we’re going to take a look at where social engineering is today and who’s doing it – including the well-paid professionals who social engineer a company’s computer users at the request of that company’s own management, to test security awareness and policy compliance.
The primary goal of hackers, crackers and attackers is to get into digital “places” where they’re not supposed to be. The objectives vary: to plant viruses or other malware, to steal passwords, identities or data, or to overload a system or network (denial of service) and bring its usefulness to a screeching halt. But whatever the desired end result, it’s all about obtaining access – unauthorized access. There are two basic ways to get inside somebody else’s network: through technological means (hacking the code) or through social engineering (hacking the humans).
To call one the “easy way” and the other the “hard way” would be misleading, because the relative difficulty depends on an individual attacker’s particular skills. There are plenty of talented code jockeys who can worm their way in from the keyboard but whose ability to communicate with real, live people and persuade them to do anything at all is nil. There are also masters of manipulation who could sell air conditioners in the Arctic but are incapable of any but the most rudimentary programming tasks. The latter are perhaps more to be feared than the former.
At its best (or worst, depending on your perspective), social engineering is both an art and a science. Social engineers are motivated by the same things that have driven criminals into the con game throughout history: the desire for money or things that don’t belong to them, the need to prove they’re smarter than their victims, the desire for control and power over other people, or even simply for amusement. Some social engineers use their skills to support themselves while others do it “just for fun.” At the crux of social engineering is the ability to deceive people into giving you something, whether that’s their money, their love/friendship, or their computer passwords.
Computer users – including the administrative variety – are only human, and social engineers play on people’s weaknesses. Whatever the motive, the techniques used by social engineers today are a mix of ancient, tried-and-true methods and new, creative ways of convincing people to give up the goods, which in this case means information the attacker can use to view, steal or tamper with digital assets. The first step is to gain your trust.
A good social engineer can do that in different ways. He (or she – women are often highly effective social engineers, because many people are less suspicious of an unfamiliar woman than of an unfamiliar man) can build rapport by establishing empathy with you, becoming the instant soul mate who understands and relates to all of your problems and/or accomplishments. The flip side of that is the social engineer who elicits empathy or sympathy from you, confiding in you about his/her troubles or sharing – with a little carefully enacted embarrassment – a moment of great pride or happiness that is just too great to keep bottled up inside.
Modern social engineers use all the traditional tricks of the trade: creating artificial time constraints, i.e. urgency (“I only have until 2:00 p.m. to get this done”), appealing to the natural human tendency to want to help (“I am going to be in soooo much trouble if I don’t get this done”), stroking the target’s ego (“You are so much better at this than I am”), and offering a quid pro quo, i.e. reciprocity (“If you will please bend the rules this time, I’ll make sure the boss knows it was your help that got this done on time”). A request that combines two or more of these – a deadline plus a favor owed, for instance – is a strong sign that you are being worked.
Although building rapport with the target is usually the most effective way to get people to divulge secrets, especially over the long term, another social engineering approach takes the opposite tack and tries to intimidate the victim into revealing the needed information: invoking a real or made-up important-sounding job title (“I’m a HIPAA investigator and I need access to this right away”), claiming to be there on behalf of the “big boss,” or even appearing physically threatening. The common thread is an appeal to authority that the target has no practical way to verify on the spot.
How, then, do today’s social engineers differ from their predecessors? It’s not necessarily that they’re smarter, but they do have more and better tools to work with, and that can make a big difference. The good news is that reliance on those tools may, in some cases, make them lazy about honing the people skills that are at the heart of social engineering.
Whereas the old-time con man had to be able to quickly “read” his mark (target) and instantly adapt his approach to the victim’s personality and situation, today’s social engineer often has the target’s entire life history at his fingertips. Thanks go to all the personal information available in public records that are easily accessible on the Internet, and to social networking sites where people share the most intimate details of their lives with “friends” they’ve never met and wouldn’t recognize if they saw them on the street.
By getting to “know” a person through Facebook posts or tweets, the social engineer can construct a persona that is sure to put that person at ease. We trust people who are like us and/or who like us. Armed with the knowledge of our experiences, beliefs, and “likes,” the social engineer can convincingly pretend to fit into both categories. If we already share so many common interests and preferences and values, why not share a little more – including company information that’s supposed to remain confidential or even our login credentials – with a friend who we know would never abuse the information?
Even if you’re circumspect about what you post on social sites and so paranoid you never accept friend requests without first subjecting the potential friend to a grueling two-hour interview, the social engineer’s research skills may still give him the ammunition he needs to crack through your defenses. It’s not just personal info that’s out there; most companies have web sites that provide an amazing amount of “insider” information, such as organization charts, blogs written by high level executives and so forth from which the social engineer can cull little tidbits that allow him to realistically portray a “higher up” in the organization who has the authority to compel you to give him the information he wants.
Think you’ve been diligent in “cleaning up your act” by removing incriminating or sensitive information about yourself from the web? Don’t be so sure. Good researchers (and a truly good modern-day social engineer is by definition a good researcher) can use search-engine caches, site archives and services such as the Internet Archive’s Wayback Machine to dig up data that has since been removed from web sites. Deleting a page removes it from your server, not from the copies that were taken while it was live. Remember that what happens on the Internet stays on the Internet… sometimes forever.
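As an added example of the research step described in the last few paragraphs (it is not code from the original article), the block below shows how an investigator, or an attacker, can enumerate archived copies of a page that has been taken down, using the Internet Archive’s Wayback CDX API. The endpoint name and the JSON row layout (header row followed by one row per capture) are the Internet Archive’s documented interface; the `example.com` page, the timestamps, digests and lengths in the sample response are constructed here so the code runs offline, and the `fetch_snapshots` helper is the only part that touches the network.

```python
"""
Enumerate Wayback Machine captures of a page that has since been removed.

Added example, not part of the original article. Assumptions:
  - Wayback CDX API at https://web.archive.org/cdx/search/cdx with
    output=json returning a header row followed by capture rows.
  - Archived content is served from
    https://web.archive.org/web/<timestamp>[id_]/<original-url>, where the
    "id_" flag returns the raw archived bytes without the Wayback toolbar.
  - SAMPLE_CDX_RESPONSE below is constructed test data, not real captures.
"""
import json
import urllib.parse
import urllib.request

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_query(url, from_year=None, to_year=None, limit=50):
    """Build the CDX query URL for all successful (HTTP 200) captures of `url`."""
    params = {
        "url": url,
        "output": "json",
        "filter": "statuscode:200",
        "limit": str(limit),
    }
    if from_year is not None:
        params["from"] = str(from_year)   # inclusive lower bound, YYYY or YYYYMMDD
    if to_year is not None:
        params["to"] = str(to_year)       # inclusive upper bound
    return CDX_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_cdx_json(payload):
    """Turn the CDX JSON array-of-arrays into a list of dicts keyed by the header row."""
    rows = json.loads(payload)
    if not rows:
        return []
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def unique_versions(records):
    """Collapse captures that share a content digest; keep the earliest of each."""
    seen = {}
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        seen.setdefault(rec["digest"], rec)
    return list(seen.values())


def snapshot_urls(records, raw=True):
    """Build fetchable archive URLs for each capture record."""
    flag = "id_" if raw else ""
    return [
        f"https://web.archive.org/web/{r['timestamp']}{flag}/{r['original']}"
        for r in records
    ]


def fetch_snapshots(url, timeout=20):
    """Live lookup (network): returns parsed capture records for `url`."""
    with urllib.request.urlopen(build_cdx_query(url), timeout=timeout) as resp:
        return parse_cdx_json(resp.read().decode("utf-8"))


# Constructed sample response: a "team" page captured three times, with the
# first two captures carrying identical content (same digest).
SAMPLE_CDX_RESPONSE = json.dumps([
    ["urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length"],
    ["com,example)/about/team", "20150303120000", "http://example.com/about/team",
     "text/html", "200", "DIGEST-AAAA", "5120"],
    ["com,example)/about/team", "20160110083000", "http://example.com/about/team",
     "text/html", "200", "DIGEST-AAAA", "5120"],
    ["com,example)/about/team", "20170422151500", "http://example.com/about/team",
     "text/html", "200", "DIGEST-BBBB", "6044"],
])


def distinct_snapshots_from_sample():
    """Offline demo: distinct archived versions of the sample page, as raw-content URLs."""
    records = parse_cdx_json(SAMPLE_CDX_RESPONSE)
    return snapshot_urls(unique_versions(records))


if __name__ == "__main__":
    for u in distinct_snapshots_from_sample():
        print(u)
```

Running the module offline lists the two distinct archived versions of the sample page (the 2015 and 2017 captures), which is exactly the view an attacker wants: every version of an org chart or staff listing that ever went live, regardless of what the site shows today. The same listing is what a defender should pull when deciding whether “removed” information is actually gone.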
Of course, the cream of the crop of social engineers will have a lethal combination of skills – they are both people smart and tech savvy. This type of social engineer can pwn the world. He can, for example, spoof caller ID so that his call appears to come from a number he doesn’t control, such as your company’s help desk, in order to convince you he’s someone he isn’t. There are many ways he can use technological means to lay the groundwork for his social efforts. For instance, he might use an RFID reader to read data from your proximity badge or other cards at close range (with older low-frequency badges, often enough to clone one), which then lends credence to his claim to be from IT or from some other trusted organization or position.
In thinking about social engineers, we often focus on the “social” part because that’s what sets them apart both from other types of engineers and from other types of hackers. But let’s not forget what “engineer” really means. Some definitions given by Merriam-Webster include “one who builds complicated … systems” and “one who runs or is in charge [of an engine].” Social engineers build elaborate deceptions that allow them to take charge of and control a human interaction toward their own ends.
Not all social engineering is bad, though. There are certified professional social engineers who work in the security industry, doing human-focused penetration testing of organizations’ networks. Their job is to find the “weakest links” in the human security chain so those who are vulnerable to the social engineer’s wiles can be trained to better resist. And on a personal level, we all use a sort of social engineering all the time. Parents use social engineering techniques on their children and kids do it to their moms and dads. Teachers do it to students, doctors do it to patients, bosses do it to employees (and vice versa) and we all do it at least now and then to our spouses. Politicians do it to us all too.
Social engineering at its core is just about persuading people to do what you want them to do. Sometimes this is with the best of intentions – but sometimes it’s not. It’s important to educate computer users to recognize the signs that they’re being socially engineered, and give them clear cut policies and procedures for handling such attempts. Some of your users may not be interested in such training, or may not believe they need it. That’s where your own “white hat” social engineering skills can come in handy.