- 21 Eki 2015
- 477
- 1
Social Engineering Defined And How It's Used
When you navigate on the net and hit a Google search with the terms "social engineering definition", there are countless pages returned, some of which are plagiarized, and others provide Its meaning In their very own wording. Or do they In fact define It In Its entirety? For the most part, no! Check It out for yourself, and you'll find that the majority of online sources say something (not verbatim) along the lines of: "A technique to grab confidential Information, and/or Infect a computer with malware to gain unauthorized access". Whilst this Is certainly true, It barely covers the basics of what social engineering entails as a whole.
I've been SEing for over 30 years and to this day, I'm at a loss as to how major security firms fail to understand precisely what's Involved In the art of human hacking. For Instance, Webroot who's been around since the late 90s, says: "Social engineering Is the art of manipulating people so they give up confidential Information". Really? Is that all there Is to It? Moreover, Kaspersky explains It In a similar fashion, with the addition of: "To lure unsuspecting users Into exposing data, spreading malware Infections, or giving access to restricted systems". Do they honestly believe that social engineering Is solely relative to this alone? Enough said. Allow me to explain It to you In the next topic.
The 'True Meaning' Of Social Engineering:
It's all the above pertaining to online sources failing to get It right, Inclusive of Webroot and Kaspersky, that's prompted me to write this article on "The true meaning of social engineering", namely to give you a very good understanding on exactly what It Involves and how It's used. My definition Is: "Social engineering Is manipulating the person or entity on the other end Into doing something they're not supposed to do". When you think about It, It's really as simple as that.
Whether It be obtaining confidential Information by deceiving the store manager Into giving up an employee's date of birth, refunding a cell phone from Amazon by manipulating the representative and claiming that you didn't receive It, or simply pretending to be a cleaner by getting an employee to hold the security entry door open for you, thereby gaining unauthorized access to a restricted building- they're all relative to one thing, "social engineering". That Is, "manipulating" the person on the other end to achieve your objective.
The "result" of your social engineering attack, Is of no relevance. It's the "method" that's used to achieve the result, that's classed as social engineering. And the "method" Is the "manipulation". It doesn't matter "what your goal Is", but what does matter Is "how you achieve It". And It's this that gives social engineering Its name! To give you a general Idea on the "manipulation" side of SEing to ultimately get what you're after, I'll demonstrate a couple of social engineering examples In point form.
Example One- Obtaining A Free Cell Phone:
In this example, we'll be social engineering a cell phone from an online company, by manipulating the representative to Issue a full refund. It doesn't matter whether the company Is on a large scale with 10,000 employees, or a family business of 5 staff members- they're all vulnerable to human exploitation. Here's how It works.
You've contacted the company saying you've received the package but the device Is defective. Obviously It Isn't, but that's the excuse you're using to social engineer them.
After going through a few troubleshooting steps and you've told them the phone Is still not functioning, the representative has asked you to send It back for a full refund.
Instead of sending the phone, you've placed dry Ice In the box that matches the Item's weight. This gives the Impression as though the phone Is enclosed In the box.
You have also made a slight tear at the bottom of the package, just enough to match the size of the phone, and sealed It with different colored tape.
The package Is then sent and by the time they have received It, the dry Ice has sublimated and the tear on the package Is consistent with the phone being stolen during transit.
As such, they've cross-checked with the carrier and after a few Investigations, are satisfied that the phone was stolen. You have been Issued a full refund thereafter.
You now have a brand new cell phone and a refund, which means you didn't pay a single dime for the phone.
See how the "method" was used to achieve the successful outcome? It tampered with the packaging, hence manipulated the person on the other end Into doing something they were not supposed to do- and that was to provide a full refund for the cell phone. You now have the device plus your money back, ultimately resulting In a free phone! Let's checkout another example as per below.
Example Two- Gain Unauthorized Access To A Restricted Building:
You've researched the company for an entire week, by sitting In your car and taking note of how employees are dressed and how they enter the building through the main entrance.
You've noticed that there's a coded-entry system and the only way In, Is by punching an access code Into the keypad. Obviously you don't have a code.
During your observation over the entire week, you've Identified that every employee starts work at precisely 9:00 am.
It's around 8:05 am on a Monday morning and you're going to perform your SE, by pretending to be a part of the company's workforce.
Given you're aware of the office staff's attire, you've dressed accordingly In a suit and tie, picked up your briefcase and drove to the premises.
All of a sudden, there's a perfect opportunity to hit your SE- a group of 10 employees are making their way to the entrance.
You decide to join the group, and pretend to be on your cell phone with someone discussing a particular business report.
As one employee enters their PIN code In the keypad of the entry door, you politely ask If he can hold It open for you.
Due to your pleasant manner, and you're dressed to fit the nature of the workforce, the employee gladly obliges.
You've now gained access to the building, and have an array of opportunities to do as you please.
As with the first example above, you can clearly see how your "method" (by dressing appropriately) was used to manipulate the employee (by having your hands full) to do something that he was not supposed to do. And that was to allow you access to a restricted building.
In Conclusion:
So now you're fully aware, that social engineering Is all about the "method used" to manipulate a given person/entity Into performing an action that they're not supposed to do- no matter what the end result may be. In both of the above examples, the "Intention of the SE", Is completely different- one Is to obtain a free cell phone and the other Is to gain unauthorized access to the building. Each objective, regardless of Its difference, succeeded due to the "method used". Of course, In the last example, "research" also played a significant role to formulate the method effectively.
Excerpted
