What is Social engineering meaning - Social engineering Definition

  Social engineering meaning  


Definition

Social engineering is the ability to acquire confidential information about a system after establishing trust with an insider.

It is more a human skill than a computer technology, and it is more of an art than a science. People who are very good at manipulating others usually succeed in social engineering. Hackers use this device to establish relationships with the people who have access to confidential information.

⮚ Social engineering is one of the most common security threats because it is relatively easy to employ. At the same time, it is considered a low technology break-in tool. By low technology, I mean that social engineering uses just the basic tools to hack into a system, rather than any computing skills.

⮚ Social engineering uses principles such as trust, respect, fear, and greed to set a trap to manipulate people who have system access privileges. People who employ social engineering skills always remain undercover, so they are very difficult to identify. A successful social engineer is a smooth operator who obtains the desired system access without raising suspicion.

⮚ Social engineering works in most cases because it is a human trait to trust other people. Human beings are the most vulnerable components of any security model. No matter how secure the system is, this security is compromised if a user is tricked into giving up the password.

⮚ A skilled hacker knows that humans are the weakest link within a security model. Hackers try to use their social engineering skills before employing any other methods of attack on a system. Social engineering is a skill that is hard to gain; once mastered, though, its ill effects are almost impossible to counter with any security strategy.

There are two common types of social engineering: human-based and computer-based.

◆ Human-based social engineering refers to a direct person-to-person interaction.

◆ Computer-based social engineering refers to using a computer to retrieve the desired information.

Human-Based Social Engineering

There are different types of human-based social engineering skills, including:

❖ In-person - An in-person hack occurs when a social engineer physically enters or uses the system. For example, a social engineer might enter the premises of the organization as a guest or as marketing personnel. Then, he or she might try to sell a service or pretend to meet an employee of the organization. Once the social engineer gains access to the premises, he or she might try to move around the work desks or the cubicles where people work to gain access to information or eavesdrop on employee conversations to obtain relevant information. Social engineers can also use other devices, such as microphones, to overhear conversations.

❖ Dumpster diving - Dumpster diving is a process in which a social engineer goes through an organization’s trash to find valuable information. Dumpster diving usually works because many businesses forget to destroy valuable information before throwing it in the trash. Notes, confidential mail, and important files might be available in the trash.

❖ Third-party authorization - A social engineer might obtain relevant information about an important member within an organization using in-person or dumpster diving techniques. Once the social engineer gains such information, he or she can manipulate other people in the organization to share key information. For example, a social engineer might obtain information about the vice president of a company and then call help-desk personnel to request access to sensitive information, claiming that the vice president has authorized him to obtain the information. This usually works if the social engineer is effective in manipulating and playing on people’s psychology or when the vice president is not around.

❖ Impersonation - Impersonation is more advanced than third-party authorization. Using this skill, a social engineer gains details about an employee in an organization. Once the social engineer obtains the necessary details, he or she impersonates that employee by calling the help desk or another employee to obtain sensitive information. Impersonation requires greater skill than third-party authorization.

❖ Technical support - A social engineer might routinely check on the employees of a given organization by stating that he is from the organization’s technical support group. This way, the social engineer gains access to the sensitive information of the organization one step at a time. The social engineer might not obtain all of the information within one call, but he or she definitely plans to obtain the necessary information in a limited number of calls.

❖ Shoulder surfing - Shoulder surfing is a continuation of the in-person technique. After gaining access to the organization’s premises, the social engineer tries to look over people’s shoulders when they are entering sensitive information, such as a password, on a computer.

Computer-Based Social Engineering

There are different types of computer-based social engineering skills, some of which include:

❖ Using Web Sites - A social engineer might set up a Web site through which he or she might claim to offer cash prizes or sweepstakes. In this situation, people would have to participate in events that are sponsored through the Web site to win. Many such events require an e-mail address (as a user name) and a password. Unfortunately, many people use a single password for multiple accounts because it is easy to remember. The hacker knows that the person who wants to participate in the sweepstakes will probably use the same password that he uses to access the network in his organization. Using this technique, the social engineer can gain access to many passwords without any effort.

❖ Using e-mail attachments - An e-mail attachment is another computer-based technique hackers employ to obtain information. E-mail attachments often contain viruses that affect a system. The infected system might send back sensitive information to the social engineer, who in turn might send an e-mail with a catchy or relevant subject line. This increases the probability that the recipient will open the e-mail attachment, which will activate the virus and infect the system. Some examples of such viruses are the I Love You virus and Anna Kournikova virus.

❖ Using Pop-Ups - A pop-up window is another computer-based social engineering skill that a hacker might use to obtain sensitive information. For example, a pop-up might appear while you are on the Internet, stating that the connection to the network has been lost. The pop-up might suggest that you have to enter your user name and password to reconnect. If you do so, the information is sent back to the social engineer.
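
For the e-mail attachment technique above, a mail gateway can flag the file names before a user ever sees them: both viruses named there arrived as a .vbs script whose name carried a harmless-looking extension in front of the real one. The following Python sketch is an added example, not part of the original article; the extension lists, the function names and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed lists: extensions Windows runs on double-click, and common decoys.
RISKY = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".scr",
         ".bat", ".cmd", ".pif", ".com", ".lnk"}
DECOY = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
         ".xls", ".xlsx"}

def classify_filename(filename):
    """Return 'double-extension', 'risky-extension' or None."""
    suffixes = [s.lower() for s in PurePosixPath(filename.strip()).suffixes]
    if not suffixes or suffixes[-1] not in RISKY:
        return None
    # A decoy directly before the real extension is the masquerading pattern.
    if len(suffixes) >= 2 and suffixes[-2] in DECOY:
        return "double-extension"
    return "risky-extension"

def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list (filename, verdict) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed sample message with placeholder attachment bytes."""
    msg = EmailMessage()
    msg["Subject"] = "Your photo"
    msg.set_content("Please see the attached picture.")
    for name in ("holiday-photo.jpg.vbs", "agenda.v2.pdf", "setup.exe"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict}: {name}")
```

A file-name check only catches the masquerading pattern; it complements content scanning of the attachment rather than replacing it.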