Social engineering can be described as psychological hacking, through which attackers can gain information or unauthorized access by manipulating people. For example:
- Impersonation is widely used, either by phone or in person. The attacker could pretend to be a repairman to gain access to a facility or the attacker could pretend to be an employee that has forgotten his password and in order to get the IT Help Desk to reset the account to a password the attacker knows. It should be noted that not all social engineering is low-tech.
- Social engineers make use of phishing emails and trojan horses in order to gain personal information and/or login credentials. The psychological part of these technological attacks involves getting people to install the software or follow the instructions in the email.
Social engineering works because human nature is predictable.
- People want to be helpful, so they give out too much information.
- People are lazy or busy, so they do not take the time to thoroughly verify identification.
- People are focused on what they are doing, so they do not notice someone tailgating them into a building.
- People are afraid of getting in trouble, so they give information they should not to someone who appears to be in charge.
Because social engineering uses highly-successful psychological techniques, it is difficult to guard against. The most successful security measures that a company can take are creating security policies that take social engineering into account and educating all employees about both the policies and social engineering.
Security policies need to be tailored towards the individual company; however, there are some basic universal countermeasures that can be adopted.
- Sensitive information must never be provided to anyone whose identity is not verified.
- Passwords or other credentials must never be reset/reissued unless the employee can prove his or her identity.
- Anti-malware software must be installed on all computers to help prevent technologically-based social engineering attacks.
- Incident management procedures must be clearly documented so that security personnel can react appropriately if there is a successful or unsuccessful attack.
- Policies must very clearly state that employees are never to give their credentials (e.g., password, smart card, ID badge) to anyone for any reason.
Once the policies are in place, employees must be educated about the policies and the reasons behind them. They must also have clear instructions for reporting suspicious behavior or events. This training should be conducted regularly, to help keep employees alert and up to date on new procedures.