Social engineering: Mitigating a stealthy risk


By Jos Maas

Can an organisation be victimised by social engineering? And if so, what can that organisation do about it? Social engineering is everywhere and is used constantly by everybody, mostly in a quiet, harmless manner that is not intended to harm an organisation or person. However, these same skills are increasingly used by professionals for criminal activities.

Social engineering is hard to detect if you are not trained. This article explains proactive security and how you can use it to recognise and, more importantly, prevent a social engineering attack.

What is social engineering?

Before I explain proactive security, it is important to understand social engineering in the context of information security. The term refers to the psychological manipulation of people into performing actions or divulging confidential information: a type of confidence trick carried out for the purpose of information gathering, fraud, or system access. It differs from a traditional ‘con’ in that it is often one of many steps in a more complex scheme.

Techniques and terms related to physical security

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases are exploited in various combinations to create attack techniques. Three of them are listed here:

1. Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. An elaborate lie, it most often involves some prior research or set-up and the use of this information for impersonation to establish legitimacy in the mind of the target. This impersonation can be to act like a doctor, new co-worker, lost patient, etc.

This technique can be used to fool a security guard or staff member into disclosing information about areas of interest, security measures, authorisation levels and other information to gain access to highly attractive areas.

Examples of highly attractive areas include, but are not limited to, the patient administration/archives, maternity unit, medical supply areas, IT department/areas, logistics and the financial department.

The information can then be used to establish even greater legitimacy under tougher questioning when accessing one of these targeted areas of high risk and/or attractiveness.

Pretexting can also be used to impersonate co-workers, security police, a bank, a supplier, tax authorities, clergy, insurance investigators – or any other individual who could have perceived authority or a right-to-know in the mind of the targeted victim.

The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one’s feet to create a pretextual scenario.

2. Diversion theft