Social Engineering Awareness

Dan earned his CompTIA (CIOS) certification in 2010 and worked in the computer repair/networking industry for several years.

You might not realize that the person probing your computer or network could be a frequent customer or acquaintance. Not all of them are bad, but reconnaissance carried out by malicious people hiding in plain sight is often where an illegal hack begins.

Illegal computer hacking quite often does not require knowledge of the inner workings of computers. Information relevant to a successful hack can be gleaned by walking into a business, looking around at notes, and speaking to employees in casual conversation; this is typically known as infiltration. Names, job titles, phone numbers, and anything else that might help imitate an employee can be used in the next step.

Phishing, a tactic carried out through fraudulent e-mails, telephone calls, private messages, or text messages, is another way cybercriminals extract basic and even private information from computer users. In a phishing attack, users are tricked into believing that the person contacting them is trustworthy. Phony technical support e-mails, for instance, can lead users to divulge private information or hand over credit card details.

The following examples are not necessarily cut and dried, although there are times they've been carried out exactly as described. Infiltration alone can be enough to obtain illegal access to a system without any phishing, and phishing can be enough without infiltration. Other times, the two are combined.

Deploying the Hack

  • Information gathered in an infiltration effort can be used in various ways. Armed with the names of employees and help desk assistants, for instance, a hacker can call in imitating an employee and ask the help desk clerk to change that employee's login password. The impostor then receives the new password over the phone and gains access to the targeted system.

    The help desk clerk might even get tricked into changing and giving away an administrator password while the perpetrator imitates an administrator—allowing privilege escalation on a number of user accounts. Why get access to only one employee's computer when an opportunity exists to change access controls across the board, obtaining access to all users' data?

  • Another method a perpetrator can use while armed with basic employee information is to call in imitating actual IT support. The perpetrator can then trick the user into downloading and installing a malicious software program, one not even written by the perpetrator.

    Computer programmers design malicious software packages and sell them on underground markets. Sometimes the software is built to exploit a known vulnerability and sometimes it is customized to a buyer's needs. A cybercriminal needs no knowledge of how the malware works under the hood, only how to install and use it, just like any other program. Once the user on the other end of the phone has been convinced to install it, under the illusion that a problem is being fixed, the hacker has access.

  • Sometimes phishing attacks aren't aimed at anyone specific. By contrast, in a spear-phishing attack the perpetrator targets particular computer users, using information obtained through infiltration or by digging through trash cans left outside.

    A technician brought in for a company network expansion or project can gather a great deal of information from day-to-day project tasks and from waste bins containing sensitive documents. Once enough information has been gleaned, he can contact one of the employees while imitating a trusted source and attempt to learn more or achieve the final goal.

Forming Security Policies

Technically, any system can be hacked, so there is always room for improvement in security. With regard to social engineering, however, employee education helps the most.

Have a plan so that your employees are not duped when contacted by personnel from outside the company. The best antivirus software and password policies will not protect a company from gullible employees tricked into giving away sensitive information.
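One concrete form such a plan can take, added here as an example rather than anything from the original article: a help desk reset policy that never resets a password on a caller's say-so, but requires a callback to the number already on file and, for privileged accounts, a ticket from a second approver. The directory entries, phone numbers and ticket id below are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed employee directory. The number on file is what the help desk
# dials back; the number the caller offers during the call is never trusted.
DIRECTORY = {
    "jdoe": {"phone_on_file": "+1-555-0100", "privileged": False},
    "admin.ops": {"phone_on_file": "+1-555-0199", "privileged": True},
}

@dataclass
class ResetRequest:
    username: str              # account the caller wants reset
    caller_phone: str          # number the caller asked to be called back on
    callback_completed: bool   # help desk hung up and dialled the number on file
    approver_ticket: str = ""  # change ticket from a second approver (privileged only)

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # every refusal is logged with a reason

def evaluate_reset(req: ResetRequest) -> Decision:
    """Apply the reset policy to one request and explain any refusal."""
    entry = DIRECTORY.get(req.username)
    if entry is None:
        # A name harvested during reconnaissance may not map to a real account.
        return Decision(False, ["unknown account"])
    decision = Decision(allowed=True)
    if req.caller_phone != entry["phone_on_file"]:
        decision.allowed = False
        decision.reasons.append("callback number does not match number on file")
    if not req.callback_completed:
        decision.allowed = False
        decision.reasons.append("identity not confirmed by callback to number on file")
    if entry["privileged"] and not req.approver_ticket:
        decision.allowed = False
        decision.reasons.append("privileged account requires a second approver's ticket")
    return decision

if __name__ == "__main__":
    # An impostor who knows the username but supplies their own number is refused.
    print(evaluate_reset(ResetRequest("jdoe", "+1-555-0142", False)))
```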

A thorough, professional audit of a computer network's overall security might not fit the budget of a cash-strapped organization. Alternatives do exist, however, such as do-it-yourself computer security books and internet tutorials.

It's not rocket science, but learning about the non-technical side of security can go a long way. Be careful whom you trust, and be careful what you click!

This content reflects the personal opinions of the author. It is accurate and true to the best of the author’s knowledge and should not be substituted for impartial fact or advice in legal, political, or personal matters.

© 2021 Dan Martino
