Social engineering is normally a low-tech attack carried out by a confident attacker who relies on social skills rather than technical ones. Whereas hackers normally go after technology, social engineering goes after people (staff). It is normally delivered by one of the following:
- Letter
- Phone
- In person
Most attacks and malware go after technology and can, to some extent, be stopped with antivirus scanners, firewalls and encryption. Many companies spend a considerable amount on the digital equivalent of ten-foot security fences, including biometrics, firewalls, antivirus scanners and encryption, but fail where it matters most: human error. Paradoxically, advanced security software can often lead to a lax attitude towards security among staff, and, as the old maxim goes, 'security is only as strong as its weakest link'.
How can it be prevented?
Mainly through employee IT security-awareness training which teaches staff to question, slow down and identify the caller or visitor before acting. The key check is to verify identity through a channel the organisation already trusts (for example, calling back on a number from the internal directory rather than one the caller supplies, or checking a visitor against an expected-visitors list) instead of relying on how confident or plausible the person seems.
Real life story
This happened in 2011 at a private running club in London. It may seem minor, but change the setting and the same technique could be used against a business.
- At 18:00 two runners are seen approaching the club
- As you would expect, they were dressed in t-shirts, shorts and trainers
- Both entered the club's car park
- They rang the bell since they didn’t know the door-code
- The door was opened and they both went straight into the changing rooms
- Two minutes later they left the running club with bags
- One member of the club didn't recognise them, followed them and noted the car's registration number
In hindsight, the warning signs were all there:
- They arrived at 18:00: why at that time?
- It was summer, so why were they not sweating after a run?
- If they were members, why didn't they know the door-code?
- If they were members, why did they not shower or stay longer?
- If they were strangers, why were they let in?