Social engineering describes the process by which an attacker gains access to a facility or system by manipulating someone to grant them access they shouldn’t have in the first place.
When speaking of social engineering, there are many examples you are familiar with in the wild… the presidential election in 2016 for instance was manipulated by a foreign power. The encounters in the field are almost infinite.
That being said, social engineering is probably the gravest threat to your organisation.
When an attacker wants access to your stuff they will make use of that as a last resort. Systems today are so well protected that getting in through the “front door” is often more complex than gaining access to a building or facility just by going there, and making the door man believe the work for the telecommunications company and are here on a maintenance contract. Yes, the attacker will wear the proper attire and have the necessary documents with them… only they are forged.
Above is probably a very good visual of a seemingly harmless incident of social engineering… but where is the telco guy going to go now that he has passed the door man? Well, to the most sensitive parts of the building or course, where you’re IT is housed… and the attacker will be so convincing towards the doorman that he will probably show him the way to that are of your building, and most likely even unlock the room for them.
If you don’t know the concept of social engineering, here is a visual: a few years back I was invited to monitor an incident at a university.
The young man in his early 30s and heard the University on a Friday afternoon and went directly to the secretary‘s desk. He had previously scouted out that all other personnel would have left at that time; including the system administrators.
He was able to produce all necessary paperwork, and was dressed appropriately even wearing a jacket with a renowned computer logo on the front and back
The secretary didn’t know any better, and how could she? Since the paperwork checked out, despite the fact that it was altogether fraudulent, she sent him to the server room and even unlocked the door for him.
Her office was a little bit off from the main Corridor so she didn’t notice when over a period of approximately two hours he manage to clean out the server room of pretty much every piece of equipment that was hooked up to the universities network.
It took until Sunday of that weekend until a professor noticed that he wasn’t getting any emails sent, and couldn’t receive any emails either.
He then contacted the universities system administrator through his private telephone line with an attempted to remotely connect to the Universities network, which obviously failed.
Both the professor and the administrator met at the universities main building, and entered the server room to find it empty.
The thief had even taken every single patch cable.
You see, social engineering, and the consequences thereof, may not be underrated in your risk management strategy; particularly the risk involved in cyber.