Basics of social engineering

Social engineering is a technique that an attacker or penetration tester uses to convince a person to reveal sensitive (confidential) information. Social engineering can be performed against the corporate help desk, administrative team, IT staff, executive team, and so on. Any employee with access to valuable corporate information is a prime target; the challenge is to manipulate the victim into believing everything you are saying and to gain their trust. Once the victim's trust has been obtained, the next stage is to exploit it.

The following are the various ways in which social engineering can greatly impact an organization:

  • Loss of revenue due to the exposure of confidential information, which leads to customers losing trust in the company.
  • Loss of privacy, since stolen corporate data may be leaked online.
  • Lawsuits and arbitration arising from breaches of corporate policy.

The following are the pillars on which social engineering is built:

  • Human trust is an essential component of all social engineering attacks.
  • An attacker (social engineer) usually asks for some sort of help or assistance, and the victim tends to comply out of goodwill and sometimes out of a sense of moral obligation.
  • Lack of security awareness training for employees makes the company an easier target.

Implementing security policies is definitely good practice to ensure the safety of all corporate assets and employees. However, security policies are not always effective in preventing a social engineering attack. Let's imagine that a penetration tester calls the help desk of an organization, pretending to be one of the senior managers and requesting a password change for their corporate user account. The help desk staff may not ask the caller for any further proof of identity; they may simply perform the reset and read the new password out over the phone. The attacker can now use these credentials to gain access to email accounts and, from there, to the rest of the corporate network.
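The help-desk scenario above, turned into an added example (this is illustrative code written for this page, not code from the book): a reset-request handler that refuses to act on the caller's claim alone, pushes a one-time code to the phone number held in the identity directory, and delivers the temporary password over that same registered channel rather than over the inbound call. The directory entries, phone numbers, the `send_code`/`deliver_temp_password` callbacks and the `run_scenario` helper are all constructed assumptions; a real deployment would look the account up in the corporate directory and send the code through the organization's own SMS or authenticator channel.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class DirectoryEntry:
    username: str
    registered_phone: str  # callback number on file; the inbound caller ID is never trusted
    manager: str

# Constructed sample identity directory (assumption: the real one would be AD/LDAP).
DIRECTORY = {
    "jsmith": DirectoryEntry("jsmith", "+1-555-0100", "cwong"),
    "cwong": DirectoryEntry("cwong", "+1-555-0101", "board"),
}

@dataclass
class ResetSession:
    claimed_username: str
    inbound_caller_id: str
    audit: List[str] = field(default_factory=list)
    pending_code: Optional[str] = None
    verified: bool = False

def open_reset_request(claimed_username: str, inbound_caller_id: str,
                       send_code: Callable[[str, str], None]) -> ResetSession:
    """Stage 1: never act on the caller's claim. Look the account up and push a
    one-time code to the callback number on file; the caller's own details are
    recorded only for the audit trail."""
    session = ResetSession(claimed_username, inbound_caller_id)
    entry = DIRECTORY.get(claimed_username)
    if entry is None:
        session.audit.append(f"DENY unknown account {claimed_username!r} from {inbound_caller_id}")
        return session
    if inbound_caller_id != entry.registered_phone:
        # Caller ID is spoofable, so a mismatch is logged but is not itself proof either way.
        session.audit.append("NOTE inbound caller ID does not match directory; verifying by callback")
    code = f"{secrets.randbelow(10**6):06d}"
    session.pending_code = code
    send_code(entry.registered_phone, code)  # out-of-band delivery to the registered device
    session.audit.append(f"CODE sent to registered phone for {claimed_username}")
    return session

def confirm_reset(session: ResetSession, code_from_caller: str,
                  deliver_temp_password: Callable[[str, str], None]) -> bool:
    """Stage 2: the caller must read back the code that only the real user's
    phone received. On success the temporary password also goes to the
    registered channel, never to the caller over the help-desk call."""
    if session.pending_code is None:
        session.audit.append("DENY no verification in progress")
        return False
    if not hmac.compare_digest(session.pending_code, code_from_caller):
        session.audit.append(f"DENY wrong code for {session.claimed_username}; escalate to security team")
        session.pending_code = None
        return False
    entry = DIRECTORY[session.claimed_username]
    deliver_temp_password(entry.registered_phone, secrets.token_urlsafe(12))
    session.verified = True
    session.pending_code = None
    session.audit.append(f"RESET {session.claimed_username}: temp password sent out of band; change at next login")
    return True

def run_scenario(claimed_user: str, caller_id: str, caller_controls_phone: bool):
    """Simulate one call. `caller_controls_phone` models whether the caller holds
    the registered device (the real user) or only knows names and titles (a pretexter).
    Returns (reset_performed, audit_lines)."""
    received = {}
    session = open_reset_request(claimed_user, caller_id, lambda phone, code: received.__setitem__(phone, code))
    if session.pending_code is None:
        return False, session.audit
    entry = DIRECTORY[claimed_user]
    # The legitimate user reads the code off their phone; an impersonator can only guess.
    answer = received[entry.registered_phone] if caller_controls_phone else "no-code"
    ok = confirm_reset(session, answer, lambda phone, pw: None)
    return ok, session.audit

if __name__ == "__main__":
    for line in run_scenario("cwong", "+1-555-0999", False)[1]:
        print(line)
```

The two points the example makes are that the help desk never learns or speaks the new password, and that every denied attempt leaves a "DENY" line that a security team can review for pretexting campaigns against particular accounts.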

There is no way to guarantee complete protection from social engineering attacks, since no security software or hardware is able to fully defend against them.

In the next section, we will discuss the different types of social engineering attacks.
