Introduction
This chapter has the sole aim of introducing the reader to the concept of social engineering. There are various definitions, some vague and others precise, and these will be discussed in order to explain what the concept of social engineering is really about. Everyday examples will be used to show the reader the various forms of social engineering used, highlighting how such techniques are not necessarily confined to the realm of criminal activity.
To further understand the social engineering concept, this chapter will then discuss some of the excellent examples from various movies. With the assistance of poetic license, writers have been able to create wonderful examples of how social engineering could potentially be used. Although these examples are of course fictitious, they are in fact based on very real techniques, providing criminal minds with inspiration as well as providing entertainment.
Certain individuals have pioneered social engineering techniques, resulting in some being made famous and others fairly notorious. The exploits of both historical and modern day social engineers, such as Kevin Mitnick and Frank Abagnale, will be covered. This will demonstrate how single individuals have used these techniques to achieve extraordinary breaches of seemingly robust security.
This chapter will conclude by focusing on the negative side of social engineering and how it has been used to commit crime. The various attacks discussed demonstrate the true reality of the situation: Social engineering attacks are routinely being used by organized criminal groups and they are a highly effective means of assault.
Defining social engineering
Social engineering has many definitions depending on which book you read or to whom you speak. The Oxford dictionary defines it as:
The application of sociological principles to specific social problems…
Despite being partially relevant, in truth it falls far short of accurately describing what “real world” social engineering truly is.
Another possible definition of social engineering might be:
The art of intentionally manipulating behaviour using specially crafted communication techniques.
This definition reduces social engineering down to the absolute basics of leveraging communication in all its possible manifestations with the objective of exploiting the human factor. Therefore, where there is interaction there is always the capacity and potential for social engineering. The most fundamental example of this would be the act of lying. Although the historical roots of individuals committing immoral acts is beyond the scope of this book, it is important to note that social engineering is as old as communication itself.
The SANS Institute’s definition1 provides an alternative explanation, which is certainly closer to the mark with:
Social engineering is the ‘art’ of utilizing human behavior to breach security without the participant (or victim) even realizing that they have been manipulated.
The important part of this definition is the context within which the concept is applied. You could define social engineering as the techniques used to elicit information or manipulate behavior but that doesn’t do it justice in the context of information security, which is the focus of this book. When it comes to securing your business’ sensitive information social engineering then becomes:
The art of eliciting sensitive information and/or manipulating individuals into performing actions that may result in a security breach.
You could argue that eliciting sensitive information is in itself a security breach, but what is meant in this definition are breaches of network or physical security or indeed both. This definition and the context of business information security is the basis for all information within this book.
Considering the use of the word “art” in the previous definition, is social engineering regarded as an art form? The authors of this book believe the answer to that must be yes. Social engineering is not an exact science, often involving the application of very creative thinking. This book aims to present very logical and structured models to aid in social engineering assessments, however, it does not mean that social engineering can be completely reduced to an absolute “if A set of actions then B.” The models presented in this book help to ensure value for the client through accurate and thorough assessments. However, once these models have been followed the social engineer can apply all manner of creative spins on the scenarios, providing of course that they don’t then contradict the advice of the models used in the first place.
The various social engineering techniques aim to exploit vulnerabilities in human nature rather than those of a computer system. The terms, “human hacking” and “hacking wetware” have been used in obscure security articles and some “cyberpunk” inspired novels to describe social engineering methods. A typical social engineer may use myriad psychological techniques to manipulate their target, these can range from leveraging emotional states through to clever sentence structure and personality profiling. The techniques used vary greatly and so social engineering can be thought of as an eclectic collection of manipulation techniques. However, it is not just limited to psychological trickery. Social engineers may use props and disguises and even go to the great lengths of creating entire scenarios involving many different stages to achieve their objectives. The techniques can also be applied to other platforms such as telephone calls or e-mail, not just face-to-face encounters.
Arguably one of the finest examples of individuals that engage in social engineering techniques are successful sales persons. The average sales person has one simple objective: to sell their service or product to their client. In order to do this the sales person will not simply ask the client if they would like to buy, but rather leverage every possible available technique to influence the client’s decision. A very simplistic example would be the use of open rather than closed questions. A closed question can be answered with a simple “Yes” or “No” whereas an open question requires a lengthier, often less absolute answer. For example, the sales person may say:
“So how many would you like to buy?” rather than “Would you like to buy it?”, or “How can I help you?” rather than, “Can I help you?”
There are even various sales models and methodologies focused simply on overcoming client objections to successfully close a sale. However, the parallels between successful social engineers and successful salesmen go far beyond the standard sales process.
The very best salesmen will research their potential client, perhaps simply to find something they have in common to talk about. Mentioning your latest golf exploits at the end of the meeting may well gain favor with a client that has a keen interest in the sport. Some sales persons may take this even further by actually profiling their client, reading any available information associated with the subject to provide a better “sales pitch.” This initial reconnaissance is mirrored in the first stages of a social engineering attack with the target company and the staff research. Social engineers will harvest as much information as they can to increase the chances of perpetrating a successful attack. Consequently, both salesmen and social engineers will take full advantage of getting to know their targets very well.
Additionally social engineers may try to impersonate individuals to elicit sensitive information from their targets. Similarly, the successful sales person may also try impersonation in an attempt to gain a foothold for the sales process. For example, impersonating staff members simply to get a direct telephone number to a particular department or specific staff member or to elicit information on competing sales companies. Social engineers will contact the target company to elicit similar information to aid in further attacks. The only difference is the ultimate objective with the salesman wanting a sale and the social engineer wanting to gain access to sensitive information or to gain information they can use to attack the company in some other way.
Therefore it can be said that salesmen make the best social engineers, with their natural confidence, positive attitude, and experience of effective influencing techniques. Their sole purpose is to sell you a concept or an idea. However, when that concept changes from buying something to giving up your password, you’d best be on your guard, buyers beware!
There are a plethora of individuals in everyday life that use social engineering techniques, not just clever sales persons. In fact you may have used the techniques many times yourself, perhaps to convince a friend to do something or prise some snippet of information out of a colleague. Indeed numerous agencies, departments, organizations or groups are known to employ such techniques as part and parcel of their standard “trade craft.” For example:
• Law enforcement agencies, in order to draw information out of alleged criminal suspects
• Private investigators, to elicit information
• Lawyers, when questioning the witness
• Grifters and Hustlers, when tricking their mark
• even children, when trying to manipulate their parents
• organized criminals when attacking businesses.