Thursday, July 21, 2011

What is social engineering?

I once asked this question to a group of security enthusiasts and I was shocked at the answers I
“Social engineering is lying to people to get information.”
“Social engineering is being a good actor.”
“Social engineering is knowing how to get stuff for free.”
Wikipedia defines it as “the act of manipulating people into performing actions or divulging
confidential information. While similar to a confidence trick or simple fraud, the term typically applies to
trickery or deception for the purpose of information gathering, fraud, or computer system access; in most
cases the attacker never comes face-to-face with the victim.”
Although it has been given a bad name by the plethora of “free pizza,” “free coffee,” and “how to pick
up chicks” sites, aspects of social engineering actually touch many parts of daily life.
Webster’s Dictionary defines social as “of or pertaining to the life, welfare, and relations of human
beings in a community.” It also defines engineering as “the art or science of making practical application
of the knowledge of pure sciences, as physics or chemistry, as in the construction of engines, bridges,
buildings, mines, ships, and chemical plants or skillful or artful contrivance; maneuvering.”
Combining those two definitions, you can easily see that social engineering is the art or, better yet,
the science, of skillfully maneuvering human beings to take action in some aspect of their lives.
This definition broadens the horizons of social engineers everywhere. Social engineering is used in
everyday life in the way children get their parents to give in to their demands. It is used in the way teachers interact with their students, in the way doctors, lawyers, or psychologists obtain information
from their patients or clients. It is definitely used in law enforcement, and in dating—it is truly used in
every human interaction from babies to politicians and everyone in between.
I like to take that definition a step further and say that a true definition of social engineering is the act
of manipulating a person to take an action that may or may not be in the “target’s” best interest. This
may include obtaining information, gaining access, or getting the target to take a certain action.
For example, doctors, psychologists, and therapists often use elements I consider social engineering
to “manipulate” their patients to take actions that are good for them, whereas a con man uses elements of
social engineering to convince his target to take actions that lead to loss for them. Even though the end
game is much different, the approach may be very much the same. A psychologist may use a series of
well-conceived questions to help a patient come to a conclusion that change is needed. Similarly, a con
man will use well-crafted questions to move his target into a vulnerable position.