Learn in-depth information about social engineering techniques and countermeasures in the course Certified Ethical Hacker: Social Engineering, available as a stand alone download or with your INE All Access Pass!
Not Like in Hollywood
When we think of hacking, we often picture a grim fellow opening a laptop, typing really fast and bam! he’s infiltrated the Pentagon. Watching those films when you know one or two things about system and network security is a hilarious experience! If you have been following the Certified Ethical Hacker series, you would know better by now. Hacking is not for the faint-hearted, not just because of the technical difficulty (indeed there are several needed skills to be developed), but because of the resilience needed. I’m talking about the fact that a successful hack comes after many failed attempts in most scenarios.
Because hacking into systems as an outsider is so difficult there’s a key toolkit that every hacker needs to master as much as they master sniffing, session hijacking, application hacking, or any other technical specialty- I’m talking about Social Engineering.
It's a Dark World
A highly empathetic person might have a hard time with the concept of Social Engineering. It’s pretty much abou abusing people’s trust and weaknesses, but if you think about it, a certain degree of empathy paired with a cold stomach might as well do the trick. The fact is, systems and their security will continue to evolve, but humans are still humans. From the old times when con artists would sell colored water at a fair claiming miraculous powers, to our modern social engineers convincing people to “download a security application,” few things have changed when it comes to human mind manipulation.
Statistics are shocking proof of this: more than 90% of total email traffic is malicious. According to TrendMicro 91% of successful breaches started with a “spear phishing” attack. In a study conducted by Frierich-Alexander University 78% participants clicked on a malicious link even though they knew about the risks of clicking on an unknown link sent via email.
Think about it, if you want to get into a network why spend countless hours building your penetration strategy entirely from the outside rather than grabbing the “low-hanging fruit?” The saddest thing is, people are the low-hanging fruit because of emotional factors such as: empathy, fear, laziness and insecurity. What makes us human also makes us vulnerable.
Because of the above facts, I’ve known hackers who spend a good amount of their time (myself included) reading psychology books to understand the human mind. This is an effort worth your time and something recommended to all security professionals.
No Patch Has Been Made For The Human Mind, but Impact Can Be Minimized
There’s no real “patch” to guard people’s minds from attackers, but there are ways to minimize the risk. These ways encompass technical controls, policy controls and user awareness training. However, it goes without saying that even after investing in all of this, an organization concerned with their security needs to have proactive monitoring of their systems and network, and a good incident response strategy. If you’re a valuable target, chances are you’ll be Socially Engineered.