2.1 Definition
The term “social engineering” as it pertains to computer and network security is not new—it has been around since at least 1995 when Al Berg used it in his article “Cracking a Social Engineer” in LAN Times—but it has not yet made its way into all standard dictionaries. The 2015 editions of the Merriam-Webster, Random House, and Cambridge Free English dictionaries only define social engineering in terms of the social or political sciences, not security. Among the information security community, however, social engineering refers to “the practice of fooling someone into giving up something they wouldn’t otherwise surrender through the use of psychological tricks” (Vacca & Curry, 2013). Curry goes on to state that social engineers “rely on the normal behavior of people presented with data or a social situation to respond in a predictable, human way” and explains that this kind of attack relies on “presenting trusted logos and a context that seems normal but is in fact designed to create a vulnerability that the social engineer can exploit” (Vacca & Curry, 2013).
In his book Ghost in the Wires about his exploits as a hacker, Kevin Mitnick defines social engineering as “the casual or calculated manipulation of people to influence them to do things they would not ordinarily do” (Mitnick & Simon, 2011). He gives a clear example of a typical method of obtaining unauthorized information as a part of his breaking into U.S. Leasing’s computer network:
I would call the company I’d targeted, ask for their computer room, make sure I was talking to a system administrator, and tell him, “This is [whatever fictitious name popped into my head at that moment], from DEC support. We’ve discovered a catastrophic bug in your version of RSTS/E. You could lose data.” This is a very powerful social-engineering technique, because the fear of losing data is so great that most people won’t hesitate to cooperate. (Mitnick & Simon, 2011)
Accurate as this example is, it depicts only one aspect of social engineering: pretexting—setting the conditions (a story, subtle or explicit clues, name-dropping, internal buzz-words and terminology, etc.) for a victim to believe that the attacker comes from a legitimate background. The other forms of attack that fall under the classification of social engineering, with the definitions put forward in this article, are:
- Baiting—leaving Trojan-horse-style equipment or software lying in the open with an enticing title or appearance as bait.
- Phishing—using a scam email to deceive a victim.
- Piggybacking (or tailgating)—following someone into a secure environment, with or without their noticing.
- Quid Pro Quo—giving someone something in return; exploiting a person’s goodwill.
- Shoulder Surfing—watching someone enter knowledge-based credentials and remembering them for future unauthorized use.
- Vishing—using an interactive voice response system to trick a victim into entering personal information over the phone.
According to Granger (2010), regardless of the specific attack method, the basic methods of persuasion used are “impersonation, ingratiation, conformity, diffusion of responsibility, and plain old friendliness… the main objective is to convince the person disclosing the information that the social engineer is in fact a person that they can trust” (Granger, 2010). An additional supplement to the information-gathering process and to the development of a plausible background prior to pretexting is dumpster diving—sifting through discarded files for sensitive information.