Chapter 5. Social Engineering

In This Chapter

  • Introducing social engineering

  • Examining the ramifications of social engineering

  • Understanding social engineering techniques

  • Protecting your organization against social engineering

Social engineering takes advantage of the weakest link in any organization's information security defenses: the employees. Social engineering is "people hacking" and involves maliciously exploiting the trusting nature of human beings to obtain information that can be used for personal gain.

Social Engineering 101

Typically, malicious attackers pose as someone else to gain information they otherwise can't access. They then take the information obtained from their victims and wreak havoc on network resources, steal or delete files, and even commit industrial espionage or some other form of fraud against the organization they're attacking. Social engineering is different from physical security issues, such as shoulder surfing and dumpster diving, but they are related.

Here are some examples of social engineering:

  • False support personnel claim that they need to install a patch or new version of software on a user's computer, talk the user into downloading the software, and obtain remote control of the system.

  • False vendors claim to need to make updates to the organization's accounting package or phone system, ask for the administrator password, and obtain full access.

  • Phishing e-mails sent by hackers gather user IDs and passwords of unsuspecting recipients. The hackers then ...
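The three pretexts above (bogus support installs, bogus vendor updates, phishing for credentials) leave recognisable traces in the e-mail itself. The script below is an added example, not code from the book or its author: it scores a message on those traces, namely a display name that claims the organisation while the sender domain does not, a look-alike sender domain, phrases that demand credentials or a software install under time pressure, and link text that shows one host while the href points at another. The trusted domain `example.com` and all three sample messages are assumptions constructed for the demo.

```python
"""Heuristic phishing-indicator scoring: an added example, not code from the book.

It flags the social-engineering tells in the chapter's examples (bogus support
or vendor pretexts, credential requests, look-alike senders). The trusted
domain and every sample message are constructed for the demo.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example.com"   # assumption: the organisation's own domain
TRUSTED_ORG = "example"          # word a spoofed display name would reuse

# Pretexts from the chapter: patch/software installs, vendor "updates",
# password requests, and artificial urgency.
PRESSURE_PHRASES = [
    r"\bverify your (account|password|credentials)\b",
    r"\b(install|download) (this|the) (patch|update|software)\b",
    r"\bwithin (24|48) hours\b",
    r"\baccount will be (suspended|locked|closed)\b",
    r"\bsend (me|us) (your|the) (admin|administrator)? ?password\b",
]

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
HOST_RE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def is_trusted(domain):
    """The trusted domain itself or any subdomain of it."""
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def looks_alike(domain):
    """Digit-for-letter swaps (examp1e.com) or the trusted name buried in a longer host."""
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
    if domain.translate(swaps) == TRUSTED_DOMAIN:
        return True
    return TRUSTED_DOMAIN in domain and not is_trusted(domain)


def score_message(msg):
    """Return (score, reasons) for a dict with keys from_, subject, body."""
    reasons = []
    name, addr = parseaddr(msg["from_"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    if domain and not is_trusted(domain):
        if looks_alike(domain):
            reasons.append(f"look-alike sender domain {domain}")
        if TRUSTED_ORG in name.lower():
            reasons.append(f"display name '{name}' but sender domain {domain}")

    text = (msg["subject"] + " " + msg["body"]).lower()
    for pat in PRESSURE_PHRASES:
        if re.search(pat, text):
            reasons.append(f"pressure/credential phrase matched: {pat}")

    # Link text that shows one host while the href goes somewhere else.
    for href, shown in LINK_RE.findall(msg["body"]):
        href_host = (urlparse(href).hostname or "").lower()
        m = HOST_RE.match(shown.strip())
        if m and href_host and m.group(1).lower() != href_host:
            reasons.append(f"link text {m.group(1)} hides {href_host}")
    return len(reasons), reasons


# Constructed sample messages (not real mail).
PHISH = {
    "from_": "Example IT Support <helpdesk@examp1e.com>",
    "subject": "Urgent: verify your password",
    "body": ('Your account will be suspended within 24 hours unless you verify '
             'your credentials at <a href="http://examp1e.com/login">'
             'https://portal.example.com</a>.'),
}
VENDOR = {
    "from_": "Acme Telecom <support@acme-telecom-support.net>",
    "subject": "Phone system update",
    "body": ("We need to install this patch on your PBX tonight. Please send us "
             "the administrator password so we can log in."),
}
LEGIT = {
    "from_": "Example IT Support <helpdesk@it.example.com>",
    "subject": "Scheduled maintenance on Saturday",
    "body": ('Mail will be unavailable 02:00-03:00 UTC. Details: '
             '<a href="https://status.example.com/maint">'
             'https://status.example.com/maint</a>.'),
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("vendor", VENDOR), ("legit", LEGIT)):
        score, why = score_message(msg)
        print(f"{label}: score={score}")
        for r in why:
            print("   -", r)
```

A score of two or more is a reasonable threshold for routing a message to a human reviewer; the reasons list tells the reviewer which pretext the message is using, which is the same judgement a user should be trained to make before acting on it.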

Get Hacking For Dummies®, 2nd Edition now with the O’Reilly learning platform.
