Security awareness is crucial for organizations because technical controls can only offer protection to a certain degree. In targeted attacks, organizations may find that attackers do not only attempt to penetrate an organization by bypassing or exploiting technical controls, but also by exploiting employees; in the security industry, we refer to this skill set as social engineering. Social engineering, for lack of a better explanation, can be summarized as the manipulation of individuals to attain an end goal that is usually not aligned with the victim’s best interests. In other words, social engineering is crafty lying, informed by a working knowledge of human psychology and behavior. Before we go on to discuss the impact of social engineering on organizations, it is worthwhile to discuss the mechanics of social engineering.
Primarily, social engineering relies on the use of cognitive biases to manipulate victims into disclosing information or performing actions for the social engineer that are typically against their best interests, or at least not something the individual would do without manipulation. For the not so psychologically inclined, a cognitive bias is essentially the human tendency to make systematic errors in reasoning. Now that we have an idea of what social engineering is, we can explore the common attack vectors and techniques employed by social engineers in the next few blog entries to come.
(Editor’s Note: This is Part 1 of a 5 part series on social engineering.)