Hackers, at least ones who are good at what they do, have an intimate and in-depth knowledge of computer systems and Windows applications. They have high-tech tools and utilities to help them identify target systems, bypass security measures, compromise computer systems and otherwise cause mischief.
The truth of the matter is that all of the programs and exploits in the hacker's arsenal pale in comparison to their number one weapon: social engineering. Social engineering is the art of preying on human nature for the purpose of misleading or deceiving someone.
The root of the problem is that most people, at their core, are fairly nice. People have an innate desire to be kind and helpful to one another. Just as some of the best features of an operating system or application end up being exploited for malicious purposes, this built-in kindness can be exploited by less scrupulous people to gain information or access. There are a number of angles that can be used to exploit basic human nature. Here are a few of the most common:
- Urgency. "I know that this is totally against the rules, but my job is on the line. I was working on a report using information from the CFO. The report is due this afternoon and my computer crashed. I need access to the CFO's computer so I can get the data he sent me and get this report done in time for the meeting or I will be unemployed this time tomorrow." A hacker can use a sense of urgency to get a target to empathize with them. By pretending to be a user whose job is on the line a convincing hacker might be able to dupe a help desk technician into changing a password or otherwise granting access.
- Authority. "Good morning. Bob Reynolds, I am sure you were told to expect me. No? I am in from the Boston office for the audit. They should have told you. Oh well, just buzz me in. I still remember my way around from the last audit." A hacker pretending to be someone in a position of power or authority can convince a front desk receptionist to buzz them into the building or a user to hand over their username and password.
- Greed. "Good day. My name is Mr. Umbutu Zabala. I am the former Secretary of the Interior for the sovereign country of Nigeria. Sadly, our illustrious prime minister has died and the government has been replaced by depraved villains. I have $39 million US dollars that I need to get out of the country until a legitimate government can be installed again. I hope that I can trust you to help me transfer this money to your country. For your services, I will gladly pay you 10% of the total funds, or $3.9 million…" Preying on basic human greed is a tremendous social engineering tactic. While most people recognize this as a ridiculous request and would never reply, this "Nigerian Bank Scam" has been victimizing naÏve people for decades.
These are just a few examples. Unfortunately, there is little defense. You want people to use common sense and good judgment. You don't want your users granting access or giving network credentials to strangers, but you also don't want everyone to be cynical and jaded against everyone and everything. Keeping users aware of common social engineering strategies may help them to be kind and helpful, but with a healthy dose of skepticism.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
