Social engineering
Social engineering (English: social engineering, abbreviated soceng) is the psychological manipulation of a person into performing an action or revealing confidential information. It is generally carried out by telephone or over the Internet. Social engineering is one of the methods hackers use to obtain information about their targets, by requesting the information directly from the victim or from another party who holds it.
Social engineering concentrates on the weakest link in a computer network system: the human being. Worse, this security hole is universal; it does not depend on the platform, operating system, protocol, software, or hardware, so every system shares the same weakness in the human factor. Every person with physical access to the system is a potential threat, even one who is not covered by the security policy that has been drawn up. Like other hacking methods, social engineering requires preparation; in fact, most of the work consists of preparation.
Behind all the existing security systems and procedures there remains another, very important factor: the human being.
In many references the human factor is considered the weakest link in a security system. A good security system is useless if it is handled by an incompetent administrator. In addition, a reasonably complex network usually has many users who do not understand security issues or do not care enough about them. Take, for example, a company in which the network administrator has implemented a security policy well, but some users ignore security: a user chooses a password that is easy to guess, forgets to log out when going home from work, or readily gives access to colleagues or even to a client. This allows an attacker to exploit the weakness and steal or damage important company data. Discarded waste that is useless to us can be useful to other people, for example a salary slip or an ATM receipt. We throw these away because we no longer need them, but they contain information that others can use.
In the case above, an attacker can pretend to be an interested party and request access from one of these careless users. Such an action is classified as social engineering.
Method
The first method is the most basic one in social engineering and can accomplish the attacker's task directly: the attacker simply asks for what he wants, whether a password, access to the network, a network map, the system configuration, or a room key. This method works the least often, but it can be very helpful in completing the attacker's task.
The second way is to create a false situation in which the target becomes a participant. The attacker can, for example, invent a pretext involving the interests of another party or another part of the company. This requires further work from the attacker, who usually has to gather additional information about the target. It also means we do not have to lie all the time to create the situation; sometimes facts are more readily accepted by the target.
For example: a person pretends to be a ticket agent and calls one of the company's employees to confirm that his vacation ticket has been booked and is ready to be sent. The booking is placed under the target's name and position in the company, and these details must match the target's data. Of course the target does not recall ordering a ticket, and the attacker then still needs to confirm the name and the employee number. This information can serve as a starting point for entering the company's system with the target's account. As another example, the attacker can pretend to be conducting a hardware survey on behalf of a particular vendor; from this, information about network maps, routers, firewalls, or other network components can be obtained.
The popular way now is through e-mail: sending the target an e-mail asking him to open an attachment, into which we can of course insert a computer worm or a Trojan horse to create a back door on the system. We can even embed computer worms in JPG files that seem "innocent".
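As an added example of a defender-side check, not part of the original article, the following Python screens the attachments of an e-mail for the lure described above: an attachment that claims to be an image but carries executable content, or that carries an executable extension. The sample "ticket confirmation" message, the signature table and the function names (`classify_attachment`, `screen_message`, `build_sample`) are all constructed for this illustration; the double-extension check generalizes slightly beyond the article's JPG example.

```python
"""Screen e-mail attachments for lures that claim to be something harmless."""
import email
from email import policy
from email.message import EmailMessage

# Leading bytes of a few common file types (constructed lookup table, not exhaustive).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "exe": (b"MZ",),
    "zip": (b"PK\x03\x04",),
}

# Extensions that a Windows desktop will execute when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs", "hta", "ps1"}


def _extensions(filename):
    """Return every dotted extension of a filename, lower-cased, in order."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def _detect_type(content):
    """Name the type whose signature the content starts with, or 'unknown'."""
    for ext, signatures in MAGIC.items():
        if any(content.startswith(sig) for sig in signatures):
            return ext
    return "unknown"


def classify_attachment(filename, content):
    """Return the reasons an attachment looks like a lure (empty list: nothing found)."""
    reasons = []
    exts = _extensions(filename)
    if not exts:
        return ["no file extension"]
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
    # "photo.jpg.exe": a harmless-looking extension placed before the real one.
    if len(exts) >= 2 and exts[-2] in MAGIC and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension disguises executable as .{exts[-2]}")
    # The article's JPG case: the name says image, the bytes say something else.
    expected = MAGIC.get(last)
    if expected and not any(content.startswith(sig) for sig in expected):
        reasons.append(f"content signature is {_detect_type(content)}, not .{last}")
    return reasons


def screen_message(raw):
    """Parse a raw RFC 5322 message and classify each attachment by filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        content = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, content)
    return findings


def build_sample():
    """Constructed sample: a 'ticket confirmation' carrying a PE file named as a JPEG."""
    msg = EmailMessage()
    msg["From"] = "tickets@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Your vacation ticket is ready"
    msg.set_content("Your booking is attached; please open it to confirm.")
    # Executable header (MZ) but an image name and MIME type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="ticket.jpg")
    # A genuine JPEG header for comparison.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16, maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in screen_message(build_sample()).items():
        print(name, "->", reasons or "clean")
```

The check deliberately ignores the MIME type the sender declares, since the sender controls it; only the filename and the first bytes of the decoded payload are used. A mail gateway would apply the same idea with a full signature library.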
These methods usually rely on personal factors in the target: lack of responsibility, praise, and moral obligation. Sometimes the target feels that the requested action will have little or no adverse effect. Or the target feels that fulfilling the attacker's wishes will earn him praise or a better position. Or he feels that doing it will help others, and that it is indeed his duty to help others. So we can focus on persuading the target to help us voluntarily rather than by forcing him. We can then guide the target into doing what we want while he believes he is in control of the situation; the target feels he made a good decision by helping us and sacrificing a little of his time and energy.
Psychological research also shows that it is easier to get someone to fulfill a request if they have already dealt with you before, so before the main request, try asking the target to do small things first.