social engineering is really very intresting topic to discuss and write on.there are few good books written on it like the art of deception by kevin mitnick.there is also one good site from fravia which contains some good papers from +ORC and others.so here i will try to discuss it in short.
social engineering can be defined as "using humon factor to retrive any sensitive information about an organisation or a person."
as you all might be agree the best way to gain access to any system is to get the correct login creditail.so suppoes an organisation has spent millions of $$ in securing their infraustructer from any attack.they deployed most advanced (and costly) IPS,firewalls and IDS which have up-to-date signture to protect from even many undisclosed exploits.they have a well defined password policy,password can not be username,spous name etc.but all this effort is useless if such organisation can not control one major factor i.e. humon factor.
in genral human are tends to avoid any problem,they avoid taking risk and they want to be safe,they want to live without any problems.so this is the factors on which the entire social engineering attacks depends.lets have a look on following case senarios:-
1)suppoes one networking person who is responsible to maintain the entire network within a company gets a call which seems to be come from a person whos is on very high position in company.that person demands to reset the password for one of the worker because he need imediate access to his system.
now in this case if everything went allright then that network person will reset the password.so now suppoes if this is a call by any malicious user who want to access the system then he now has the new password and he can play with it.
2)another technique is called dumpster diving.genrally most of the people used to throw their bills,credit card statments and other corporate stuff without properly destroying them in the hope that it is not usefull to them.but such information can help any malicious user in gaining some information about the target.such information help in Reconnaissance.there are many details which can be obtained by such documents like phone number,employee name,address etc.
3)Suppoes you are using your credit card to pay the bills of your shopping.there is another person standing near to you who is constaly monitoring you and with few exception he can easily get you credit card number and PIN.they can even use camera or binoculars.
4)another form of social engineering is phishing.we all get tons of mails in our inbox which used to be come from paypal or some bank or some lottery site claming that your accoutn information is changed or you won so so million dollars in lottery.
5)consider some worms or viruses like I LOVE YOU and others.they also used socail enginerring attackes becase they were exploiting humon element of security.
6)another way is cleaning crew.cleaning crew has access to each and every section in many companies.in some companies i have seen that they even dont need any access card to log their entries.in such case it is possible that an attacker can have access to your organsation as a cleaning crew member and once he got the access he can put a small device in your network to capture all your data.
so such thing can happen very easily within any organisation.you must need to take approprite measures to prevent your organisation from such kind of attackes.following thing must be usefull in preventing from socail engineering attacks:-
1)update your organisation's security policy to prevent it from such attacks.whenever someone ask for any password change make sure such thing get logged.
2)give proper training to your employee ,not to reveil any confidential information to any irrelvent person.
3)do not type your password in front of someone.
4)properly destroy all your waste data so that they can not be read easily.
5)every person need to have a access card.no two person can enter using one access card.genrally people dont care they just kept the gate open so that someone can easily enter without access card.
any comment and suggestion is welcome :)
