Subrahmaniam Krishnan-Harihara, Vasanthi Nagappan and Prof Andrew Basden
It is widely recognized that technical security by itself does not offer sufficient protection against security breaches. Of all the different kinds of security breaches, technical security is perhaps least effective against social engineering because this form of attack depends on the manipulation of people. Social engineering is the human approach to violating security. It involves obtaining sensitive information or access rights to assets through deception or impersonation. It is also probably the most difficult type of breach to deal with. Although social engineering may not be as widely known as other security breaches, it can have very serious consequences for an organization. Social engineering takes advantage of human error or carelessness, and even the genuine human desire to be helpful and trusting. It is a popular form of attack because there are no technical barriers to overcome and also because it may result in the attacker obtaining valuable information which can then be used for other breaches. In many cases, the victim of social engineering doesn’t realize that he/she has been manipulated.
While each social engineering attack is unique, the commonality is the pattern. Most social engineering attacks take the four step process of information gathering, developing a relationship, exploitation and execution (Mitnick & Simon 2002). In the first step, several techniques may be used by the social engineer to gain knowledge about the intended target. This may include information such as phone numbers, birthdates, designation or the company’s organizational chart from public sources such as phone books, web pages etc. This is followed by building a rapport with the victim, which over time could develop into a relationship of mutual trust and friendship. Developing a trust is crucial because it could facilitate the exchange of favours or, the attacker can abuse the trust for the purpose of carrying out a breach. Actually obtaining the sensitive information or access required is the third step in the process and when that has happened, the attacker can carry out the final step of actually perpetrating the attack. In some cases, it might also iterate into further cycles or the actual attack may have several cycles.
The underlying process of social engineering is, therefore, thoroughly psychological because it is mainly about creating illusory pretexts, wherein the victim believes that the context upon which the attacker calls him/her is genuine and that he/she genuinely requires the information that can be furnished only by the victim. The genuineness of the entire situation is established by the attacker through a display of confidence, authority, the right credentials and good communication. By empowering the victim with praise and by presenting oneself as a trustworthy and legitimate person, the attacker can then proceed to gain all the information required in a confident manner.
Social engineering is a psychological process by which an individual can gain information from another (target) individual. In a social attack, the attacker often uses mental imagery and cues over direct, logical arguments to trigger the target into revealing the required information or performing the required activity. Because of the intense mental process through which this is done, the target individual often feels compelled to comply with the attacker. Success for the attacker depends on making this feeling strong enough so that the intended victim is persuaded to forego established procedures. A social engineer preys on certain qualities of human nature, all of which have a psychological basis. These qualities are the desire to be helpful, the tendency to help people, the fear of getting into trouble, the willingness to cut corners, the fear of job loss or personal embarrassment and the desire for prestige, thereby securing information release (Turner 2005, Peltier 2006).
Social engineering, as a security attack, needs to be given adequate attention because of its ability to take advantage of human weakness of trust and helpfulness. A successful social engineering attack can lead to other serious offences such as identity theft and industrial espionage. This is not only at the organizational level, but also at the individual level. This paper will aim to study this human element of security because this is an area most prone to attacks, as opposed to the technical means of providing security. It is evident that to understand social engineering, it is important that the psychological process be studied. This paper will, therefore, attempt to explore the psychological element of social engineering. In doing so, this paper will seek to identify the causes of social engineering and what could be done by organisations to counter it. A qualitative analysis of data collected for the study will be presented to evaluate the level of awareness about social engineering. Finally, recommendations for building awareness about social engineering will be provided based on a review of current psychological research into the subject. The authors expect that this paper will be valuable to information security professionals seeking to build effective security programmes covering both technical and non-technical aspects of information security.
Mitnick K D and Simon W L (2002) ‘The Art of Deception’ Wiley Publishing, Indianapolis, Indiana, USA
Peltier T R (2006) ‘Social Engineering: Concepts and Solutions’ Information Security and Risk Management. EDPACS 33(8), p 1-13
Turner T (2005) ‘Social Engineering: Can Organizations Win the Battle?’ available online http://www.infosecwriters.com/text_resources/pdf/Social_Engineering_Can_Organizations_Win.pdf [retrieved: 04 February, 2011]