Operational and Organizational Security: Incident Response • Chapter 11 621
Hackers using social engineering to acquire information will often misrepresent themselves as authority figures or someone in a position to help their victim. For example, a hacker may phone a network user and say that there is a problem with the person's account. To remedy the problem, all the caller needs is the person's password. Without this information, the person may experience problems with their account, or will be unable to access certain information. Since the person will benefit from revealing the information, the victim often tells the hacker the password. By simply asking, the hacker now has the password and the ability to break through security and access data.
Social engineering often involves more subtle methods of acquiring information than simply asking for a password. In many cases, the hacker will get into a conversation with the user and slowly get the person to reveal tidbits of information. For example, the hacker could start a conversation about the Web site, ask what the victim likes about it, and determine what the person can access on the site. The hacker might then initiate a conversation about families and pets, and ask the names of the victim's family members and pets. To follow up, the hacker might ask about the person's hobbies. Since many users make the mistake of using names of loved ones or hobbies as a password, the hacker may now have access. While the questions seem innocuous, when all of the pieces of information are put together, it can give the hacker a great deal of insight into getting into the system.
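The paragraph above points at a control that complements user education: a password policy that refuses passwords built from exactly the kind of personal details a friendly conversation can extract. The following is an added example written for this page, not code from the book; the profile data is constructed, and the function names (normalize, personal_tokens, find_personal_info, check_password) are hypothetical. It normalizes a candidate password (case, accents, and common letter-for-digit substitutions such as "Bi5cuit") before comparing it against the user's known family names, pet names, and hobbies.

```python
import re
import unicodedata

# Constructed sample profile: the "innocuous" facts a social engineer collects in
# conversation (family members, pets, hobbies). Hypothetical data for this example.
SAMPLE_PROFILE = {
    "family": ["Margaret", "Tom"],
    "pets": ["Biscuit"],
    "hobbies": ["sailing", "chess"],
}

# Common substitutions people use to "disguise" a familiar word. The mapping is a
# simplification (for example "1" is read as "i", though it is sometimes an "l").
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)

# Tokens shorter than this are ignored to avoid spurious matches ("Al" in "final").
MIN_TOKEN_LENGTH = 3


def normalize(text: str) -> str:
    """Lowercase, strip accents, undo simple leet substitutions, keep letters only."""
    decomposed = unicodedata.normalize("NFKD", text)
    without_accents = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z]", "", without_accents.lower().translate(LEET_MAP))


def personal_tokens(profile: dict) -> set[str]:
    """Turn every word in the profile into a normalized token worth checking."""
    tokens = set()
    for values in profile.values():
        for value in values:
            for part in re.split(r"\s+", value):
                norm = normalize(part)
                if len(norm) >= MIN_TOKEN_LENGTH:
                    tokens.add(norm)
    return tokens


def find_personal_info(password: str, profile: dict) -> list[str]:
    """Return the profile tokens (sorted) that appear inside the normalized password."""
    norm_pw = normalize(password)
    return [token for token in sorted(personal_tokens(profile)) if token in norm_pw]


def check_password(password: str, profile: dict) -> tuple[bool, str]:
    """Accept the password only if none of the user's personal tokens are embedded in it."""
    hits = find_personal_info(password, profile)
    if hits:
        return False, "password contains guessable personal information: " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Bi5cuit!", "S4iling#99", "Margaret&Tom1", "correct horse battery staple"]:
        accepted, reason = check_password(candidate, SAMPLE_PROFILE)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The check is deliberately substring-based after normalization, so "Bi5cuit!" and "S4iling#99" are rejected even though they are not literal profile entries. The profile itself must be treated as sensitive, and the minimum token length is a tradeoff between catching short names and rejecting ordinary words that happen to contain them.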
In other cases, the hacker may not even need to get into the system, because the victim reveals all the desired information. People enjoy when others take an interest in them, and will often answer questions for this reason or out of politeness. Social engineering is not confined to computer hacking. A person may start a conversation with a high-ranking person in a company and get insider information about the stock market, or manipulate a customer service representative at a video store into revealing credit card numbers. If a person has access to the information the hacker needs, then hacking the system is not necessary.
The best way to protect an organization from social engineering is through education. People reveal information to social engineers because they are unaware they are doing anything wrong. Often they do not realize they have been victimized, even after the hacker uses the information for illicit purposes. Teaching users how social engineering works, and stressing the importance of keeping information confidential, will make them less likely to fall victim to social engineering.
www.syngress.com