The firewalls are impenetrable—all the security holes have been
patched. The network is secure. Your passwords are all unique,
random-sequenced, long, and unbreakable without all the world’s
supercomputers crunching beyond the life of the universe.
The phone rings. A friendly voice who says he’s calling from a
vendor’s site asks for assistance. Or perhaps this caller has
self-identified as a magazine journalist doing surveys, and the first
questions concern only cafeteria quality and who hauls the refuse. Then
he asks what browser types and versions you use. Then there's a segue
into questions about other software used by your coworkers.
It’s good to be helpful.
The problem is that this particular caller is a hacker who aims
to tailor viruses to launch at your enterprise’s systems.
This is one simple, low-tech approach from an array of such
activities called “social engineering.” Social engineering is not much
different than market research, but unfortunately it can have a
malignant purpose. It’s “social” because information is gathered from a
human being rather than as the result of system cracking. It is the
exploitation of the natural human tendency to trust and to be helpful.
The goal is to gain information that allows unauthorized access to
systems or the information that they contain.
At DefCon, the hacker’s conference held annually in Las Vegas,
the ease and benefits of social engineering were demonstrated this
last August through a contest in which participants had twenty-five
minutes to gather as much information as possible from seventeen
companies including Microsoft, Google, BP, Apple, Proctor and Gamble,
and others. Out of fifty people called at these firms, only five—all
women, interestingly enough—refused to give up any information. Only
one company failed to yield any information—no one answered the phones
The appeal of the approach is that little technical skill is
required; only a smooth skill to schmooze is necessary. The term
“social engineering” was popularized by consultant Kevin Mitnick, a
former hacker who served five years in prison for his exploits. Mitnick
understood that it was often far easier to trick someone into
surrendering information about a system than to hack into the system
Social engineering attacks can appear quite innocent on the
surface, but given the powers of aggregation through data mining and
compromises at other firms, a well-orchestrated attack can reveal a
great deal about a company or an individual. This is not to say that
every caller is suspicious, but it’s wise to be aware that sometimes
casual inquiries are not as friendly as they appear.