Social Engineering is the practice of employing psychological manipulation techniques with the goal of convincing people to perform actions or divulge confidential information.
Social Engineering can utilize many different vectors and techniques for attacking the target in scope. Phishing is one of the most commonly used Social Engineering techniques.
Phishing is the technique of crafting elaborate malicious emails with the sole intention of either gathering information from the target by having them click on a fake link and enter credentials, or convincing the target to download a maliciously crafted file, with the purpose of gaining access to and control of the target's computer.
Social Engineering can take many different approaches to a successful attack while also leveraging many different vectors. One example of such a vector: if the target utilizes a 3rd party provider, an attacker could impersonate that 3rd party company with the goal of infiltrating the main organization.
Assessing the business environment, studying the behavior of employees and clients who arrive at the buildings and offices, checking for patterns in security procedures, and dressing according to the environment to better blend in and avoid being identified as an attacker are all common techniques utilized in Social Engineering.
If the environment and surrounding areas of the target in scope are professional, where people commonly dress in suit and tie, the Social Engineer must dress according to the pretext being utilized, while at the same time blending in to avoid being noticed and caught in the act.
Social Engineering can be utilized to test many different aspects of the organization's environment:
- Employee awareness of unidentified people
- Whether due process is followed in verifying who the Social Engineer claims to be
- How much access a Social Engineer could obtain
- If the Social Engineer obtained credentials or confidential information, what could be achieved with that information
- How far into the facilities the Social Engineer could gain access
In all organizations, the human element is usually the weakest link in terms of information security. Most of these attack techniques and vectors could be easily remediated with proper and regular employee awareness training.