How Do Social Engineers Think


You can have the most sophisticated defenses in place, with cutting-edge technology promising peace of mind. Somehow, somewhere, a weak link will still exist. The most advanced video monitoring system does no good when blind spots exist between the cameras. Cameras that are blocked by trees and other vegetation do not help. Visual monitoring systems are no good if the security staff hired to watch them do not remain vigilant at all times. And we've seen enough movies where the video feed has been duplicated and looped to show an all-clear picture while the smooth and capable interloper commits a daring theft.

Social engineering works on the same premise. By influencing employees and individuals into providing sensitive information, the hacker is able to use that data against the individual or the organization in question. It is the employee who is the chink in the armor: the vulnerability that can be exploited far more easily than bypassing sophisticated software designed and created to mitigate information breaches. It can take just a simple e-mail asking employees to provide their passwords in order to test a system, or getting someone to click on a link that diverts them to a malicious site. Social engineering is believed to have a success rate greater than 50% in getting an individual to provide information if the message seems to have arrived from someone they know, such as a partner, a customer, or even a vendor.

Certain individuals within an organization are more desirable targets than others because of the information they post on their public accounts, including social networking sites. A great deal of personal information can be gleaned while the attacker remains completely anonymous behind the scenes. When someone believes the person on the other end is trustworthy, especially when that person reveals personal information only a friend or colleague would know, the level of trust is heightened.

Even very simple techniques, such as passing out free USB flash drives outside an organization or in a coffee shop, can lure unsuspecting employees who grab the free gift and plug it into their home or work system. There have even been schemes in which Trojan viruses were burned onto a CD, then delivered to companies as a demonstration CD. Once the employee inserted the CD and executed the seemingly innocent material, they were instantly infected and the damage was done.

Other types of social engineering bypass an individual's curiosity and target any loopholes found in technology. Spoofing a caller ID is one such technique. By making a phone call pretending to be a customer, a vendor, or a friend or employee in the company, information can be obtained. Mobile phones that do not use passwords on their voice mail can be reached with spoofed IDs in order to listen to the stored voicemails and acquire information. There is even a technique called Silent Cleaner. An individual gives the illusion that he belongs within an office and walks around without anyone challenging him. While taking a stroll, he is able to read all sorts of information, such as client contracts left in unlocked locations, can steal mail and other pieces of correspondence left in trays, and can get a list of employees, their titles, e-mail addresses, and phone numbers. He can even walk by piles of paper waiting to be recycled or shredded. Just looking over someone's shoulder to see what they enter as a door code or password gives him an advantage.

It is in situations like this that training and awareness come into play. A strong training course in the area of information security, such as the training offered by Center for Technology Training, is an excellent choice. CISSP training brings awareness, understanding, and a strong knowledge base of data security, and provides a new, dynamic career in great demand. Environmental security, access control, security risk management, cryptography, and network security are just a small sample of the range of issues and topics covered in the information security certification training. It is this user training and education that supports any form of sophisticated technology used as a security measure. When users understand security best practices and the many ways they can be tricked into providing information, situations involving social engineering can be recognized and stopped.

Neil O'Neil, who works with The Logic Group, is a very qualified forensics investigator and ethical hacker as well as a secure payment specialist. In penetration exercises he uses social engineering to acquire information and to demonstrate how it can be done, as well as the measures to take in order to prevent the problem. “I use different methods and an understanding of the individual I am interfacing with. These methods involve human individualities of lethargy, fear, and accommodation.” Neil explains that people fear they are always being watched and therefore make an effort to display how much they know, their personal opinions, and their experience. This, along with stroking their ego, makes it very simple to get a very large amount of data, lest the individual feel they have failed or experience criticism.

Individuals such as those who did not receive a promotion work in automatic mode. It is very easy to feign empathy and friendship and share their disappointments. From there it is a simple process to gain information. Lower-tier employees are more than generous in their willingness to help their fellow man. By playing on their helpfulness and niceness, getting them to provide information is not difficult.

The company VeriSign was a target for social engineering in 2009. The attack was unsuccessful but highly sophisticated in nature. The hacker used a voice over IP environment to communicate with customer service. Computer systems used to carry instant messages and chats with the help desk were compromised. Because all of this occurred in a location very close to that of the individual he pretended to be, customer service did not become suspicious. By supplying particular, sensitive information related to the person he was impersonating, he made a very good attempt to persuade customer service to give him access to information. It is believed his preparation came from other attacks he had conducted, from data gathered from open sources, and from an understanding of the Domain Name Service platform.
