Ethical hacking: Social engineering basics

What is social engineering?

In a nutshell, social engineering is the art of manipulation and misdirection. A social engineer’s goal is to do something that they are not authorized to do. This includes everything from stealing sensitive information to gaining access to a restricted area. Accomplishing this requires ensuring that the target, or “mark,” doesn’t notice what the social engineer is doing or, at least, doesn’t take any action to stop them.

How social engineering works

Social engineering is essentially lying and manipulation. Done properly, a social engineer can accomplish everything that traditional hacking can and often with a lot less work. When preparing for and performing a social engineering attack, there are a few useful tips and tricks.

Know your target

One of the most important parts of social engineering is knowing your target. This includes knowing as much as possible about what information or access you are trying to acquire and the person that you’re trying to acquire it from.

Distilling everything down to a single piece of information can make a social engineering engagement much simpler and more effective. If you need to ask many different questions, the more likely that the mark will become suspicious, which can bring a social engineering exercise to a sudden end.

Simplifying what you want, down to the simplest amount of information possible, can require some attack modeling. In many cases, a collection of information can be acquired from a single other piece of data. For example, access to an email account can provide a large amount of valuable data and only requires knowledge of the user’s password.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Acquiring the information in a subtle manner often requires knowing the target. There are a variety of different social engineering approaches (see Cialdini’s research for some suggestions), and knowing which one to try (Read more...)