Before I begin, I know a few of you will have these questions.
What is Social Engineering?
In simplest terms, it's gaining trust and misleading users.
Well... does it really work?
Can the smartest people be easily misled?
The answer is YES!!
Kevin Mitnick, the famous hacker, said that "SE helped him a lot to gain access to most critical systems".
If so, are we protected?
We live in a world where we are all connected through the internet. Banking, stocks, sports updates, Facebook, Twitter: everything is connected. As we depend on computers for our daily work, computers depend on us too. The more we depend, the more vulnerable we become. The attackers / creators mislead users by some means and gain access to the systems, which leads to financial loss.
SE in Email:
I'm sure we have all received emails like "I'm the only descendant of a rich African who recently passed away." The latter deposited several million dollars in a financial security company, and your contact person needs a foreign associate to help him transfer the funds. Moreover, he is willing to pay you a non-negligible share if you agree to provide him with an account to transfer the funds.
If you respond to such mails, you are caught in a circle that can cost you hundreds of dollars.
The best way is to delete such mails. Money does not come easily :)
There are a lot of other mails too: offers of a good job with resumes attached, "JOB from Google", "COCA-COLA Lottery", "You have a new E-Card from your friend", just to name a few. Creators use their wildest imagination to gain trust.
The most popular in recent times was the UPS mail; almost everyone will click on such links. SE is not just about mails, it can grow beyond that.
SE over phone:
I read this interesting story long ago: a guy called tech support with some small query and chatted with the support rep for quite some time. The guy said that he was willing to sell his car at a cheap rate and wanted to know if the rep was interested (low prices, we all would say yes). He sent out an email with a picture of the car, and when the rep clicked on the link it executed an exploit that created a backdoor connection out through the firewall. This allowed the attacker to gain access to the support rep's machine. Isn't this easier than trying to bypass all those firewalls at the gateway?
Whenever there is a link, an advertisement, or a message from a friend, we need to make sure that it's from a trusted source. SE spreads widely on Facebook, Twitter, and all the social sites, which helps to spread links and malware. Man is a social animal, and social engineering works better on these sites.
You can't find out who saw your profile. You won't see what you'll look like in the future. You won't know what that man saw when he walked in on his daughter. There are no free iPads. And you can't see the video of Osama's death. The same goes for being tagged in videos (like "what are you doing in this video?"). STOP clicking the spam links and exposing yourself and your friends to virus risks.
SE with just few smiles and smart talks:
A few years back an unknown guy walked into a famous bank (I don't want to name it here). He used his SE skills and later had access to the entire corporate network. He was able to achieve this by getting small amounts of information from employees of the bank. He researched the company for two days and learned employees' names by calling the Human Resources department. The next day, at the main entrance, he pretended to be there to service the company's standard printers and photocopy machines. Front-desk security allowed him to access the building. He reached the secured third floor, though he did not have access: he just smiled, and a friendly employee opened the door (easy access). When he reached the printer, he placed a wireless access point on the local network. This gave access to the internal network from outside, where hackers were waiting. They used common network hacking tools to elevate privileges and to gain super-user access on critical systems. This is how our small mistakes in terms of security give us a devastating reward.
Protecting data and maintaining security is not just the security admin's / system admin's job; it's the responsibility of everyone in the company. Educate your employees about the best security practices in the office.