Social Engineering

"We believe social engineering is the single greatest security risk in the decade ahead."

Rich Mogull, Research Director for Information Security and Risk , The Gartner Group.

In computer security, social engineering describes a non-technical kind of intrusion that involves tricking other individuals to break normal security procedures. A social engineer runs a modern-day version of a "con game".

For example, a person using social engineering to break into a computer network would try to gain the confidence of someone who is authorized to access the network to have them reveal information that compromises the network's security. A social engineer might notify an authorized employee with some kind of urgent problem, often relying on the natural helpfulness of people, as well as on their weaknesses. Appeals to vanity, authority, and old-fashioned eavesdropping are typical social engineering techniques.

Another aspect of social engineering relies on the victim’s inability to keep up with a culture that relies heavily on information technology. Social engineers take advantage of the fact that people are not aware of the value of the information they possess – and are careless about protecting it. Frequently, social engineers will search dumpsters for valuable information, memorize access codes by looking over someone's shoulder (shoulder surfing), or abuse people's natural inclination to select passwords that are meaningful to them but can be easily guessed.

Security experts predict that as our culture becomes more dependent on information, social engineering will remain the greatest threat to any security system. Prevention includes educating people about the value of information, training them to protect it, and increasing people's awareness of how social engineers operate.

Social Engineering Assessments

Sacure can identify weak links in the security chain through exploiting human vulnerabilities. We use our expertise in this field to expose what is often the weakest link in the information security apparatus: the human element.

Once individual or systemic weaknesses are identified, Sacure recommends procedures designed to ensure employees do not divulge information that could compromise company assets. Our social engineering assessment not only uses tactics intended to gain confidential information, but also to induce unsuspecting employees to create vulnerabilities that can subsequently be exploited to gain access to confidential information.

Social Engineering Workshops

Most people don't believe gaining information by deceit could be so easy. "No one could be that stupid" is a common phrase heard from people who first learn how these types of attacks work.

However, once demonstrated (especially armed with some personal information) people who have been conned become hard and fast believers. Just seeing it in action brings home the reality that information can leak through most any worker and that one must always be on guard.

Through one or two-day training courses, Sacure will take you through case studies, examples and methods of social engineering. By examining how attackers gather personal information, abuse trust, and choose their targets, you can be better prepared to prevent these incidents. We will help guide you and your company towards policy, security, and an informed workforce that can provide protection against future attacks on your company.