Social Engineering as it Applies to Information Systems Security
The research takes into account several aspects that together create an overview of the term and of the impact it has on security systems. The first part of the analysis reviews the concept of social engineering and the aspects it entails. Secondly, it provides a series of cases that were influenced by social engineering and the effects each had on the wider picture of information security. Thirdly, the research looks at what policies are in place to avoid this type of practice and how the information security community has responded to the threat posed by social engineering. Finally, possible solutions to the issues social engineering raises are presented in the context of the increasingly technological environment in which business is conducted today.
General aspects on social engineering
A non-academic definition of what social engineering stands for has been provided in several instances as the matter grew in attention and more cases of such "behavior" became known. Putting it bluntly, "Social engineering aims to exploit the weakest link in information security -- people. Just as in historical examples in which people were manipulated into meeting one's ends, social engineering is grounded in the same principle. Yet social engineering does not necessarily need the use of technical methods. By nature, people tend to be helpful and polite. Social engineering techniques take advantage of this intrinsic nature to manipulate people into divulging sensitive information" (Schneier, 2009). At first glance, it can be argued that the concept treats human nature as the default condition for people's activity. More precisely, social engineering, and the successful individual who practices it, focuses on the social nature of a person and turns this part of the personality into a weakness. From a first perspective, it is fair to say that social engineering as a practice uses people to achieve different goals, in this particular case to obtain information that would otherwise have been restricted by security protocols.
A more formal definition of social engineering provides a stricter description of the practice: "Social engineering is the practice of obtaining confidential information by manipulation of legitimate users" (Allen, 2006). Under this definition, the term entails several considerations. On the one hand, it must be pointed out that the incentive for this practice is the acquisition of confidential information. In general, accessing public information that would otherwise be available to everyone is not considered social engineering. Therefore, a first aspect is that social engineering implies a breach of security and, automatically, of the law. Secondly, it must be pointed out that those targeted by social engineers are the individuals and links that handle this type of information, the legitimate users of the information. From this point of view, and given a general outlook, it is in fact not the social engineer who commits the wrongdoing but rather the authorized user, by divulging the information. Therefore, it can be noted that social engineering as a practice is in fact a manipulation of the human component of a security system.
Aside from the legitimate users who are targeted and involved in the process, the social engineer, the individual who carries out the process, plays the main role. It must be pointed out from the outset that the terms "engineering" and "engineer" do not necessarily reflect a technical nature in the activity undertaken by such an operator. It is the definition of engineering as "calculated manipulation or direction (as of behavior)" that needs to be taken into account (Merriam-Webster, n.d.). The social engineer in this case is, more or less, the individual who engages in such manipulation with the purpose of obtaining information. A more comprehensive definition is that a social engineer is "a hacker who uses brains instead of computer brawn" (Allen, 2006).
The term "hacker" has often been associated in popular belief with activities that relate strictly to Internet or web-based processes, focused on breaching the security of information in an environment that includes hardware, computers, software firewalls and other IT-related security measures. In this case, however, the raw material that such hackers work with is the personality and individuality of human beings. This is an important aspect to take into account, especially because in such circumstances the options for limiting social engineering are few, and it is difficult to anticipate every situation in order to address them at the level of legislation.
Other definitions describe the entire process of social engineering in a way that is both comprehensive and straightforward, with a clear mention of the roles each party plays in the overall process. In this sense, Microsoft considers that "To attack your organization, social engineering hackers exploit the credulity, laziness, good manners, or even enthusiasm of your staff. Therefore it is difficult to defend against a socially engineered attack, because the targets may not realize that they have been duped, or may prefer not to admit it to other people. The goals of a social engineering hacker -- someone who tries to gain unauthorized access to your computer systems -- are similar to those of any other hacker: they want your company's money, information, or IT resources." (Microsoft, 2014)
Although most of the situations investigated by security personnel did in fact prove to be social engineering, there are also cases in which a person can engage in such an action without actually knowing that he or she is committing a breach. In this sense, "Social engineering attacks can essentially be executed by accident or with the best of intentions by an innocent "attacker" whose motivations are generally benevolent. Understanding the breadth of possibilities for social engineering attacks to compromise a system, and the fact that the attacker may often not even consider its actions an attack, can help you arm yourself against social engineering" (Perrin, 2010). This is an important aspect to take into account, particularly because it is rather difficult to ascertain precisely the rationale behind one attack or another, for example in a working environment. This point applies especially to cases in which people glance over a colleague's shoulder at their computer without any intention of establishing a pattern or committing a malicious act; this does not necessarily constitute social engineering.
There are numerous techniques used by social engineers in conducting their activities. Most of them do not involve any type of technological device. According to manuals written to help companies, individuals, and governments alike safeguard their employees from social engineering, the most common techniques are the ones based strictly on other human beings not being careful enough, or being overly polite and trusting. Some of these techniques include shoulder surfing, "dumpster diving," or mail-outs (Allen, 2006). As can be seen, all these types of procedures are based on social interaction with one or more individuals. While shoulder surfing represents a more personal approach, as the social engineer needs to be in the vicinity of the targeted user, dumpster diving can occur more often. Even so, according to surveys conducted among employees from different environments, email phishing is seen as the most common. In this sense, "Phishing -- pretending to be a trustworthy entity in an electronic communication -- was identified as the most typical source (47%), followed by social networking sites such as LinkedIn that allow new employees to be targeted (39%)" (Dimensional Research, 2011). Finally, mail-outs are seen as among the most common means of gathering information about people, which can include passwords, PINs, and private information about their workplace, income, and even marital status. An example in this sense is the questionnaires or various links that go viral on the Internet and, when interpreted correctly, can provide a considerable amount of information about individuals, which can then be used either against them or for other purposes.
The rationale and motivation for social engineering is, first of all, material gain for the engineers. Most often, from a general perspective, social engineers can either sell the information gathered or use it to their own personal advantage. Another motivation for conducting this activity is personal revenge. In this sense, according to one study, "51% of social engineering attacks are motivated by financial gain - 14% of social engineering attacks are motivated by revenge" (Dimensional Research, 2011). Other reasons include competitive advantage and personal vendetta. There are numerous cases in which personal revenge has been used as a motivation for social engineering and, despite the fact that people conducting activities such as shoulder surfing were not aware of the name of this type of process, the information…