It’s a fancy term that essentially means getting around a security system not by exploiting bugs and technical weaknesses, but by ‘hacking’ other people.
The best way to understand what ‘social engineering’ means is to look at the infamous Kevin Mitnick. Martin McKeay, a computer security expert working for Akamai Technologies, tells his story in a nutshell.
Kevin Mitnick is probably the most well-known hacker because of the fact that in the 90s he took on a number of companies including the AT&T and a few computer scientists and other security experts and led to a manhunt which eventually got him caught. He went to prison and now he’s out and he’s back in the security realm as a researcher, as a contractor. Kevin is a person who had learned how to work the systems; he would pose as customers, he would pose as workmen. He would go into areas where people wouldn’t look twice because he was wearing a uniform. He would appear to the people that he was calling as if he was an official customer and he got a lot of information out that way. And that’s how he was able to get the passwords, get the usernames.
Essentially, regardless of how secure a digital system is, it still has a weak link: the human users who have access to the system. Patrick C Miller, Managing Partner at Archer Energy Solutions, illustrates how easy it is not just to trick people into giving up their credentials, but to straight up ask them for the password.
There was a recent comedy skit done by Jimmy Kimmel in the US, where they just went on the streets in New York and got people to just give away their passwords voluntarily. There’s another article released talking about how people would sell their passwords for $150. So if a company has spent millions of dollars on digital protection and their employees are giving away passwords for $150 a pop then the cost-benefit doesn’t really seem way out there.
How does one protect oneself against social engineering? Well, being vigilant is the key; there’s really nothing else one can do. And as far as organizations go, raising awareness is probably the most effective method of boosting security. As Mr Miller explains:
If they’re not aware that there’s potential impact or they’ve never had it hit them, they’re going to act as if that’s not a problem. You’ve seen this when people leave their homes or their cars unlocked with the keys in the ignition in communities where there’s low crime. And when a crime wave happens they all lock up their houses and take their keys out of the ignition of their car. So if it hasn’t happened to them, if it hasn’t hit them in a real way or it hasn’t hit a friend of theirs or a family member or something that makes it seem like it’s real to them, they really don’t behave that way.
So, for all those who value their personal data and the corporate data they’re entrusted with: be vigilant, don’t give up passwords and don’t click on suspicious links.