Social engineering is a method of using human interaction to convince people to break their normal security processes. It may make use of technology, but technology isn’t required to reach the goal. It has been around since the beginning of time, and although it has a modern name, it really is just a con game practiced by hackers.
According to the SANS (Systems Administration, Networking, and Security) Institute, there are four stages of a social engineering cycle: Information Gathering, Relationship Development, Exploitation, and Execution.
In the information gathering stage, roughly 50% of a social engineer’s time is spent doing research on potential victims. A social engineer will collect personal and professional data, find weaknesses, and use those against the target. So in general, limit the information you make available to strangers, whether business or personal.
In the relationship development stage, the con artist takes the information gathered in the first stage and uses it to gain trust and rapport with a target. Make sure that relationships are real, regardless of whether they take place at home or in the office. Often this stage takes place outside the office, but the information gained will be used inside of it. The relationship can be that of a vendor, a customer, or even someone looking for a job who stops by to drop off a resume. Always ask questions about who is in the office and their reason for being there.
In the exploitation phase, the targeted victim is manipulated into providing some type of information or other assistance to the con artist that normally would not be given to him or her. This could be passwords, keys, or access to the server room. Once these are granted, the actual attack takes place, and in many cases the victim doesn’t even know he or she was tricked. A social engineer can install malware on a computer in minutes or even less.
While wanting to help people is a good trait, it is better to find some way to help that won’t result in anything of value changing hands or traversing networks (as would be the case if malware were placed on a server, for example).
Execution is the exit strategy. Whatever the goal was for the con artist has been achieved at this stage, and he or she moves on, either disappearing or moving on to the next phase, and the cycle is complete.