CEH


So far in this book we have covered a lot of threats, but they
have all been technological in nature. In this chapter, we will
shift gears and discuss social engineering. Social engineering
deals with the targeting and manipulation of human beings rather than technology or other
mechanisms. This method is popular because the human element is frequently the weak
part of a system and most prone to mistakes.
The reality is that security starts and stops with the human element. If that element fails,
the entire system can be weakened rapidly. The end user represents the first line of defense
in many cases and is the one factor that can have the greatest impact on the relative security
or insecurity of a given environment. Human beings can be either reactive or proactive in
handling security incidents, and a proactive user can stop many issues before they become problems.
As an ethical hacker, you need to be aware of the threats and dangers of social engineering
as well as how to use these techniques. This chapter explores how social engineering works,
why it is successful, and how you can use it in your penetration testing.


What Is Social Engineering?


Social engineering is a term that is widely used but poorly understood. It is generally defined
as any type of attack that is nontechnical in nature and that involves some type of human
interaction, with the goal of tricking or coercing a victim into revealing information or
violating normal security practices.
Social engineers are interested in gaining information they can use to carry out actions
such as identity theft or stealing passwords, or in collecting information for later use.
Scams may include trying to make a victim believe the attacker is technical support or
someone in authority. An attacker may dress a certain way with the intent of fooling
the victim into thinking the attacker has authority. The end goal of each approach is either
to get the victim to drop their guard or to gather enough information to better coordinate
and plan a later attack.


Social engineering is one of the few types of attacks that can be classified
as nontechnical in the context of the CEH exam. The attack category relies
on the weaknesses or strengths of human beings rather than application of
technology. Human beings have been shown to be very easily manipulated
into providing information or other details that may be useful to an
attacker.