240 Chapter 10 ■ Social Engineering
Terrorism Perhaps one of the more visible forms of social engineering is terrorism. In this case, a target is coerced into action through the threat of physical violence.
Loss of Privacy An attacker using these techniques can easily steal information to perform identity theft on any number of victims.
Lawsuits and Arbitrations Depending on the compromise, the successful completion of an attack may result in lawsuits or other actions against the victim or the victim’s organization.
Temporary or Permanent Closure Depending on how bad the breach is, the result can be catastrophic, with an entire business closing as a result of mounting financial losses and lawsuits.
Loss of Goodwill Although all losses may not be monetary, they can still be devastating, such as the loss of goodwill from customers or clients.
If you have a good memory, you may recall some of the issues on this list from previous discussions. I’ve repeated them here to emphasize that social-engineering attacks can be just as dangerous or more so than technical attacks. It is to your benefit to remember this when you are doing your testing and planning, because far too often the social element is overlooked in favor of focusing on technology. Although it is possible to do things such as cracking passwords by using a technical attack, sometimes you can get what you want just by asking nicely.
Common Targets of Social Engineering
An attacker will look for targets of opportunity or potential victims who have the most to offer. Some common targets include receptionists, help desk personnel, users, executives, system administrators, and outside vendors. Let’s look at each and see why this is.
Receptionists—one of the first people visitors see in many companies—represent prime targets. They see a lot of people go in and out of an office, and they hear a lot of things. Establishing a rapport with these individuals can easily yield information that’s useful on its own or for future attacks.
Help desk personnel offer another tempting and valuable target due to the information they may have about infrastructure, among other things. Filing fake support requests or asking these personnel leading questions can yield valuable information.
System administrators can also be valuable targets of opportunity, again due to the information they possess. The typical administrator can be counted on to have very high-level knowledge of infrastructure and applications as well as future development plans. Additionally, some system admins possess far-reaching knowledge about the entire company’s network and infrastructure. Given the right enticements and some effort, these targets can yield tremendous amounts of information.