Arcot Advisor
THE AUTHENTICATION AUTHORITY™ JULY 2007
   

Hidden Hacker Threat: Social Engineering

Our personal need to be helpful is sometimes a hacker's best asset, according to Kevin Mitnick, an ex-hacker who earned infamy when he was named "cyberspace's most wanted hacker" in a 1994 New York Times article. Hackers specialize in interpersonal conning, an art known as social engineering.

What is social engineering

Social engineering is the age-old confidence game with a technology twist. Although relatively unknown to the general public, social engineering is a widely used term among computer security experts and describes the means hackers use to deceive a trusted computer user within a company. It's a tactic hackers, con artists and criminals use to deceive a "mark" (users or administrators) at a target site.

While there are no reported statistics on the number of successful social engineering attacks, their presence is widespread. Many have been and continue to be extremely effective against unsuspecting targets.

Social engineering red flags

Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user in an attempt to gain illicit access to a computer network. Often criminals gain privileged information about a computer system by masquerading as a legitimate user and convincing unauthorized persons to provide seemingly unimportant information.

Scammers will also trick employees into performing actions that create a security hole that the hacker can use to access more sensitive information or exploit a network.

Preventing social engineering

Since social engineers can communicate in a variety of ways and obtain information through various means, there is no simple way to prevent social engineering.

The best defense is to combine the use of technology with a comprehensive employee education program. Use technology when possible to eliminate employee decision-making, giving social engineers fewer avenues for conning. Using technology helps by removing the human element from security. For instance, by using the ArcotID in place of basic username/password you can verify a person's identity even if the social engineer has been able to convince a user to divulge their password. Finally, educate employees on the dangers of social engineering by using case studies illuminating the tactics used by these con artists.

While there is no simple solution for preventing social engineering, the best defense against this deceptive hacking tool is to eliminate ease of interaction with internal staff. For further information about the dangers of social engineering and keeping your organization protected, contact Arcot at 408-969-6100 or visit www.arcot.com.

