Social engineering … What is it?
Social engineering as defined in Wikipedia (in layman's terms): "… refers to an art of human emotion exploitation into conjuring one to perform some form of action that compromises security".

Security is only as strong as its weakest link. Even the strongest security is useless once it is compromised from the inside. Hackers, fraudsters and individuals with malicious intent apply a multitude of tactics to gain access to and control of the prize item (be it systems, data, private and confidential information, etc.).

One of the most common tactics is social engineering. This can come in the form of email, SMS, calls, etc. The objective is to throw you off guard and convince you to perform an action without being too conspicuous about it. That is, if I were to send an email to your company's accounts department with the subject line "Outstanding balance", it is only natural for your accounts person to open the attachment. Can you blame your accountant for his "ignorance"? Hardly. 😆

The entire process starts with a harmless "intent", which opens up a minor flaw in the security. This is followed by a sequence of attacks with the sole purpose of widening that "gap in security", and finished off with the real "attack". Can my antivirus or firewall prevent it? Yes and no. The job of a firewall and antivirus is to prevent "known" patterns of attack. Yes, they will do their job. However, have you not encountered false positives? Have you not missed an email from a valid source because your mail server filtered it out as junk? Or tried to download a file from a valid provider, only to find that your antivirus detects a virus in it? One would normally "allow" or grant permission for such downloads or applications. Thus, the yes and no. The firewall and antivirus are just tools. Essentially, it is your permission and authority that "cause" the breach in security. So be careful the next time you say "yes" to a popup.

How do I work around this issue? Social engineering plays with emotions, so approach it calmly and logically. Understand what you will be revealing. Does it make sense? It's a lot to process for the simple task of clicking "yes", but would you rather spend the effort "cleaning out the mess" later? Be paranoid about everything. Every successful hack starts with "social engineering". The more conspicuous and convincing the story, the more likely it is a lie.