Social Engineering

[Moshe Caplan]

The following is a question I was asked that via email that I would like to open for discussion:

I am more familiar with the 'warranty exploit' part of Social Engineering and I would like to ask you about your views on Social Engineering. Such as the legal/illegal aspects of it and how Social Engineering can turn into a career (a legal one at least) in the field of Cyber Security.

[Moshe Caplan]

Social Engineering is a topic that I find fascinating, but haven't done much research in. What I do know is that it exploits the weakest link in the security chain; humans. It therefore doesn't really require much in a sense of technical skills, but rather knowledge in things like human psychology. It is also oftentimes much easier than a highly technical exploit, as humans are generally trusting by nature.

In regard to the legality of Social Engineering, using such methods to obtain information you wouldn't otherwise have access to is going to be illegal. However, as with most areas of security one of the best ways to ensure that you are protected is to attempt to attack your systems. Therefore, skilled Social Engineers can make money by attempting (with permission) to exploit the human factor and access systems etc. Obviously, a large component of their work would involve preventing such attacks as well, generally by training employees and helping to set guidelines about what information should and shouldn't be given out and who should and shouldn't be trusted. I don't know how many people could make an entire career revolving solely around Social Engineering, but it could definitely be a big component of a job.

I would recommend you look up Kevin Mitnick, possibly the most well known social engineer, who has explored Social Engineering from both a legal and illegal perspective :) He has also written a couple of books on the topic.

http://en.wikipedia.org/wiki/Kevin_Mitnick