Visualize The Victim
The social engineer's goal is to trick someone into giving them what they want by preying on basic human nature. In an organization, the social engineer will take advantage of the very characteristics that make us good employees, characteristics such as being helpful. We train our employees to ensure customer satisfaction. As a result, employees want to be helpful, which can lead to giving away too much information.
Another is providing timely responses in order to avoid getting into trouble. Someone may have reprimanded the employee at some point for waiting too long for verification and offending someone; therefore, an employee might provide information without ensuring source authentication. Another is a trusting nature. Most social engineers are extremely confident in their behavior, and if someone tells an individual that they are a certain person, and appears genuine, there is a tendency to believe that person's word.
In addition, social engineering works with some not-so-great qualities, such as taking shortcuts and cutting corners instead of validating someone's identity. An employee may just accept someone's word and give him or her what they want, and then go back to doing what they were doing before someone interrupted them. In order to conduct an effective social engineering attack, the hacker must identify a potential victim.
The exercise goes through a process: reconnaissance, establishing trust, exploiting that trust, and then departure. For example, if a hacker needs to gain access into a building, they first try to find a target like this custodian. The hacker checks out the custodian and determines that they would be a good target. To really sell the scene, the hacker might go to a nearby door and attempt to open it.
He can even pretend to try and find his access card.
- Excuse me. Hi, my name's Dave. I'm from the Manitou office. My badge doesn't seem to be working. Could you let me in?
- Okay. (beep)
- [Voiceover] A talented social engineer will get what they want without raising any suspicion.
- Thanks so much, I appreciate it.
- Sure.
- [Voiceover] Identification without authorization is dangerous. A social engineering exploit may very well lead to a major security breach.