Social engineering, or social sciences in the world of technology.

Technology is not everything.

When we talk about safety and security, we first think of advanced technologies and expensive devices: intrusion detection systems, active prevention systems, data leakage protection, secure authentication, authorization and sharing of resources. In order to feel safe, we spend a lot of money and surround ourselves with barriers, scanners, probes, tokens, fingerprint readers or iris scanners. We install systems that scan and filter traffic for viruses, worms, Trojans, attack signatures or other anomalies. To process the data from so many systems, we launch new ones, used to log events, correlate them, analyze them and warn us about threats. It would seem, therefore, that having done so much, with so many resources, we have the right to feel confident about the security of our systems and the data processed with them. The reality is unfortunately very brutal. While doing so much, we forgot about the essential thing: the level of security, just like the strength of a chain, is not determined by the sum of all its links, but by the strength of the weakest of them. The question "what is this link?" will not lead us to an answer. For we should ask not "what" but "who" it is.

Social engineering.

Even the most perfect technology is not able to protect systems against their users. Man, despite all his perfection, is the weakest and most unreliable link in the chain that makes up the process of ensuring security. This is mainly due to the human psyche, which, unlike the algorithms executed by processors, is characterized by a lack of fixed patterns and by unpredictability. Man, unlike technology, can behave differently in the same circumstances. His decisions are influenced not only by input data, but also by stress, emotions, past experiences and other conditions that do not exist in the case of technological measures. Social engineering is the study of these conditions and of the relationship between their occurrence and the decisions people make. The lessons it teaches are the main tool in the hands of social engineers. And it is the latter who pose a threat that even the most expensive technologies cannot protect us against. They are able to make users who feel safe among various advanced security systems become a danger to themselves.

How does it work?

Social engineers do not need advanced technical knowledge or tools such as viruses or exploits to carry out an attack. In their activities, communication and interpersonal skills matter more than technical skills. They use skillfully acquired and relayed pieces of information which, though seemingly irrelevant, help build trust with the interlocutor and extract further data from him. Using ready-made conversation scenarios prepared for various circumstances, they can, starting from material as thin as the company's general contact details, trick an employee into disclosing valuable information or persuade him to perform specific actions, such as running a command on his computer or visiting an infected website. For this purpose, they may pretend to be telephone pollsters, employees of the Internet provider, contractors or colleagues from another branch of the company. An example scenario of a telephone conversation constituting a social engineering attack may look like this:

1. An intruder calls our company, introducing himself as, for example, an employee of the Internet provider, and asks to be connected with the IT department.
2. From the employee, the intruder learns that IT services are provided by an external company X.
3. The scammer calls another employee, introducing himself as an employee of company X, and asks for an e-mail address in order to test the e-mail system with which problems have supposedly been reported.
4. After a few days, the scammer sends a specially prepared message to that e-mail address (posing as an employee of company X) and asks the recipient to run the attached "security patch".

The above scenario seems trivial. However, the more banal it is, the more we will underestimate the risk associated with it. And can we assume with 100% certainty that there is no person in our company whose vigilance can be easily lulled? Let's go back to our chain of expensive and complex security systems. It is this less attentive employee, the one who can be deceived by a skilled social engineer, who is its weakest link. It is he who is able, although unknowingly, to help an intruder overcome even the best technical security measures. And it is he who, feeling deceptively safe, is a real danger to us.

How to protect yourself?

Since technical countermeasures can be circumvented through social engineering, non-technical measures must also be taken to defend against it. The first step we should start with is to develop and implement a security policy. It should contain, among other things, definitions of procedures and recommendations for the disclosure of information by company employees, and templates of documents for granting and obtaining access to specific data. It is very important that they are applied not only to strangers, but also to anyone whose identity we are not able to confirm. The fact that someone introduces himself to us in a phone call or e-mail as a specific person does not necessarily mean that he is that person. However, the mere implementation of a security policy is not enough. Security should not be considered a state, but a continuous, controlled and constantly improved process. Therefore, a very important element of it is the continuous education of employees, in order to develop habits of caring for the confidentiality of information and of limited trust.

I hope that in this article I have introduced you to some aspects of security not directly related to any technology. In a world where everyday, even the simplest operations are tied to electronic transactions and to databases processing data via networks and computers, each of us should exercise great caution and limited trust. Carrying the habits shaped by corporate policy over into private life can be a good way to increase your own level of security and help us remain vigilant at all times.