The process of obtaining information from others under false pretenses is, in essence, manipulation. Any attempt to gain entry to a site using a bogus pretext is called penetration. Both processes are a form of what is commonly known as ‘social engineering’. They are based upon the building of an inappropriate trust relationship with individuals and can be used against those within an organization.
Social engineering attacks are either dispersed or direct. Dispersed attacks – also known as ‘mosaic’ attacks – are where one or more people pose as a co-worker, new employee, delivery person or workman, for example, and attempt to collect information from different sources over an extended period.
A directed attack is generally aimed at a specific individual within an organization who has access to valuable information. The social engineer will pose as a business contact at a conference, for example, and may spend some time building a close relationship with the targeted individual before using the trust established to access information.
Whichever form the attack takes, attackers prepare well, learning about an organization’s structure and language in advance. They may:
- Take advantage of an employee’s poor use of the internet to introduce malware.
- Use information unwittingly provided by individuals on the internet, particularly on social media.
- Exploit freely available useful information on organizational websites, such as details on security, personnel, and physical access.
A social engineering attack typically moves through three stages:

- Acquiring information (company website, social media, surveillance, exploiting the natural tendency of people to assist others, email).
- Establishing a relationship (making a connection, building a relationship on a false pretext).
- Exploitation (manipulation of others, exploiting personal vulnerabilities or weaknesses in organizational security).