# Social Engineering
## Definition:
**Social engineering (SE)** is any act that influences a person to take an action that may or may not be in their best interests; it takes advantage of the fact that gender, racial, age and status biases (as well as combinations of those biases) exist.
## Why learn about SE
Most people think of social engineering as someone angling for small favours, or as obvious manipulation.
From a security standpoint, however, there is more to it:
**1. Identifying loopholes** - this is the process of identifying vulnerabilities within the chain; say, in an organization, by conducting simulated phishing and even physical intrusion campaigns.
It helps the organization update their risk register and matrix as far as physical and information security is concerned.
**2. Training to defend** - after the loophole has been identified, it needs to be patched. This has to involve training the relevant stakeholders because, as **Kevin Mitnick** put it, *"There is no patch to human stupidity"*.
## Categories of Social Engineering
There are many forms of SE, but we'll just highlight a few of the most common:
1. Smishing - the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
2. Vishing - the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
3. Phishing - the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
4. Impersonation - the act of pretending to be another person, for the purpose of entertainment or fraud, by mimicking their voice and mannerisms.
## Social Engineering Pyramid
We'll now look at a generalized attack matrix for social engineering: the phases an engagement goes through if the assignment is to be successful.

### Phase 1: OSINT (Open Source Intelligence)
This is the information gathering stage and can be further divided into:
* **Non-Technical** - this mainly involves observation, listening and paying attention to the body language of the persons you want to get information from.
* **Technical** - social media as well as search engines play a big part here. A great deal of information is available online, whether on the target's LinkedIn, Twitter or Facebook accounts, etc.
### Phase 2: Pretext Development
Based on the information gathered, the attacker can now see what changes, additions or adjustments need to be made. These can be tools, props or persons who need to be present while carrying out the attack.
### Phase 3: Attack Plan
This phase is very crucial, as it will determine whether the whole process is a success or not. An attacker will need to have the 3 W's right.
* **What** is the plan - they will need to clearly understand what they are going for and, if they are successful, what information they hope to exfiltrate.
* **When** is the best time - the attacker will also need to consider when the target is most vulnerable and most likely to comply with their demands.
* **Who** needs to be available - an extra person may be helpful to cause a distraction, evoke empathy or cause a scene to help the plan along.
### Phase 4: Attack Launch
At this point the attacker has all the pieces in place and can go full steam ahead with the attack. The plan being executed has to be well written, clear and dynamic in case anything unexpected happens.

### Phase 5: Reporting
After a successful attack (*assuming it was successful*), the social engineer has to prepare a report for the person(s) who gave him/her the task. Here they will have to state in detail the vulnerabilities exploited, the information gained and recommendations on how the weaknesses can be rectified.
At this point let's look at ways we can [prevent social engineering attacks](https://hackmd.io/@David08/ByI7plsN5). However, we'll narrow down to phishing, which mainly deals with email security.
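As an added example (not part of the original note), here is a small defender-side triage script for the email phishing case mentioned above. It assumes a placeholder set of trusted sender domains (`TRUSTED_DOMAINS`) and checks a few common indicators over two constructed messages: a display name that claims a trusted brand while the sender domain does not match, a look-alike sender domain, a Reply-To that points somewhere other than the sender, and urgency language in the subject.

```python
"""Constructed phishing-indicator triage for email headers (added example)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption: the brand domains this organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


def domain_of(addr):
    """Return the lower-cased domain part of a header address, or '' if none."""
    _, email = parseaddr(addr or "")
    return email.rsplit("@", 1)[1].lower() if "@" in email else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e-bank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    subject = (msg.get("Subject") or "").lower()
    found = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]  # "example-bank"
        # Display name invokes the brand, but the address is not from the brand's domain.
        if brand in display.lower().replace(" ", "-") and from_dom != trusted:
            found.append(f"display name claims {brand} but sender domain is {from_dom}")
        # Sender domain is within two edits of the trusted one (typosquat / homoglyph).
        if from_dom != trusted and 0 < edit_distance(from_dom, trusted) <= 2:
            found.append(f"sender domain {from_dom} looks like {trusted}")
    # Replies being routed to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if any(w in subject for w in URGENCY_WORDS):
        found.append("subject uses urgency language")
    return found


# Constructed sample messages; neither is real mail.
SUSPICIOUS = """From: Example Bank Support <security@examp1e-bank.com>
Reply-To: collect@mailbox-free.example
Subject: URGENT: your account will be suspended
To: staff@corp.example

Please verify your account immediately.
"""

LEGIT = """From: Example Bank Support <support@example-bank.com>
Subject: Your monthly statement is ready
To: staff@corp.example

Log in to view your statement.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, phishing_indicators(raw))
```

Each indicator on its own is weak (legitimate mailers do sometimes set a different Reply-To), so a mail gateway or SOC rule would normally score them together rather than block on any single one; the point of the script is to make the page's phishing description concrete enough to reason about detection.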
---
> When you understand how decisions are made, you can start to understand how a malicious attacker can use emotional triggers, psychological principles, and application of the art and science of social engineering to get you to “*take an action that is not in your best interests.*”

By [David Kariuki](https://t.co/rCCnOMhI3N?amp=1)