Social Engineering 101 - What is it Really?

The usual narrative on social engineering leads people to believe that it only takes place in cyberspace; terms such as grooming, phishing and identity theft are now used almost exclusively in that context. This was not always the case. While it cannot be disputed that these activities do take place online, the process has its origins in the physical realm, and it is in that environment that it continues to evolve and grow.

In simple terms, social engineering is the act of manipulating a person into taking an action that may or may not be in their best interest. That action may be handing over information, granting access, or carrying out a specific task. As a construct, social engineering is as old as human interaction itself: it involves a degree of manipulation, exploitation and extraction, and for those in the business of trading information it is an effective means to an end.

Regardless of the context or the desired end state, the process is the same. Whether it is conducted by an individual for personal gain or as part of a wider power play, the objective is to identify information that can be exploited.

So Who Does it?

Well, everyone...

Doctors, psychologists and therapists often use elements of social engineering to "manipulate" their patients into taking actions that are good for them, whereas con men, criminals, spies and the like use the same elements to convince their targets to take actions that lead to loss. Although the end game is very different, the approach is often the same. The type and structure of the questions a good social engineer asks determine the quality of the information returned and therefore its value. Key phrases used to elicit a positive response are:

  • How
  • Why
  • Where
  • Can you help me?
  • Please

For the social engineer, preparation is the key, and it is in this phase that the devil is in the detail. Once the engineer has identified a target for exploitation, the next phase is research, research, research; for the engineer no piece of information is irrelevant, and it is often the most minute detail that turns out to be the critical one. Typical questions the social engineer asks themselves before engaging with the target are:

  • How can I gather information?
  • What methods, processes and tools will I use to gather it?
  • Is the information reliable?
  • Can it be verified? How do I confirm it?
  • What is the source of the information?
  • What other sources exist to gather information?
  • What can I glean from this information to profile my target?
  • How do I locate, store and catalogue all of this information so that it is easy to use?
  • If I can’t get direct information, can I go elsewhere – family/friends/colleagues?
  • And of course... social media.

Brian Mc Laughlin

Partner Manager @ SAP | Partner Management | Veterans@SAP Global Co-Lead

7 years ago

Great read Pat! Thanks for sharing!


More articles by Pat F.