How can I understand if I am being targeted by a grey hat social engineer?

And if I fail, what approaches exist to detect social engineering attacks in progress within an organisation?

oleksii

  • +1 for the question, to which I'd add: is there some good source (website or books) showing examples of social engineering (not only the famous ones, but many examples and from diverse persons and companies)? – Olivier Dulac Aug 23 '13 at 13:17
  • @OlivierDulac, love him or hate him, Kevin Mitnick has written a fantastic book on Social Engineering called the Art of Deception. It outlines successful attacks, why they were successful and what could have been done to mitigate them. – DKNUCKLES Aug 23 '13 at 13:26
  • Human sensors are helpful. – JZeolla Aug 23 '13 at 14:31

1 Answer

The reason that social engineering is as successful and popular as it is, is that there is no "catch all" approach to identifying a social engineering attack.

Approaches to identify social engineering attacks within an organization typically (in my experience) involve getting the attacker to try to identify things that only a legitimate caller would know (security questions). It's debatable how secure this approach is; however, it's still widely employed and used by many companies. Technologies like two-factor authentication can help as well, but again these technologies rely on not having a "weak" human who can override their processes.

Social Engineers will attempt to play off your emotions as a human. Most humans have a distinct nature in wanting to help those who need help, so it's common for social engineer experts to create a scenario whereby you pity them and may circumvent proper security procedures to help them. Another tactic is to get very angry and irate at someone in hopes that they'll provide the attacker what they want because most humans don't like being yelled at, and many don't like any sort of confrontation.

Perhaps the worst part is, if an attacker has done their research and knows the lingo and security questions of their would-be victim, you'd probably have no idea you had been socially engineered. Many companies have staff follow security procedures, but if an attacker knows those procedures and has figured out a way to circumvent them, you'll likely find yourself out of luck.

DKNUCKLES

  • When I worked for the Air Force, the security folks used to pretty regularly call people and try to get them to give up a password or some other secure information. If someone fell for it, they'd then yell at them for giving out secret information to unverified people over the phone, and send a letter to the person's boss and generally embarrass them for their foolishness. It was a good program, I think: the penalty for screwing up was usually just being embarrassed in front of your boss and co-workers, but that was enough to keep people on their toes. And as we got these calls all the ... – Jay Jun 17 '15 at 14:24
  • ... time, people didn't get complacent. You KNEW the security folks would make a phishing call at least twice a year or so, so you were on guard. Sad that people were more on guard against internal checks than against real hostile attacks from outside, but it worked. – Jay Jun 17 '15 at 14:26