How to think like an online con man

An enterprise is only as secure as the weakest human link. Here's how to use social engineering to test security defenses.

Con job, pretexting, social engineering -- the art and science of manipulating human beings for nefarious ends -- goes back as far as the origin of the species. The techniques have been practiced and perfected by a rogue's gallery of flimflam artists, from legendary carnival operator P. T. Barnum to infamous FBI mole Robert Hanssen.

But in our modern, security-centric world, this ancient craft poses an ever-present danger: Despite technological advances that present an illusion of security, we are as vulnerable as ever to the con.

IT security pros frequently employ social engineering when analyzing a company's overall security strategy. After all, even a completely locked-down computer network won't protect your company's secrets if someone can "tailgate" a group of employees through the front door, plug a remote-access device into an open network port, and walk out again. And the sad fact is, even a social engineering amateur can be successful. People are gullible, and without a real-world test, you'll never know how vulnerable your company really is.

With that in mind, we spoke to security experts in the field who perform these kinds of physical penetration tests on a regular basis to learn the tricks they use to bypass security. Armed with this knowledge, you stand a better chance at preventing a real attacker from stealing the recipe to your company's secret sauce.

Do: Research your target before you make contact

If you're going to do a realistic test, you need to do your homework. Going to school on a target -- whether a person or a company -- is a fundamental first step to any social engineering project. Why go to the trouble to sneak into a building if, once inside, you find that the info you're looking for resides elsewhere?

"What you've got to do is learn [as much as you can] about the target itself, and what information is valuable to the target," says Ira Winkler. And Winkler should know: Author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers, and Criminals You Don't Even Know You Encounter Every Day and Zen and the Art of Information Security, Winkler is among the foremost experts in the art and science of social engineering.

Winkler makes a crucial point, because even white hat social engineers can get into trouble. One penetration tester interviewed for this story, who asked that his name not be used, admitted that a lack of preparation early in his career nearly got him arrested.

The task, commissioned by a U.S.-based firm to get inside its London office, seemed simple enough, but he had no idea that the same building that housed the company that hired him also housed Britain's domestic intelligence agency, MI5.

"They had spotted me when I was still a block away, followed me using CCTV cameras, and picked me up just before I was able to approach a female employee and ask her to let me into the building," he said.

In other words, a successful social engineering hack is no snatch-and-grab job. It requires real diligence. "If you're going to be doing this work, you have to have a detailed plan," Winkler says. "The less training you have, the more detailed the plan you have to follow."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ACTCrownFBIHISIntuitMotionSprintTribeWikipedia

Show Comments