
COMP6008:

Research Method in Computing
Research Review: Social Engineering - Exploiting the Human Weakness
Raman Pal
(rp5g09@ecs.soton.ac.uk)
M.Sc. Web Technology
School of Electronics And Computer Science
University Of Southampton
Table of Contents
1. Abstract
2. Introduction
3. Recent research in the field of social engineering
   (i) On The Anatomy of Human Hacking
   (ii) The Threat of Social Engineering, And Your Defense Against It
   (iii) The Art of Deception -- Social Engineering
   (iv) Information Security Technology? Don’t Rely on It. A Case Study in Social Engineering
   (v) A Multi-Level Defense Against Social Engineering
4. Conclusion
5. References
1. Abstract
Hacking can be carried out in several ways: by attacking the technical
infrastructure, or by attacking the non-technical aspects of information security.
The art of stealing information by exploiting the weaknesses of human psychology
is called social engineering. This paper reviews the research that has been done
in this field and the countermeasures that can be taken to deal with it.

2. Introduction
Social engineering can also be referred to as “human hacking”. A social engineer
exploits the psychological weaknesses of their victims [17]. The famous computer
hacker Kevin Mitnick called social engineering “The Art of Deception” in his book
[1]; he was one of the key figures who brought this form of hacking into the
limelight. Much research has recently been carried out in this area of information
security to curb the menace it causes. Human error and weakness are the biggest
loophole: they allow a hacker to gain access to a system no matter how many layers
of security a company has implemented to protect its critical information. The
famous bank fraud committed by Stanley Rifkin [2] is a very good example of a
social engineering attack.
The vulnerabilities in human behaviour that social engineers exploit have been
analysed and listed in [3], [4], [9], [10] and [13], and these research papers
have been reviewed to produce this technical report on social engineering. Each
paper taken up deals with one aspect of social engineering and the menace it
creates.

3. Recent research in the field of social engineering

(i) On The Anatomy of Human Hacking

“It is a way of obtaining unauthorized confidential information from a trusting
individual through non-technical means by building inappropriate trust
relationships with information custodians. It is basically an art and science of
manipulating individuals into providing sensitive information. Social engineers
would normally use the telephone or the Internet as a vehicle for perpetrating their
acts.” [3]

“Human hacking is a non-technical kind of intrusion that relies heavily on human
manipulation. Its impact is continuously giving serious concern in the Information
technology arena which has often been undermined due to the ease with which this
technique is widely used to infiltrate networks through unsuspecting individuals
that are undeniably considered the “weakest link” in the security circle.” [3]

Whether at home or at work, sensitive electronic data can and should be protected
by at least basic authentication mechanisms. However, even with all of these
precautions and controls in place, organizations and individuals are still at risk
of having their information stolen. Granger [5][3] points out that “by merely
trying to prevent infiltration on a technical level and ignoring the
physical-social level, we are leaving ourselves wide open to attack.” As Hollows
[6][3] further explains, “Many security systems and technologies have been deployed
to prevent intruders from accessing high value systems, however, an organization
simply cannot patch against social engineering.” Social engineering facilitates
human hacking.

Social engineers use different means (impersonation, intimidation, phishing,
shoulder surfing) to achieve their ultimate goal, which is to gain unauthorized
access to systems or confidential data in order to perpetrate fraud, network
intrusion, industrial espionage or identity theft, or simply to disrupt the system
or network [7][3]. According to [8][3], there are four broad categories of human
hacking attack: technical, ego, sympathy and intimidation attacks. Psychological
techniques are applied in each case.

Human hackers exploit not just the trusting nature of human beings through social
engineering but also their lack of security awareness, through techniques such as
identity theft and dumpster diving [3].

(ii) The Threat of Social Engineering, And Your Defense Against It

Gulati R. says “The ultimate security wall is the human, and if that is duped, the
gates are wide open for the intruder to take control. It is the art of utilizing the
human behavior to breach security.”[9]

Gulati [9] also says, “There are two main categories under which all social
engineering attempts can be classified: computer or technology based deception,
and human based deception.”
A computer/technology based attack deceives the user into believing that he is
interacting with the “real” computer system and gets him to provide confidential
information.
The human approach works through deception, by taking advantage of the victim’s
ignorance and of the natural human inclination to be helpful and liked.

Common techniques used for social engineering [9]:
a) Direct Approach
b) Dumpster Diving
c) Spying and Eavesdropping
d) Technical Expert
e) Support Staff
f) The Voice of Authority
g) The Trojan Horse
h) The Pop-Up Window

Particular characteristics of human nature fall prey to particular social
engineering techniques: carelessness and ignorance open the door to eavesdropping,
spying and dumpster diving, while being helpful and trusting others easily can be
exploited by the direct approach, the technical expert and the voice of authority.

(iii) The Art of Deception -- Social Engineering

People are the weakest link in the security architecture. The biggest vulnerability
in maintaining a secure system is the human tendency to trust others.

“You receive a phone call in the middle of the day. A friendly voice says “Hi, I’m
your AT&T representative, I’m stuck on a pole. I need you to punch a bunch of
buttons for me.” Being the thoughtful person that you are, you go ahead and punch
the bunch of buttons for the person on the other end of the phone; after all you
would hate to be stuck up on a pole and in the need of assistance. The person on
the phone thanks you and tells you to have a nice day and you go about your
business. Little do you know you just compromised the PBX to make a long
distance call for the person “on the pole”. The attack that was just described is
what is known as social engineering.” [10]

Pollett [10] raises two questions:
Q1. What kind of person will attack a company with the hopes of attaining access
to information or systems that they are not granted?
Q2. What type of person will be the target of such an attack?

When statistics of attacks in the cyber threat arena of information security are
compiled, an alarming number of attacks are attributed to the “insider” or to a
person who was recently laid off. The disgruntled employee is a dangerous employee
for the company and can often be hard to detect. [10]
There is no single determining factor in whether a given person will attempt an
attack on your institution, nor is there a fixed set of factors that make up the
profile of the attacker. It may be someone who is simply testing your system for
fun, who has monetary gain staked on breaking into your systems, or who is
vengeful about a practice in which your institution is engaged. [10]
Unfortunately, figuring out who will be the target of a social engineering attack
is no easier. The basic idea is that anyone in an organization may be a target,
from the front office receptionist all the way to the CEO of the company. Some
areas are targeted more frequently than others because of their function and the
information they have access to; one such area is the corporate help desk. [10]

(iv) Information Security Technology? Don’t Rely on It. A Case Study in Social
Engineering

“Many companies spend hundreds of thousands of dollars to ensure corporate
computer security. The security protects company secrets, assists in compliance
with federal laws, and enforces privacy of company clients. Unfortunately, even
the best security mechanisms can be bypassed through Social Engineering. Social
Engineering uses very low cost and low technology means to overcome
impediments posed by information security measures.” [4]

In more elaborate circumstances, a hacker may go through the garbage or pose as a
security guard to obtain critical information. A recent edition of 2600: The
Hacker’s Quarterly detailed methods for obtaining a job as a janitor within a
company [12][4]. While these methods appear ridiculous, and possibly even comical,
they are extremely effective. Social engineering provides hackers with efficient
short cuts and in many cases facilitates attacks that would not be possible through
other means. For example, the Masters of Deception, who significantly penetrated
the United States’ telecommunications system, were only able to do so after
obtaining information found in the garbage of the New York Telephone Company
[11][4].

In these circumstances, great care in handling critical information is mandatory.
Winkler [4] proposes a set of guidelines that can be very handy when managing the
security infrastructure of a company:
a) Do not rely upon common internal identifiers.
b) Implement a call-back procedure when disclosing protected information.
c) Implement a security awareness program.
d) Identify direct computer support analysts.
e) Create a security alert system.
f) Social engineering testing of security policies.
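As an added worked example (not from this report nor from Winkler’s case study), the following Python model shows how guidelines (a), (b) and (e) combine into a single disclosure check that a help desk could follow: the call-back number always comes from the internal directory rather than from the caller, internal identifiers volunteered by the caller are deliberately never consulted as proof of identity, and every anomaly is recorded as an alert for the security alert system. The directory, the entitlement table, all phone numbers, the information classes and the confirm_callback hook are constructed assumptions for this illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# Constructed internal directory (assumed): the ONLY trusted source of
# call-back numbers. Nothing the caller says can add to or change it.
DIRECTORY = {
    "alice": {"phone": "+44-20-7946-0001", "role": "finance"},
    "bob": {"phone": "+44-20-7946-0002", "role": "helpdesk"},
}

# Constructed entitlement table (assumed): which roles may receive which
# class of information.
ENTITLEMENTS = {
    "finance": {"public", "internal", "payroll"},
    "helpdesk": {"public", "internal"},
}


@dataclass
class DisclosureRequest:
    claimed_user: str                              # name the caller gives
    info_class: str                                # "public", "internal" or "payroll"
    caller_supplied_number: Optional[str] = None   # number the caller asks us to dial
    offered_identifiers: Set[str] = field(default_factory=set)  # e.g. employee id


@dataclass
class Decision:
    disclose: bool
    callback_number: Optional[str]   # number actually dialled (always from DIRECTORY)
    alerts: List[str] = field(default_factory=list)


def evaluate(req: DisclosureRequest,
             confirm_callback: Callable[[str], bool]) -> Decision:
    """Apply guidelines (a), (b) and (e) to one request for information.

    confirm_callback(number) is a hypothetical hook standing in for the human
    step of dialling `number` and reaching the named person; it returns True
    only when that person confirms they made the request.
    """
    alerts: List[str] = []

    # Public information needs no verification.
    if req.info_class == "public":
        return Decision(True, None, alerts)

    entry = DIRECTORY.get(req.claimed_user)
    if entry is None:
        alerts.append(f"unknown identity '{req.claimed_user}' asked for {req.info_class}")
        return Decision(False, None, alerts)

    # (a) req.offered_identifiers is intentionally never read: knowing an
    # employee id or cost centre is not proof of identity, so it cannot
    # shortcut the call-back below.

    # (b) The call-back goes to the directory number only. A caller who pushes
    # a different number is a classic pretext, so (e) raise an alert about it.
    callback = entry["phone"]
    if req.caller_supplied_number and req.caller_supplied_number != callback:
        alerts.append(f"caller-supplied number {req.caller_supplied_number} "
                      f"differs from directory number {callback}")

    if req.info_class not in ENTITLEMENTS.get(entry["role"], set()):
        alerts.append(f"{req.claimed_user} ({entry['role']}) is not entitled "
                      f"to {req.info_class} information")
        return Decision(False, callback, alerts)

    if not confirm_callback(callback):
        alerts.append(f"call-back to {callback} did not confirm a request "
                      f"from {req.claimed_user}")
        return Decision(False, callback, alerts)

    return Decision(True, callback, alerts)


def demo() -> List[Decision]:
    """Two constructed requests: a genuine one and an impersonation attempt."""
    genuine = DisclosureRequest("alice", "payroll")
    # The real Alice answers on her directory number.
    d1 = evaluate(genuine, lambda n: n == DIRECTORY["alice"]["phone"])

    pretext = DisclosureRequest("alice", "payroll",
                                caller_supplied_number="+44-7700-900123",
                                offered_identifiers={"EMP-4471"})
    # Only the impostor's own number would "confirm"; the directory number does not.
    d2 = evaluate(pretext, lambda n: n == "+44-7700-900123")
    return [d1, d2]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The impersonation request is refused even though the caller knows a valid employee identifier and offers a convenient number to call back on, because the decision depends only on reaching the directory entry for the claimed person; the two alerts it produces (a mismatched call-back number and a failed confirmation) are exactly the signals a security alert system should collect.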

(v) A Multi-Level Defense Against Social Engineering

Gragg [13] says that confidentiality, integrity and availability can all be
compromised, directly or indirectly, by the risk of social engineering.

Recent research in social psychology demonstrates that security awareness training
alone will not equip employees to resist the persuasion of a social engineer.
Social engineering is diverse and complex enough that a multi-layer defense is
necessary as a complement to the security administrators’ defense-in-depth model.

Gragg [13] suggests the following multi-level defense architecture to combat
social engineering attacks:

Foundation Level: Security policy addressing social engineering
Parameter Level: Security awareness training for all users
Fortress Level: Resistance training for key personnel
Persistence Level: Ongoing reminders
Gotcha Level: Social engineering land mines
Offensive Level: Incident response

Social engineering has created a menace in the information technology sector.
Once businesses start taking social engineering seriously and applying the social
sciences to protect against this threat with a multi-layered defense, social
engineering will become a much more difficult, if not impossible, avenue for a
hacker to employ. [13]
4. Conclusion
Social engineering is an attack on the human weakness of being helpful and kind to
others. It is a menace that can only be minimized: both the effect of an attack and
the likelihood of being attacked can be reduced, and only by abiding by the
information security policy. Employees should be trained to think, and to think
outside the box, before giving away any information. Random social engineering
attack drills should be carried out, and a multi-level defense architecture should
be followed wherever confidential information is handled.

5. References

[1] Mitnick K.D., Simon W.L. “Controlling the Human Element of Security - The Art of Deception”.
[2] http://www.time.com/time/magazine/article/0,9171,948323-1,00.html
[3] Okenyi P.O., Owens T.J. “On The Anatomy of Human Hacking”.
[4] Winkler I.S., Dealy B. “Information Security Technology? Don’t Rely on It. A Case Study in Social Engineering”.
[5] Granger, Sarah (2006). “Social Engineering Reloaded”. Available online at http://www.securityfocus.com/print/infocus/1860
[6] Hollows, Phil (2005). “Hackers are Real Time - Are You?” Sarbanes-Oxley Compliance Journal.
[7] Granger, Sarah (2001). “Social Engineering Fundamentals, Part 1: Hacker Tactics”. http://www.securityfocus.com/print/infocus/1527
[8] Turner, T. “Social Engineering – Can Organizations Win the Battle?” http://www.infosecwriters.com/text_resources/pdf/Social_Engineering_Can_Organizations_Win.pdf
[9] Gulati R. “The Threat of Social Engineering and Your Defense Against It”. SANS Institute, 2003.
[10] Pollett, Brandon. “The Art of Deception -- Social Engineering”.
[11] Slatalla, M. and Quittner, J. (1995). Masters of Deception: The Gang that Ruled Cyberspace. New York: HarperCollins.
[12] Voyager (1994). “Janitor Privileges”. 2600: The Hacker’s Quarterly, 11(4).
[13] Gragg D. “A Multi-Level Defense Against Social Engineering”. SANS Institute, 2003.
