The Social Engineer

Human Beings: The most easily exploitable aspect of security

The Most Dangerous Aspect of Security – The Human Infrastructure

Social Engineering

“Remember: those who build walls think differently than those who seek to go over, under, around or through them. If you think you can’t be conned, you’re just the person I’d like to meet.” – Paul Wilson

Blog post number 1! I am excited to have you along for the ride and greatly appreciate you checking TheSocialEngineer.net out! This blog is designed to cover the different aspects of social engineering, including the different tools, skills, and strategies used by professional and malicious social engineers. Each post will dive deep into the science and art of different social engineering skills to show you how they can be used, enhanced, and perfected. Along the way, we will post about different IT and security related topics that will help to better secure yourself, your families, and your organizations.

“The only true way to reduce the effect of SE attacks is to know that they exist, to know how they are done, and to understand the thinking process and mentality of the people who would do such things. When you possess this knowledge and you understand how malicious hackers think, a light bulb goes off. That proverbial light will shine upon the once-darkened corners and enable you to clearly see the “bad guys” lurking there. When you see the way these attacks are used ahead of time, you can prepare your company and your personal affairs to ward them off.” – Paul Wilson

Before we get started…

I figure the best way to start this blog – before I go into what social engineering is – is to give you some background knowledge about myself – and how I stumbled upon the amazing and mind-blowing world of social engineering. My goal for this blog is to educate individuals about social engineering, both from an offensive and defensive perspective, but all for the purpose of making each and every one of you more knowledgeable on this wonderful topic and ultimately, more secure.

If you come here with a goal of one day pursuing a career as a social engineer pen tester, this is the place for you. If you come here with a goal of making yourself, your loved ones, or your organization more secure, this is also the place for you. This is an amazing field to be a part of, and one that will only continue to grow. Hackers nowadays are utilizing social engineering tactics more and more. Why go through a firewall, when you can just call up the target and gain the needed information?

I am new to the field, so every day is a learning experience. Every day brings about a new challenge, but the thrill of a social engineering engagement and the reward of helping your clients become more secure is a wonderful experience. The majority of the time when I explain to friends, family members and even strangers what it is that I do, I am met with confused looks. I get to attempt to break into banks – with a get-out-of-jail-free card? Most people didn’t know that a job like this existed, and neither did I growing up.

I am so excited to officially kick off this blog and to have you all here with me along the way. This information is not a guide for hackers – they already know how to break in and are finding new ways every day. Instead, this offers those inside the fence an opportunity to take a look from the other side, the dark side, and expose the thinking and methods of the world’s most malicious hackers, con men, and social engineers.

What is Social Engineering

In a more malicious context, social engineering can be defined as a combination of social, psychological and information gathering techniques that are used to manipulate people for nefarious purposes. In more of a security context, social engineering targets humans rather than technology to exploit weaknesses in an organization’s security. By exploiting this human element, it is possible to gain access to vast amounts of sensitive information often without the victim’s knowledge. This information can then be used for nefarious purposes including but not limited to:

  • Identity / Data theft
  • Unauthorized access to systems, buildings, etc.
  • Financial gain
  • Corporate espionage

Wikipedia defines social engineering as “the act of manipulating people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.”

But social engineering does not have to occur in a malicious way. Oftentimes, the best social engineers will leave their targets feeling better for having met them. Maybe a better, simpler way to define social engineering is: the science of skillfully maneuvering human beings to take action in some aspect of their lives, and that can be for better or worse.

Social engineering is used in our everyday lives, from babies to politicians. Here are some examples of social engineering in its truest form:

  • Doctors, psychologists, and therapists “manipulating” their patients to take actions that are good for them.
  • Teachers or coaches interacting with their students and players.
  • Kids and teens with their parents.
  • Law enforcement using well-crafted questions to move their suspects into vulnerable positions.
  • Con men, hackers, and criminals.

There is a misconception when it comes to security. Some individuals think that if they spend vast amounts of money on the latest and greatest security systems and equipment, they will be safe. The reality is that no matter how sophisticated your security equipment and procedures may be, the most easily exploitable aspect is, and has always been, the human infrastructure. The skilled malicious social engineer is a weapon, nearly impossible to defend against.

When it comes to security, there are two sides of the coin. From the inside, we look for a sense of comfort and assurance. From the outside, thieves, hackers, and vandals are looking for gaps. Most of us believe our homes or businesses are safe until one day we find ourselves locked out, or we find that there has been a breach. Suddenly, our perspective shifts and weaknesses are easily found. The problem is that most of us are blinded to potential problems by our own confidence or our belief that strong locks, thick doors, a high-end security system and a guard dog are more than enough to keep most people at bay. But no matter how secure a system is, there’s always a way to break through. Often, the human elements of the system are the easiest to manipulate and deceive. Creating emotions in the target, using influence, manipulation tactics, or causing feelings of trust are all methods used by the skilled social engineer.

Just remember, the first step in becoming more secure is simply conceding that a system is vulnerable and can be compromised. Conversely, by believing a breach is impossible, you place a blindfold over your own eyes.

 

Article Written By: Chad Gutschenritter

 

For further information on today’s post check out the following:

Social-Engineer, LLC – www.social-engineer.com

Social Engineering: The Art of Human Hacking

Hadnagy, Christopher. Social Engineering: The Art of Human Hacking. Wiley, 2011.
