In the end, no security control in the world will be fully effective without the support and compliance of all employees. For each of the items discussed in this chapter, employees must be informed and trained. Organizations can have the best technological controls in the world and still suffer debilitating attacks.
Social engineering is the act of obtaining, or attempting to obtain, otherwise secure information or access by conning an individual into revealing it. Social engineering attacks are hard to protect against. The best means of protection is security awareness training. Only by educating everyone in the enterprise on the company's security policies and procedures can you begin to reduce this threat. Employees must be trained to know what information needs to be protected and how to protect it. Only then are employees in a much better position to recognize social engineering when it occurs. Social engineers, or con artists, have been studied for many years. Robert Cialdini developed a list of six basic techniques that social engineers use to attempt to gain the compliance of a victim:
Authority— This form of attack attempts to use authority or power to gain compliance.
Liking— This attack works by making victims believe that they are similar to the attacker, share common beliefs, or like the attacker.
Consistency— This attack is made possible by the victim's desire to remain consistent. We all tend to follow through on commitments and to do what seems acceptable.
Reciprocation— This attack relies on the fact that after you have been given something, social norms dictate that something must be given in return.
Social validation— This attack functions on the premise that the requested action is the right thing to do because it seems to be what anyone else would do.
Scarcity— This attack feeds on the fact that people act quickly when they believe time or quantities are limited.