
Social engineering (security)

Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional 'con' in that it is often one of many steps in a more complex fraud scheme. It has also been defined as 'any act that influences a person to take an action that may or may not be in their best interests.' Social engineering has also been used extensively by Islamic State and other terrorist groups for recruiting and radicalising younger people into joining their cause.

Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively, or work against effectiveness, towards information security within an organization. 'Exploring the Relationship between Organizational Culture and Information Security Culture' provides the following definition of information security culture: 'ISC is the totality of patterns of behavior in an organization that contribute to the protection of information of all kinds.'

Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security 'effort' and often take actions that ignore the organization's information security best interests. Research shows that information security culture needs to be improved continuously. In 'Information Security Culture from Analysis to Change', the authors commented, 'It's a never ending process, a cycle of evaluation and change or maintenance.' To manage the information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called 'bugs in the human hardware', are exploited in various combinations to create attack techniques, some of which are listed below. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals and technicians to go unnoticed as they steal company secrets.

One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board saying that the number for the help desk has changed. When employees call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example is a hacker who contacts the target on a social networking site and starts a conversation with them. Gradually the hacker gains the target's trust and then uses that trust to obtain sensitive information such as passwords or bank account details.

Social engineering relies heavily on the six principles of influence established by Robert Cialdini: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
