There is a saying that "a security chain is only as strong as its weakest link." One of these links has always been the human being, who could be the strongest but is usually the weakest.
Despite all the training, the human being often responds to social instincts of camaraderie and trust, or simply out of distraction, and reveals sensitive information by answering simple, direct questions that lead him to hand over confidential data. This is what happens when people fall victim to social engineering, an increasingly common concept in business conversations. It is a way of obtaining confidential information about a particular person, piece of equipment, campaign or company without the use of force, using only intelligence, technique, perspicacity and persuasion. Many people associate this term with computing, believing that only those who have access to certain programs and documents in digital format are subject to this type of attack. That is a serious mistake. Frank W. Abagnale, a former American fraudster, defined social engineering as "the art and science of inducing people to act according to their desires." His feats were so impressive that they inspired the film "Catch Me If You Can" (2002), directed by Steven Spielberg and starring Leonardo DiCaprio and Tom Hanks.
The fact is that this method of psychological subversion is increasingly used by all kinds of people. Consider what prisoners of the Bangu I penitentiary in Rio de Janeiro have done using cell phones. They call a landline in any city, talk to whoever answers (who may be a maid) and manage to extract important information about the owners of the house. With this information, the criminals begin to extort the family, threatening kidnapping and other crimes if their demands are not met. Many have already been victims of this type of extortion and, unfortunately, many more will be.
Another type of social engineering is practiced via e-mail. The social engineer sends a message claiming that a virus has been detected on the recipient's computer and that, to remove it, an attached application must be installed. In fact, this application spies on the entire contents of the PC and leaves a door open for access to your data. These are just a few examples of the methods used by the social engineer. To avoid problems, companies need to be alerted to the need to train their employees, making them aware of the danger they are exposed to on a daily basis. No large investment in technology and equipment is worth anything if people are not prepared to face social engineers. As Kevin Mitnick wrote in "The Art of Deception", the truth is that there is no technology in the world that can prevent the attack of a social engineer. Mitnick, the best-known hacker in the world, spent most of his time, about 80%, extracting information through social engineering methods and only 20% using the computer. A recent study released by the US institute Gartner predicts that, ten years from now, social engineering will be the main threat to the defensive technology systems of major corporations and Internet users. Everyone is a potential victim.
Why do people tell you their secrets?
Even with all the insecurity currently felt by society, many people are still naive, trust strangers and, worse, do not know how to value the information entrusted to them, usually because they do not think such data is important. The social engineer is an opportunist with a great talent for observing people and sizing them up for his attacks. Nor does he lack an entrepreneurial spirit, taking risks to get what he wants. In addition, he uses people's most common feelings as weapons in his favor, such as fear, vanity, greed, revenge and anger.
Often people say more than they should because they feel wronged or are dissatisfied with the company. Of course there are other reasons, such as:
- Willingness to be useful - Human beings usually try to act courteously, helping others when necessary.
- Search for new friends - People feel good when praised and become more vulnerable and open to giving out information.
- Diffusion of responsibility - This is the situation in which the individual considers that he is not solely responsible for a set of activities.
The ability to persuade people in order to obtain specific answers is almost an art. It is possible because people have behavioral traits that make them vulnerable to manipulation. It is worth noting that the success of social engineering depends on an understanding of human behavior, as well as on the ability to persuade others to make information available or to perform the actions the social engineer wants. Note also that the fear of losing one's job, or the desire to move up in the company, can lead to the handing over of proprietary information. Social engineering thus follows a sequence of steps by which an attack can occur:
- Information collection - The social engineer gathers all kinds of information about users, such as CPF number, date of birth, parents' names, information about their children, daily routine and company manuals. This information helps in establishing a relationship with someone in the target company.
- Relationship development - The social engineer exploits the human tendency to trust people until proven otherwise.
- Exploitation of the relationship - The social engineer seeks information from the victim or company, such as a password, appointment calendar, bank account or credit card data, to be used in the attack.
- Execution of the attack - The social engineer carries out the attack, making use of all the information and resources obtained.
When we read about these actions of the social engineer, they seem unlikely to happen, but in practice this occurs more easily than one imagines. Just look at what occurred in an audit conducted earlier this year at the Internal Revenue Service (IRS), the US tax agency. The people who work at the institution are trained and know the importance of the information they have access to.
Even so, during an audit simulation, of the hundred people involved, including managers, 35 handed over the requested information to the pseudo social engineers, telling them their keys and passwords. If this happened with these trained people, imagine what could happen in your company. Only awareness and constant training can prevent a social engineer from succeeding.