Social engineering
The fifth tip in our series "How to assess and mitigate information security threats."
Social engineering is the practice of deceiving legitimate users of a system into disclosing information that will aid the attacker in compromising system security. A simple example is calling a user and pretending to be someone from the service desk working on a network issue; the attacker then proceeds to ask questions about what the user is working on, what file shares she uses, and what her password is.
A successful social engineering act requires the trust of the victim, so user awareness training about the problem is an effective countermeasure. Strict policies about service desk staff never asking for personally identifying information or passwords over the phone or in person can also help potential victims recognize a social engineering attempt.
This chapter excerpt from the free eBook The Shortcut Guide to Protecting Business Internet Usage, by Dan Sullivan, is printed with permission from Realtimepublishers, Copyright 2006.