Social Engineering
Social engineering is the attempt to manipulate or trick a person into providing information, or access to a system's information, thereby bypassing network security. A social engineering compromise can yield background information, credit ratings, medical histories, and driving records, most of which are confidential. Colleges and universities are sometimes targeted for social engineering compromises because of the inexperience of the large numbers of students serving as part-time employees.
System security, once thought of as a purely technical issue, now has human vulnerabilities as well. Connecting computers to networks significantly increases risk, and network security depends heavily on the cooperation of each user. Personal and social weaknesses are at the heart of social engineering, which is a significant source of compromise.
Examples of Social Engineering
The terms and examples below describe how individuals use social engineering to carry out confidentiality compromises for their own benefit.
Shoulder surfing is the practice of looking over a user's shoulder while the user is working. Health status and personal records can be read if monitors are not appropriately placed in offices; anyone walking past a workstation can easily see over a colleague's shoulder.
Dumpster diving is the practice of looking through someone's trash for personal information. It is a prime technique for identity theft and for obtaining bank and credit records.
Identity theft is the crime of stealing someone's name and records to use as your own. An individual uses the information to open bank or credit accounts, obtain a new driver's license, or buy a house, and then gets into trouble. Eventually the delinquent account or unpaid moving violation is reported on the victim's credit report, or the victim is arrested. These crimes are very hard to prove, and it is even harder to catch the offender. In another scenario, a thief calls a victim's credit card issuer and, pretending to be the victim, changes the mailing address on the victim's credit card account, then runs up charges on the account. Because the bills are being sent to the new address, the victim may not immediately realize there is a problem. In yet another scenario, cellular phone service is established or a bank account is opened in the victim's name and bad checks are written against that account.[1]
Account numbers can be obtained just as easily by dumpster diving through critical documents that were not properly destroyed, or by recovering data from computers whose disks were never wiped clean.
Human error lies at the root of most unauthorized access incidents. Few business functions occur in our society without the control or assistance of a computer. Any unsecured computer on a network can be breached, and any unauthorized intruder can be dangerous. If the computer manages sensitive information critical to people's lives or businesses, the intrusion threatens them as well.