Social Engineering: "Hacking" that Doesn't Require a Computer

By Matt, published Nov 27, 2007
Breaking into a secure system does not always require computers, network protocols, brute force attacks, or viruses and Trojans. Sometimes an attacker or "hacker" can gain unauthorized access to a system without any of these tools, using instead a method of hacking called social engineering. Wikipedia.org defines social engineering as "...the practice of obtaining confidential information by manipulation of legitimate users." These users usually know about the security measures that guard against attackers, and can be tricked into giving away information that would enable an attacker to gain access.

Social engineers use a practice called the "con game" to gain the confidence of someone who has authorized access to a network. The attacker uses this confidence to eventually lead the target user to reveal sensitive information. A social engineer usually targets a weakness of the user, which is sometimes their charisma or natural helpfulness. It is the most helpful users who go out of their way to provide the social engineer with information they would not normally be allowed to give out. "Appeal to vanity, appeal to authority, and old-fashioned eavesdropping are typical social engineering techniques" (State of Wisconsin DET). A target may also be unaware of the security implications, or may reveal information out of carelessness about security.

There are several different methods a social engineer could use to gain information from a legitimate user. Social engineering can take place on two levels: physical and psychological. Examples of physical settings include phones, the workplace, trash, and the internet. A social engineer could simply scout a workplace for documents containing sensitive information or watch a user type in their password. Someone could also dress up as an employee or worker to gain access to areas they would otherwise not be able to enter.

Takeaways
  • Social engineering is a type of "hacking" that doesn't always involve computers
  • Kevin Mitnick was famous for his exploits using social engineering
  • Even the smallest bits of information can be used as part of a much larger attack