Md. Mukul Hossen

What is social engineering?

Social engineering is essentially the art of gaining access to buildings, systems or data by exploiting human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging
Why do people fall for social engineering?

People are fooled every day by these cons because they haven't been adequately warned about social engineers.
Most people won't recognize a social engineer's tricks because they are often very

Social engineers use a number of psychological tactics on unsuspecting victims. They simply act like they belong in a facility, even if they should not be, and their confidence and body posture put others at
It is quite difficult to identify them because of
Social engineer's motives

Some Social Engineering

Familiarity Exploit – People are way more comfortable responding to and carrying out requests by familiar people than they are with complete

Creating a hostile situation – People withdraw from those that appear to be mad, upset or angry at something or someone other than themselves. For example, if you are on the phone and fake having a heated conversation with someone, people around you will absolutely notice you, but they will go out of their way to avoid you as well.

Gathering and Using Information – When it comes right down to it, the key to being a successful social engineer is information

Get a Job There – Once you are on the inside you become way more trusted, even if you are a lowly clerk. Social engineering a co-worker is usually a piece of cake given the assumed trust you'll have as a fellow employee.

Reading body language – An experienced social engineer will read and respond to their mark's
How to protect against social engineering

Password Management: Guidelines such as the number and type of characters that each password must include, how often a password must be changed, and even a simple declaration that employees should not disclose passwords to anyone (even if they believe they are speaking with someone at the corporate help desk) will help secure

Two-Factor Authentication: Authentication for high-risk network services such as modem pools and VPNs should use two-factor authentication rather than fixed

Anti-Virus/Anti-Phishing Defences: Multiple layers of anti-virus defences, such as at mail gateways and end-user desktops, can minimize the threat of phishing and other social-engineering attacks.

Change Management: A documented change-management process is more secure than an ad-hoc process, which is more easily exploited by an attacker who claims to be in a crisis.

Information Classification: A classification policy should clearly describe what information is considered sensitive and how to label and handle it.

Document Handling and Destruction: Sensitive documents and media must be securely disposed of and not simply thrown out with the regular office trash.

Physical Security: The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.
Organizations must address social-engineering threats as part of an overall risk-management strategy. The best way to mitigate the risk posed by rapidly evolving social-engineering methods is through an organizational commitment to a security-aware culture. On-going training will provide employees with the tools they need to recognize and respond to social-engineering threats, and support from the executive staff will create an attitude of ownership and accountability that encourages active participation in the security culture.