Social Engineering: A Career Option for Security Pros
Social Engineering is the act of gaining unauthorized access to systems or information in order to commit fraud, network intrusion, identity theft and more. The act usually leads to bypassing security measures and ultimately compromising the targeted computers and networks.
The act is conducted in several ways -- by physically being at the target workplace, over the phone, by dumpster-diving for valuable information and even online. Social engineers rely heavily on people's inability to value confidential information and protect it. Frequently, a social engineer simply walks into the target workplace, pretends to be a maintenance worker or consultant who has access to the organization, and then scans the office until he or she finds a few passwords lying around, or any other confidential information, and emerges from the office building with ample information to exploit the network.
Over the phone, a social engineer attempting to break into a computer network might try to gain the confidence of someone who is authorized to access the network in order to get them to reveal information that compromises the network's security. Social engineers also often search dumpsters for valuable information such as company employee handbooks, memos, company policy manuals, printouts of sensitive data and more. Online, access to information is sought through fraudulent emails and similar messages requesting sensitive information.
Social engineering is one of the oldest and boldest security threats, and as our society becomes more dependent on information and the internet, social engineering will remain the greatest threat to any security system. Prevention includes educating and training employees about information security awareness. Placing appropriate emphasis on IT security at the senior management and board of directors level is the first step toward minimizing system breaches. By establishing effective policies and procedures, boards of directors can promote an atmosphere that addresses critical security areas and establishes appropriate guidelines and standards for all employees.
"However, social engineering is not just pursued by the bad guys or the criminal hackers as we call them," says Jesse Valentine, a senior security professional at Securasys, an independent IT Security consulting company. There are professionals who pursue this as part of their career and conduct social engineering with a positive intent and impeccable morals and ethical values. The difference between a criminal hacker and the professional is that the latter will seek to assist an organization or person in reducing their exposure to risk and, when identifying said risk, show proper due diligence by alerting his client(s) to such facts.
"A criminal seeks to compromise sensitive information in order to accomplish a selfish gain, be it monetary gain or social advancement," Valentine says. "The criminal also ignores his ability to discern the impact his actions have on other people, organizations or their reputations."
A security professional will be able to discern long-term impacts to a client's business stemming from a particular practice or business model. The professional will be able to interpret and translate certain areas that may prove to be attractive to the criminally minded. The professional will also seek to protect the interests of clients, as well as the people to whom they provide services.
Social engineering undoubtedly is an integral aspect of information security and is a growing, respectable career field for professionals who value information security awareness. These professionals wish to play an active role in protecting the security controls that govern the processes, operations, and transactions of any organization, and to add a distinct value within the institutional culture that informs and influences employee behavior. Social engineers are hired on both a contract and a permanent basis by independent IT/security consulting companies and government agencies to target client organizations in order to identify vulnerabilities that could cause important information to be compromised from their respective networks and systems, and thereby provide them with guidelines and recommendations to prevent this security threat.