What Is Social Engineering?
As a penetration tester, and Adversarial Engineer sometimes it feels like there are many different variations on what social engineering (SE) actually is. This post is a general catch all to help answer some of those common questions, and variations.
The official dictionary definition of SE in terms of cyber/information security is:
the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
As a penetration tester/adversarial engineer, I'm not looking to take my SE anywhere near that far. Let's be honest, yes, I can't SE easily without "deception" and that's something that any person looking to get into SE might need to make peace with. But I'm not looking to be fraudulent, I'm looking to test the "human" aspect of a company's cyber security defences. That's a really important distinction, as a penetration tester, my job is to test cyber security. It's not my job to be fraudulent, but there are certainly areas of my job that sail close to the wind.
So lets talk about the different types of SE:
Physical Access: my favourite type of SE, gaining physical access into "something", could be an office, a facility, a site etc. Typically, I would pretend to be an employee and attempt to gain access. A lot of the blog is going to focus on this aspect of SE because it's where I have the most experience. Physical access could also include lock bypassing, lock picking, and electronic ID badge cloning.
Vishing: this normally involves someone making a phone call to a target. Usually to gain some kind of information that is useful. It could be something simple like, what browser are you using, to something much more complex like, please visit this website to download this software update (which likely isn't a real software update, but part of a command and control framework).
Phishing: sending emails to a target (a spear phish), or a whole company, pretending to be something they aren't, normally with the intention of getting the target to click a link, open an office document or something else. Often the emails will be designed to look legitimate but again, are most likely trying to install some kind of command and control framework.
There are many different types of SE, however, as a penetration tester, the above list are the most commonly used in my day to day job. I'm not intending to cover the other areas in too much detail because they are often used in genuine malicious attacks.
The blog covers many different aspects of the how's and why's of SE works including the psychological details but hopefully in a plain English language explanation.