Manipulation in its most basic and oldest form uses speech, the spoken word, to convince the other side of certain facts in a way that circumvents the truth, using every available means of persuasion in what is said. It is fair to say that manipulation is one of the oldest ways of reaching a goal through interaction between two or more people. The first roots of this skill are found in rhetoric, in ancient Greece, where judicial practice played the decisive role in its emergence.
The goal of persuasion was to convince judges and jurors of the guilt or innocence of the accused. The credibility of the speaker's claims and statements, and with it the subsequent fate of the accused, depended on the speaker's skill. Today, this type of manipulation is used both within state bodies and against them, against legal entities and, of course, in all segments of private life. In the scientific and professional community, this kind of manipulation and persuasion goes by a term less well known to the general public: social engineering.
Social engineering essentially uses the connections and relationships among people to achieve its goal through various methods of persuasion. At its core, social engineering is the use of various communication skills in order to obtain the desired information. One definition of social engineering is that it is “a form of manipulation of individuals with the aim of inducing them to do something that they would otherwise not do, namely to fulfil the demands that an attacker has set” (Mandić, 2015). The attacker most often exploits people as the weakest part of any system, but technical means can also be used. The ultimate goal of such an attack is to obtain information that can later be used for various purposes detrimental to the owner of that information.
Methods of execution of social engineering
The ways in which social engineering is carried out can be divided according to whether or not there is communication and contact between the attacker and the target. On this basis, they can be classified as (Mandić, 2015):
• Execution with contact (direct contact, over the phone, through social networks)
• Execution without contact (using malicious software, using fake websites, planting a storage medium)
• Combined execution mode.
Techniques used by social engineering
In addition to the various ways of executing social engineering, there are a number of techniques that can be applied in the different modes of execution. Techniques are rarely used alone and are generally combined with other techniques. They can be divided into three groups (Mandić, 2015):
• Phishing technique
• Technique exploiting the carelessness, negligence and ignorance of the targets of the attack
• The reverse social engineering technique
In the phishing technique, the attacker assumes another person's identity and may present himself as someone employed by the legal entity or other organization that is the target, or as a person from another legal entity or organization. This technique is most often used over the phone, because the attacker's identity cannot be checked. Essential to the success of the attack is the use of internal terminology, so that the target does not suspect that an attack is under way.
The carelessness, negligence and ignorance of the targets of the attack greatly favour the attacker, if the attacker knows how to exploit such situations. Some of these techniques are: eavesdropping in public places, shoulder surfing, looking around the office, looking at computer screens, searching through waste, phishing, and so on.
Reverse social engineering is considered the most complicated attack, since it requires a lot of preparation and skill to carry out successfully. The basic characteristic of this technique is that the attacker must create a situation in which the target of the attack believes that the attacker is a positive and legitimate person who can be entrusted with certain information or allowed to perform certain actions. In such situations, the target itself contacts the attacker, without doubting the attacker's identity or expertise in a particular field.
Profile of persons using social engineering
Precisely determining the group of people who perform social engineering is very difficult, almost impossible, because it depends on a large number of factors. It can only be said that they are most often men, although throughout the history of social engineering women have also been very successful in this activity. The age structure is also very difficult to determine and ranges from the teenage years to adulthood. These persons are most active between their twenties and thirties. They are very intelligent, with highly developed communication and manipulation abilities, good at psychology and with sufficient technical knowledge. Such persons can operate independently as well as in a team (Mandić, 2015).
Recognition of social engineering
It is very important to recognize social engineering in time and to respond to it adequately. The following warning signs refer to execution by direct contact and by telephone. Some of the characteristics by which social engineering can be identified are: unusual requests that contradict everyday procedures, direct questions about confidential information, excessive interest in information that is public, overly long conversation on topics unrelated to business, unnecessary and excessive praise, emphasis on urgency, hidden or direct threats of consequences, emphasis on a high position, and so on.
Protection from social engineering
As already mentioned, social engineering attacks human weaknesses, with or without the use of technical means. We cannot defend against social engineering through software and hardware, but through educating people and staff and by prescribing an appropriate and effective security policy for the organization. “Well-documented and accessible security rules and standards are critical to a good security strategy for an organization. Once defined, the policy must be easily accessible and regularly updated” (CERT, 2010). Standards and policies need to be continuously reviewed and implemented so that changes can be made when omissions are found. It is also very important that all members of the organization adhere to these protocols and procedures.
Since its inception, social engineering has evolved and progressed, but its main goal has remained the same: obtaining information by attacking people. Social engineering is directed precisely at people, because people are the security factor that is often forgotten. Earlier, such attacks relied only on the rhetorical abilities of the attacker, whereas today they can be carried out via computers, the Internet, social networks and internet access points. Despite the very low level of awareness among people about this threat, social engineering is very widespread today. Social engineering methods are developing rapidly and are used in ever more sophisticated ways, which makes it necessary to introduce security policies for handling information, passwords and computers. However, the basic principle of protection is education about the risks, threats and consequences of such attacks. Every computer user should take certain precautions. Special attention has to be paid to leaving personal information on social networks, because today little or no attention is paid to this.
CERT. (2010). Napredne tehnike socijalnog inženjeringa. Hrvatska akademska istraživačka mreža.
Mandić, G. J. (2015). Sistemi obezbeđenja i zaštite pravnih lica. Beograd: Fakultet bezbednosti.
Author: Marko Kon