Sample Literature Review On Social Engineering

Social engineering

Social engineering involves practical applications of various sociological principles of tackling particular problems. According to Mitnick et al. (2001), social engineering primarily utilizes human relationships to attain a common goal. Such goals include combating drug abuse and terrorism using undercover police officers. Social engineering also helps to avert malicious intention of individuals that may seek to interfere with the corporate assets of the organization. Most people can get what they want using various social engineering tactics. Granger (2001) opined that in the context of organizations, individuals with malicious aims may cause security of organizational information and data. For example, hackers may use their social engineering skills to persuade employee in an organization to reveal sensitive information.

Tactics

Mandia & Chris (2001) posited that social engineers employ various tactics which include attaining trust and knowledge of internal processes and technology about an organization. They usually take advantage of the existing weaknesses to collect information and carry out attack. Granger (2001) supported this claim by stating that such information is gained through integration of small pieces of information that eventually constitute a plan to carry out an attack. Smith (2002) observed that whereas social engineers use trust to win over their targets, other tactics such as reverse social engineering are used. In reverse social engineering, a situation is created in which the target individual will need the help of the attacker. After seeking help from the attacker, the target individual will feel beholden to the attacker. In this state, the target individual will most likely divulge important information should the attacker needs it.
Devices such as phone numbers provide ground for social engineers to find easy information. They easily come by corporate directories that may not be regarded as containing sensitive information. They use these phone numbers to take advantage of target people. Information can also be gathered from the various websites of most companies (Granger, 2001). Knowledge about the internal processes is another trick that social engineers use to advance their aims. The internal processes in an organization enable social engineers to disguise as the employees of a company. Ex-employees of a company may be used by social engineers to find detailed information about the internal processes of the company. They may also use technologies to develop viruses that can potentially harm the information systems in a company.

Defense

Smith (2002) observed that in light of these tactics, organizations can still prevent against these threats. Defense against social engineering include training of employees on common social engineering techniques. Organizations set up strong security policies. Protection against social engineering includes vulnerability assessments, background checks, termination processes and password policies (Granger 2001; Smith 2002). Other steps include response to various incidences, acceptable use policy, physical security and training on security awareness. Mandia & Chris (2001) posited that organizations should have policies that deliver and create passwords. Policies should encompass methods of delivering passwords, login failure lockout, regular change of passwords and not sharing passwords. The importance of having a strong password should be underscored. Effective physical security measures will reduce authorized entry into a facility. In this regard, social engineers will not be able to enter the organization with the intention of seeking information. In addition to the defense techniques, Granger (2001) added that physical security measures should involve proper identification of people that are not employees of the organization, identification of visitors by allowing them to submit identification requirements such as IDs and driver’s licenses. The measures also involve the use of temporary badges and logging in of license plate numbers of vehicles.
Social engineering is an easier way through which organizations can lose information and infrastructure. Since humans beings are actors in this vice, it cannot be controlled by measures such as anti-virus software. The success of this form of attack depends on the mistake of an employee. However, proper training of employees can reduce the threat of social engineering.

References

Granger, S. (2001) "Social Engineering Fundamentals, Part I: Hacker Tactics"
Retrieved from http://www.securityfocus.com/infocus/1527
Mandia, K. & Chris, P. (2001). Incident Response. McGraw-Hill
Mitnick, K. & Simon, W. L. (2002). The Art of Deception. Wiley Publishing
Smith, R. E. (2002). Authentication: From Passwords to Public Keys. Addison
Wesley