It is just about summer — the weather is gorgeous and everyone is in a
A pretty — not beautiful — girl comes into the lobby of a local company
and glances around. She walks up to the receptionist and explains she has
a meeting with the Information Technology director and is running late.
She says she is very embarrassed and would the receptionist tell her the
conference room number and she’ll just sneak into the meeting. Feeling
sorry for the young lady, the receptionist tells her the main conference
room is on the third floor and lets her into that part of the building.
Once in the elevator, the woman gets off on the fourth floor — not the
third. She wanders the halls. A gentleman stops her because she doesn't
have a badge. But she smiles sweetly, asks him about his day and pretty
soon they are chatting about this and that. He forgets why he stopped her
and goes back to his office.
She continues down the hall. This time she sees someone going into the
computer lab and he allows her to follow him through the door. She has
one of those smiles that lights up her entire face, and it doesn’t go
unnoticed. She explains that she is a student at the local university and
she’s going to be a summer intern in the IT department… part of her
internship is to see how the computer lab works.
She spends the next hour looking around, chatting with the network
administrators and lighting up a usually boring environment.
The girl leaves the building, waving good-bye to the receptionist on her
way out and thanking her again.
After all, she should thank her and all the others she spoke to during
The woman leaves with Post-it notes that had been stuck onto monitors
with passwords and user identifications (usually ‘admin’). She has a
wealth of knowledge on how the network is set up, what kinds of
protection mechanisms are in place and even how to get around the
protection — thanks to a young techie who was more than pleased to show
her how ‘smart’ he was.
She now owns their network, their industry secrets and their
This is a classic case of social engineering.
According to sbc.webopedia, social engineering is defined as: "In the
realm of computers, the act of obtaining or attempting to obtain
otherwise secure data by conning an individual into revealing secure
information. Social engineering is successful because its victims
innately want to trust other people and are naturally helpful. The
victims of social engineering are tricked into releasing information that
they do not realize will be used to attack a computer network.”
Whatitis.com states: "In computer security, social engineering is a term
that describes a non-technical kind of intrusion that relies heavily on
human interaction and often involves tricking other people to break
normal security procedures. A social engineer runs what used to be called
a ‘con game’.”
Either definition makes it clear that social engineering involves human
interaction. That is the major factor that makes protection against
social engineering difficult. All the firewalls and identification and
authentication mechanisms are ineffective against a seasoned social
So, how do you protect your network from these types of people?
The best protection against social engineering tactics is a well-trained
employee who is aware of this kind of scam. The employee is the target
of social engineering. Employees need to be made aware that even though
they need to be helpful on the job, they need to be cautious and
Security training that reinforces the requirement to protect user
identifications, passwords, and other such information is a valid
protection against social engineering. Employees also need to be aware of
their surroundings to ensure that people without proper identification
are confronted and escorted to security personnel. They also need to be
aware of unauthorized people trying to follow them into secured areas
(tailgating).
This awareness training isn’t just for computer users and network
administrators. It’s for every employee — the receptionist, secretaries,
file clerks, etc. Training should be a yearly event.
Anything that looks suspicious should be reported. Be suspicious of that
person you have never seen before, or someone asking questions that raise
a little red flag in the back of your head. You never know when it’s a
person on a mission to obtain information that can, and will, be used
The next time a friendly individual approaches you with a request for
assistance in getting information that you know should be protected, be
prepared. Check it out before you give out any information. Beware the