The key to social engineering is establishing a trust relationship, typically between individuals who have never previously met. Social engineering attempts to obtain otherwise secure data by persuading an individual to reveal non-public information. This can be done by masquerading as a privileged or authorized employee, or by using other means to gain a person's trust. A common thread in social engineering is that an individual is tricked, cajoled, awed, persuaded, or otherwise convinced that providing the requested information is an appropriate course of action. Social engineering is often based on trickery and misleading activities that encourage employees to release information that may be valuable in obtaining other non-public information from the organization, often using a computer system. For example, an employee in an enterprise may be tricked into revealing their own or someone else's password for access to a sensitive application.
- Utilize human interaction skills, both in person and via telephone, to elicit information.
- Attempt to gather sensitive information, including user IDs, passwords, IP addresses and application details.
- The scope of a social engineering engagement must be carefully determined and should typically limit the total number and type of employees to be targeted.
- Multiple locations can be targeted for the telephone phase of social engineering, scoped as appropriate to a set number of personnel.
- Physical access attempts and general social engineering activities will be performed, where the objective will be to gain access to up physical building locations and the data center.