Social Engineering

"an outside hacker's use of psychological tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system" (SANS Institute)

Some strangers entered a large company and left with access to private information on the corporate network. How did they do it? They collected pieces of data, one by one, from different employees across the company. Before arriving, they researched the company and discovered key employee names over the telephone. Then they waited for someone kind enough to hold open the locked employee entrance, and a friendly employee let them onto the secured floor of the executive offices.

The president was on vacation, so they infiltrated his office and found sensitive information contained in his unlocked desk and computer. There was a veritable smorgasbord of documents and notes in the trash bin and mailroom. No one asked any questions when they took pictures or passed through the exit with a large amount of materials. Later, they imitated the CEO's voice, in a hurry, frantically requiring his network password. With that trophy, technical means were used to gain super-user access into the system.

However, these intruders did not cause any damage, destroy any information or sell any secrets. They were security consultants hired by the CEO to see how far they could get in an organization that had spent millions of dollars over the past few years on computer hardware, software and personnel to secure its private information. A few effective social engineering techniques bypassed all of the expensive equipment guarding the castle, and a plan was then designed to mitigate these real vulnerabilities.