Social engineering is about hacking the human mind, something that in many ways is significantly easier than finding a new software vulnerability and using it as a gateway into your enterprise. These vulnerabilities, called zero-days, can cost tens of thousands of dollars in the hacker underground – money that can be saved if someone can be conned into installing a computer virus on their own machine. After all, there is no need to go through the effort of picking a lock when you can talk someone into letting you into their home.
But just what makes for a good social engineering attack? The key is the lure, which can vary from an attention-grabbing post on Facebook about a celebrity to e-mails with subject lines about your company’s business. One of the most publicized attacks of the past year was the attack on RSA, which started with an employee opening an e-mail entitled ‘2011 Recruitment Plan.’ When the employee opened the accompanying attachment, that action set off a series of events that led to data being compromised. While hacking a system requires knowledge of programming vulnerabilities, hacking the human mind requires a different kind of knowledge – specifically, what types of e-mails or links the victim is most likely to click on.