Chapter 10 Social Engineering and Other Foes
Network users have plenty of real viruses to worry about. Yet some people find it entertaining to issue phony threats to keep people on their toes. These are known as?
A hoax. Some of the more popular hoaxes that have been passed around are the Good Times and Irina viruses. Millions of users received emails about these two "viruses," and the symptoms sounded just awful. Both claimed to do things that are impossible for a virus to accomplish. When you receive a virus warning, you can verify its authenticity on the website of the antivirus vendor you use, or on one of several public sites. One of the more helpful sites for the status of the latest viruses is CERT (www.cert.org), which monitors and tracks viruses and provides regular reports on its site.
Impersonation can go?
A long way in allowing access to a building or network. Another social engineering attack actually happened at a high-security government installation. Access to the facility required passing through a series of manned checkpoints, staffed by professionally trained and competent security personnel. An employee decided to play a joke on the security department: he took an old employee badge, cut his picture out of it, and pasted in a picture of Mickey Mouse. He was able to gain access to the facility for two weeks before he was caught. Social engineering attacks like these are easy to accomplish in most organizations. Even if your organization uses biometric devices, magnetic stripe cards, or other electronic measures, social engineering attacks are still relatively simple.
A watering hole attack can sound?
A lot more complicated than it really is. The attacker's strategy is simply to identify a site that is visited by those they are targeting, poison the site, and then wait for the results. As an example, suppose an attacker wants to gain unauthorized access to the servers at Spencer Industries, but Spencer's security is really good. The attacker discovers that Spencer does not host its own email but instead outsources it to a big cloud provider. On the cloud provider's email site, they install the malware du jour, wait until a Spencer employee is infected, and suddenly have the access they coveted.
When you receive an email that you suspect is a hoax, check the CERT site before?
Forwarding the message to anyone else. The creator of the hoax wants to spread panic, and if you blindly forward the message to co-workers and acquaintances, you're helping the creator accomplish the task. For example, any email that says "forward to all of your friends" is a candidate for hoax research. Disregarding the hoax allows it to die a quick death and keeps users focused on productive tasks.
In a physical environment, each floor is?
Broken down into separate zones. An alarm system that identifies a zone of intrusion can inform security personnel about an intruder's location in the building; zone notification tells security where to begin looking when they enter the premises.
The concept of security zones is as old as?
Security itself. Restricting certain areas to certain people is far older than computer networks; security zones apply the same idea inside a building, with each zone individually monitored and controlled so that an intrusion can be localized quickly.
Network perimeter security is intended to accomplish for a network what physical perimeter security does for a?
Building. How do you keep intruders from gaining access to systems and information in the network through the network? In the physical environment, perimeter security is accomplished through fencing, gates, cages, locks, doors, surveillance systems, and alarm systems. This isn't functionally any different from a network, which uses border routers, intrusion detection systems, and firewalls to prevent unauthorized access.
A properly developed mantrap includes?
Bulletproof glass, high-strength doors, and locks. After a person is inside the facility, additional security and authentication may be required for further entry.
Privacy filters, which go over the screen and restrict the viewing angle to straight-on, can be used to?
Decrease the success of shoulder surfing.
A Faraday cage usually consists of an?
Electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room. The conductor is then grounded. Because of this cage, few electromagnetic signals can either enter or leave the room, thereby reducing the ability to eavesdrop on a computer conversation. To verify the functionality of the cage, radio frequency (RF) emissions from the room are tested with special measuring devices.
The only preventive measure in dealing with social engineering attacks is to?
Educate your users and staff never to give out passwords or user IDs over the phone, via email, or to anyone who isn't positively verified as being who they say they are. Social engineering is a recurring topic that will appear many times.
A number of principles, or elements, allow social engineering attacks to be?
Effective. Most of these are based on our nature to be helpful, to trust others in general, and to believe that there is a hierarchy of leadership that should be followed.
Shielding refers to the process of preventing?
Electronic emissions from your computer systems from being used to gather intelligence, and preventing outside electronic emissions from disrupting your information-processing abilities. In a fixed facility, such as a computer center, surrounding the computer room with a Faraday cage can provide electronic shielding.
Air-gapping is commonly used in?
Environments where networks or devices are required to handle different levels of classified information (classified and unclassified, for example). When moving data from one system to another, confidentiality models (such as Bell-LaPadula) are commonly used.
As an administrator, one of your responsibilities is to educate users on how to avoid?
Falling prey to social engineering attacks. They should know the security procedures that are in place and follow them to the letter. You should also have a high level of confidence that the correct procedures are in place, and one of the best ways to obtain that confidence is to check on your users occasionally. Preventing social engineering attacks involves more than just providing training on how to detect and prevent them. It also involves making sure that people stay alert.
Locks come in many different sizes, shapes, types and designs. Likewise, they offer many different levels of?
Security and ease or difficulty of operation. Some locks look impressive but can be easily broken or circumvented. Others are quite simplistic in design yet are next to impossible to thwart. As an administrator, you need to make sure the locks being used for a purpose are able to fulfill that purpose. You can rarely go wrong by using a lock that provides a higher level of security than you need for the job, but you can fail horribly by using a lock that fails to provide the level of security the task needs.
Perimeter security, whether physical or technological, is the first line of defense in your?
Security model. In the case of a physical security issue, the intent is to prevent unauthorized access to resources inside a building or facility.
Lighting can play an important role in the?
Security of any facility. Poor lighting can lead to a variety of unwanted situations: someone sneaking in through a door that is not well lit, an individual passing a checkpoint and being mistaken for another person, or a biometric reading failure. The latter is particularly true of facial recognition, where proper lighting is needed for both the face and the background.
Social engineering can have a hugely damaging effect on a?
Security system. Always remember that a social engineering attack can occur over the phone, by email, or through a visit. The intent is to acquire access information, such as user IDs and passwords.
The location of your computer facility is critical to its?
Security. Computer facilities must be placed in a location that is physically possible to secure. Additionally, the location must have the proper capabilities to manage temperature, humidity, and other environmental factors necessary to the health of your computer systems.
With social engineering, the villain doesn't always have to be?
Seen or heard to conduct the attack. The use of email was mentioned earlier, and in recent years the frequency of attacks via instant messaging has also increased, thanks to social media.
A favorite method of gaining entry to electronically locked systems is to follow someone through the door they just unlocked. This process is known as?
Tailgating. Many people don't think twice about this event—it happens all the time—as they hold the door open for someone behind them who is carrying heavy boxes or is disabled in some way.
Social engineering is easy to do, even with all of today's technology to prevent it. Education is the?
Key. Educate users on reasons why someone would attempt to gain access to data and how the company can be negatively affected by it. Educate them on the simple procedures in which they can engage, such as stopping tailgating to increase security. It is surprising how helpful users can be once they understand the reason why they're being asked to follow certain procedures.
A mantrap makes it difficult for a facility to be accessed by?
Large numbers of individuals at once, because it allows only one or two people into a facility at a time. It's usually designed to physically contain an unauthorized, potentially hostile person until authorities arrive.
Social Engineering is the?
Process by which intruders gain access to your facilities, your network, and even your employees by exploiting the generally trusting nature of people.
A protected distribution system (PDS) is one in which the network is?
Secure enough to allow for the transmission of classified information in unencrypted form; in other words, physical network security has been substituted for encryption. In a small office, for example, you could ban the use of wireless devices and require that all devices be connected to a bus topology network that is clearly visible as it runs through the space. Moving beyond this overly simplistic scenario, it is possible to create a much larger network that uses fiber, various topologies, and so on, as long as you still have the ability to monitor and control the span of it. Such networks were once called "approved circuits," and they are used largely by the U.S. government.
A safe provides a?
Secure, physical location where items can be stored. These items can include hard copies of your data, backup media, or almost anything else vital to your firm. It is important that access to the safe be tightly governed and that the safe be fireproof and sturdy enough to reduce threats of burglary, robbery, and internal theft. Commercial safes come in many varieties including those that require biometric authentication to open. Be sure to choose a safe that is suited for your purpose.
Systems must operate in controlled environments in order to be?
Secure. These environments must be, as much as possible, safe from intrusion. Computer system consoles can be a vital point of vulnerability because many administrative functions can be accomplished from the system console. These consoles, as well as the systems themselves, must be protected from physical access.
What is a hoax?
Typically, an email message warning of something that isn't true, such as an outbreak of a new virus.
As mentioned at the beginning of the chapter, impersonation involves?
Any act of pretending to be someone you are not. This can be a service technician, a pizza delivery driver, a security guard, or anyone else who might be allowed unfettered access to the grounds, network, or system. Impersonation can be done in person, over the phone, by email, and so forth.
An alarm is used to draw attention to a?
Breach, or suspected breach, when it occurs. This alarm can be sounded in many ways—through the use of a siren, a series of lights (flashing or solid), or an email or voice message. However, it is always intended to draw attention to the event.
*For the exam, be familiar with the following reasons for social engineering effectiveness.*
Authority: If it is possible to convince the person you are attempting to trick that you are in a position of authority, they may be less likely to question your request. The position of authority could be upper management, tech support, HR, or law enforcement.
Intimidation: Although authority can be a source of intimidation, intimidation can occur in its absence as well. This can be done with threats, with shouting, or even with guilt.
Consensus: Putting the person being tricked at ease by putting the focus on them (listening intently to what they are saying, validating their thoughts, charming them) is the key to this element. The name comes from the desire we all have to be told that we are right, attractive, intelligent, and so forth, and we tend to be fond of those who confirm this for us. By being so incredibly nice, the social engineer convinces the other party that there is no way their intentions could possibly be harmful.
Scarcity: Convincing the person who is being tricked that there is a limited supply of something can often be effective if carefully done. For example, convincing them that only 100 vacation requests will be honored for the entire year, and that they need to go to a fictitious website now and fill out their information (including username and password, of course) if they want to take a vacation anytime during the current year, can dupe some susceptible employees.
Familiarity: Mental guards are often lowered, many times subconsciously, when we are dealing with individuals we like. The "like" can be gained by someone having, or pretending to have, the same interests as we do, being engaged in the same activities, or otherwise working to gain positive attention.
Trust: One of the easiest ways to gain trust is through reciprocation. When someone does something for you, there is often a feeling that you owe the person something. For example, to gain your trust, someone may help you out of a troublesome situation or buy you lunch.
Urgency: The secret to using the urgency element successfully is for the social engineer to convince the individual they are trying to trick that time is of the essence: if they don't do something right away, money will be lost, a nonexistent intruder will get away, the company will suffer irreparable harm, or any of a plethora of other negative outcomes will occur.
The best defense against a watering hole attack is to make?
Certain that all of your partners are secure. Identify weak links, and bring them up to the same level of security as the rest of your infrastructure. From an exam perspective, one of the best things about most of these types of attacks is that the name telegraphs the predicament. As an IT administrator, you have no way of preventing someone from trying these tactics against your company, but educating users about them is the best way to prevent them from succeeding. The more people are aware of their presence and potential harm, the more likely they can help thwart such attacks, since the ultimate objective is to gain unauthorized access to information. From a real-world perspective, a number of tools are available that can help limit the success of social engineering attacks. Most browsers include a feature that checks websites a user wishes to visit against a database of known questionable sites and warns the user if there is a match.
If the computer systems for which you're responsible require special environmental considerations, you'll need to establish a?
Cooling and humidity control system. Ideally, systems are located in the middle of the building, and they're ducted separately from the rest of the HVAC (heating, ventilation, and air-conditioning) system. It's common practice for modern buildings to use zone-based air-conditioning, which allows the environmental plant to be turned off when the building isn't occupied. A computer room will typically require full-time environmental control.
Don't overlook the most common personal motivator of all which is?
Greed. It may surprise you, but people can be bribed to give away information, and one of the toughest challenges is someone on the inside who is displeased with the company and eager to profit from it. This is known as a malicious insider threat, and it can be far more difficult to contend with than any outside threat, since the insider already has access, both physical and login access, to your systems.
As opposed to signs, one of the most expensive physical security tools that can be implemented is a?
Guard. A guard can respond to a situation and be intimidating, but a guard is also fallible and comes at a considerable cost.
Physical tokens or FOBs are anything that a user must?
Have on them to access network resources, and they are often associated with devices that enable the user to generate a one-time password authenticating their identity.
There are often multiple rows of servers located in racks in server rooms. The rows of servers are known as aisles, and they can be cooled as?
Hot aisles and cold aisles.
Within Microsoft Windows, you have the ability to put signs where?
In the form of onscreen pop-up banners that appear before the logon and convey similar information: authorized access only, violators will be prosecuted, and so forth. Such banners convey warnings or regulatory information that the user must "accept" in order to use the machine or network. In Windows, the banner is turned on in the Registry through entries beneath HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. You configure legalnoticecaption as the caption of the sign that you want to appear and legalnoticetext as the text that will show up and must be dismissed before the user can move on. Both are string (REG_SZ) values accepting any alphanumeric combination.
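The following Python is an added example, not code from the page, showing what configuring those two values amounts to: build_reg_file produces a Regedit 5.00 file with the escaping that format requires, and apply_banner writes the values directly with the standard winreg module on Windows (the same two values that the Group Policy settings "Interactive logon: Message title for users attempting to log on" and "Interactive logon: Message text for users attempting to log on" control). The caption and text are placeholders.

```python
"""Pre-logon legal notice banner (legalnoticecaption / legalnoticetext).

Added as an illustration; this is not code from the page. The caption and
text used below are placeholders, not a recommended legal wording."""
import sys

# Key named on the card above, relative to HKEY_LOCAL_MACHINE.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_NAMES = ("legalnoticecaption", "legalnoticetext")


def reg_escape(value):
    """Regedit 5.00 string syntax: a backslash and a double quote inside the
    quoted value must be escaped, or the import truncates or rejects it."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_file(caption, text):
    """Return the text of a .reg file that sets both REG_SZ values under HKLM."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[HKEY_LOCAL_MACHINE\\{POLICY_KEY}]",
        f'"{VALUE_NAMES[0]}"="{reg_escape(caption)}"',
        f'"{VALUE_NAMES[1]}"="{reg_escape(text)}"',
        "",
    ]
    return "\r\n".join(lines)          # regedit expects CRLF line endings


def apply_banner(caption, text):
    """Write the values with winreg (Windows only; needs an elevated prompt
    because the key lives under HKEY_LOCAL_MACHINE). Returns what the registry
    holds after the write so the caller can confirm it took effect."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows; use build_reg_file() elsewhere")
    import winreg
    access = winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0, access) as key:
        winreg.SetValueEx(key, VALUE_NAMES[0], 0, winreg.REG_SZ, caption)
        winreg.SetValueEx(key, VALUE_NAMES[1], 0, winreg.REG_SZ, text)
        return {name: winreg.QueryValueEx(key, name)[0] for name in VALUE_NAMES}


if __name__ == "__main__":
    # Placeholder wording; a real banner comes from legal counsel.
    print(build_reg_file("Authorized use only",
                         'This system is for authorized users. Activity is monitored; '
                         'there is "no expectation of privacy".'))
```

The banner takes effect at the next logon, not immediately. If the caption or text contains a backslash or a double quote, an unescaped .reg file may import truncated or fail to import, which is why reg_escape exists; setting the values through winreg or Group Policy needs no escaping.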
A security zone is an area in a building where access is?
Individually monitored and controlled. A large network, such as the ones found in a big physical plant, may have many areas that require restricted access. In a building, floors, sections of floors, and even offices can be broken down into smaller areas. These smaller zones are referred to as security zones.
Attackers can send infected files over?
Instant messaging (IM) as easily as over email, and this can occur on Facebook, LinkedIn, or anywhere else IM is possible. One virus seen recently accesses a user's IM client and uses the infected user's friends list to send messages to other users and infect their machines as well.
When it comes to desktop models, adding a lock to the back cover can prevent an?
Intruder with physical access from grabbing the hard drive or damaging the internal components. The lock that connects through a slot on the back of the computer can also attach to a cable that connects to a desk or other solid fixture to keep the entire PC from being carried away. In addition to running a cable to the desk, you can run an end of it up to the monitor if theft of peripherals is a problem in your company. You should also consider using a safe and locking cabinets to protect backup media, documentation, and any other physical artifacts that could do harm if they fell into the wrong hands. Server racks should lock the rack-mounted servers into the cabinets to prevent someone from simply pulling one and walking out the front door with it.
What is Personal Identity Verification (PIV)?
It is a card required of federal employees and contractors to gain access (physical and logical) to government resources.
What is administrative control?
It is a control implemented through administrative policies or procedures.
What is a mantrap?
It is a device, such as a small room, that limits access to one or a few individuals. Mantraps typically use electronic locks and other methods to control access.
What is spear phishing?
It is a form of phishing in which the message is made to look as if it came from someone you know and trust, as opposed to an impersonal third party.
What is phishing?
It is a form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. Commonly sent by email.
What is a cable lock?
It is a physical security deterrent used to protect a computer.
What are hot aisles?
It is a server room aisle that removes hot air.
What is privacy?
It is a state of security in which information isn't seen by unauthorized parties without the express permission of the party involved.
What is social engineering?
It is an attack that uses others by deceiving them. It does not directly target hardware or software, but instead it targets and manipulates people.
What is a faraday cage?
It is an electrically conductive wire mesh or other conductor woven into a "cage" that surrounds a room and prevents electromagnetic signals from entering or leaving the room through the walls.
What is wetware?
It is another term for social engineering.
What is PTZ?
They are cameras that can pan, tilt, and zoom.
What is vishing?
It is phishing combined with Voice over IP (VoIP).
What is detective control?
They are controls that are intended to identify and characterize an incident in progress (for example, sounding the alarm and alerting the administrator).
What is tailgating?
It is following someone through an entry point.
What is data disposal?
It is getting rid of/destroying media no longer needed.
What is a watering hole attack?
It is identifying a site that is visited by those the attacker is targeting, poisoning that site, and then waiting for the results.
What is personally identifiable information (PII)?
It is information that can be used to uniquely identify, contact, or locate a single person. Examples include Social Security numbers, driver's license numbers, fingerprints, and handwriting.
What is restricted information?
It is information that isn't made available to all and to which access is granted based on some criteria.
What is whaling?
It is phishing aimed only at large (high-value) accounts.
What is impersonation?
It is pretending to be another person to gain information.
What is control?
It is processes or actions used to respond to situations or events.
What is perimeter security?
It is security set up on the outside of the network or server to protect it.
What is fire suppression?
It is the act of stopping a fire and preventing it from spreading.
What is the PASS method?
It is the correct method of extinguishing a fire with an extinguisher: Pull, Aim, Squeeze, and Sweep.
What is information classification?
It is the process of determining what information is accessible, to what parties, and for what purposes.
What are cold aisles?
They are the server room aisles that blow cold air from the floor.
What is shoulder surfing?
It is watching someone when they enter their username, password, or sensitive data.
High-security installations use a type of intermediate access control mechanism called a?
Mantrap (also occasionally written as man-trap).
Any concept that spreads quickly through the Internet is referred to as a?
Meme.
Dumpster diving is a common physical access?
Method. Companies normally generate a huge amount of paper, most of which eventually winds up in dumpsters or recycling bins. Dumpsters may contain information that is highly sensitive in nature. In high-security and government environments, sensitive papers are either shredded or burned. Most businesses don't do this. In addition, the advent of "green" companies has created an increase in the amount of recycled paper, which can often contain all sorts of juicy information about a company and its employees.
The most effective physical barrier implementations require that more than one physical barrier be crossed to gain access. This type of approach is called a?
Multiple barrier system or defense in depth.
An airgap (or more commonly, air gap) is a?
Network security measure used to ensure that a secure computer network is physically isolated from unsecured networks. Those "unsecured networks" include both the Internet and any unsecured local area networks.
Whaling is nothing more than?
Phishing or spear phishing, but aimed at big users. Instead of sending out a "To Whom It May Concern" message to thousands of users, the whaler identifies one person from whom they can gain all the data they want, usually a manager or owner, and targets the phishing campaign at them.
A key aspect of access control involves?
Physical barriers. The objective of a physical barrier is to prevent access to computers and network systems.
Hardware security involves applying?
Physical security modifications to secure the systems and preventing them from leaving the facility. Don't spend all of your time worrying about intruders coming through the network wire while overlooking the obvious need for physical security.
Access control is a critical part of?
Physical security, and it can help cut down the possibility of social engineering or other types of attack succeeding.
RSA SecurID is one of the best-known examples of a?
Physical token. No matter how secure you think your system is, you'll never be able to stop everyone. But your goal is to stop most attempts and, at the very least, slow down the most sophisticated. As an analogy, the front door of your home may have a lock and a deadbolt. That minimal security is enough to convince most burglars to try somewhere less secure. A professional who is bent on entering your home, however, could always bring the appropriate lock-defeating tools to the door.
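The one-time password that fobs and tokens such as SecurID produce (see the physical token cards above) is, for most current tokens and phone apps, the standardized HOTP (RFC 4226) or TOTP (RFC 6238) algorithm. The following Python is added here as an illustration; it is not code from the page and not RSA's proprietary algorithm. It uses only the standard library, the secret is the RFC 4226 test vector rather than a real enrollment, and the drift window and last_counter replay check in verify_totp are design choices of this example.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) in pure Python.

Added as an illustration of how a hardware token or authenticator app turns a
shared secret into a one-time password; not code from the page and not any
vendor's token firmware. The secret below is the RFC 4226 test vector."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if timestamp is None else timestamp
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, candidate: str, timestamp: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: int = -1) -> Optional[int]:
    """Return the time-step counter the candidate matched, or None.

    Adjacent steps (+/- `window`) are accepted to tolerate clock drift between
    token and server. The server must persist the returned counter and pass it
    back as `last_counter` next time, so an already-used code (one read over a
    user's shoulder, say) cannot be replayed within the drift window. The
    digit comparison is constant-time."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now = time.time() if timestamp is None else timestamp
    counter = int(now // step)
    matched = None
    for delta in range(-window, window + 1):
        c = counter + delta
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            matched = c
    if matched is None or matched <= last_counter:
        return None
    return matched


def secret_from_base32(encoded: str) -> bytes:
    """Provisioning QR codes (otpauth:// URIs) carry the secret base32-encoded,
    usually without the '=' padding that b32decode insists on."""
    cleaned = encoded.strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# Constructed from RFC 4226 Appendix D: the ASCII secret "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))                   # 755224, 287082, 359152
    print(totp(RFC4226_SECRET, timestamp=59))                # 287082 (RFC 6238 Appendix B, SHA-1)
    print(verify_totp(RFC4226_SECRET, "287082", timestamp=59))   # 1
```

Run stand-alone it prints the first three HOTP codes from the RFC's table. verify_totp deliberately returns the matched counter rather than True: a server that only returns a boolean and forgets the counter leaves every accepted code valid for the rest of the drift window, which is exactly the gap a shoulder surfer needs.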
Phishing is a form of social engineering in which you ask someone for a?
Piece of information that you are missing by making it look as if it is a legitimate request. An email might look as if it is from a bank and contain some basic information, such as the user's name. In the email, it will often state that there is a problem with the person's account or access privileges. The user will be told to click a link to correct the problem. After they click the link, which goes to a site other than the bank's, they are asked for their username, password, account information, and so on. The person instigating the phishing can then use the values entered there to access the legitimate account.
One popular form of social engineering is known as?
Shoulder surfing, and it involves nothing more than watching someone "over their shoulder" when they enter sensitive data. The attacker can see you entering a password, typing in a credit card number, or entering any other pertinent information. The best defense against this type of attack is to survey your environment before entering personal data. It is a good idea for users not to have their monitors positioned in ways that make it easy for this to occur, but they also need to understand that such an attack can occur away from the desk as well: in any public location where they sit with their laptops, at business travel centers in hotels, at ATMs, and so on. Passwords entered on Apple products by default briefly display the last character entered as a convenience to the user. Unfortunately, this increases the danger posed by shoulder surfing.
One of the least expensive physical security tools that can be implemented is a?
Sign. Signs can be placed around secure areas telling those who venture by that only authorized access is allowed, that trespassers will be prosecuted, and so on. There is a story told of a couple of magicians who drove across the country while on tour, and to prevent anyone from breaking into their car, they put a sign on it identifying the car as a transport vehicle for the Centers for Disease Control. Supposedly it worked, and no one ever broke into the vehicle.
A social engineering attack may come from?
Someone posing as a vendor, or it could take the form of an email from a (supposedly) traveling executive who indicates that they have forgotten how to log on to the network or how to get into the building over the weekend. It's often difficult to determine whether the individual is legitimate or has bad intentions.
Spear phishing is a unique form of phishing in which the message is made to look as if it came from?
Someone you know and trust as opposed to an impersonal third party. For example, in a phishing attack, you would get a message that appears to be from Giant Bank XYZ telling you that there is a problem with your account and that you need to log in to rectify it right away. Such a message from someone you've never heard of would run a high risk of raising suspicion and thus generate a lower than desired rate of return for the phishers. With spear phishing, you might get a message that appears to be from your boss telling you that there is a problem with your direct deposit account and that you need to access this HR link right now to correct it. Spear phishing works better than phishing because it uses information that can be found about you from email databases, friends lists, and the like.
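Both phishing cards above rest on the same mechanics: the text the victim sees names the bank, the link goes somewhere else, and the message manufactures urgency. The following Python, an added example that is not code from the page or from any mail filter product, parses an HTML email body with the standard library and reports those cues. The sample message, the giantbank.example domain, and the URGENCY phrase list are constructed for the example.

```python
"""Heuristic checks for the phishing-link tactic described on the cards above.

Added as an illustration; not code from the page. The email body is
constructed, and "giantbank.example" stands in for whatever brand a mail
filter is configured to protect."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases typical of lures (constructed starter list).
URGENCY = re.compile(
    r"\b(immediately|right away|urgent|suspended|within \d+ hours?|verify now)\b", re.I)
# Visible link text that itself looks like a URL or a bare domain.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.\w+(/\S*)?")


class _LinkCollector(HTMLParser):
    """Gathers (href, visible text) for every <a> plus the body's plain text."""

    def __init__(self):
        super().__init__()
        self.links = []            # (href, visible text)
        self.text_chunks = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text_chunks.append(data)
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def host_of(url_or_text):
    """Hostname of a URL; bare domains in link text get a scheme first so
    urlparse treats them as the netloc rather than the path."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.example; a real filter
    should consult the Public Suffix List so suffixes like co.uk compare right."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(html_body, trusted_domains):
    """Return human-readable findings; an empty list means no cue fired."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        shown = text.strip()
        # 1. The text says one site, the href lands on another registrable domain.
        if LOOKS_LIKE_URL.fullmatch(shown) and registrable(host_of(shown)) != registrable(target):
            findings.append(f"link text '{shown}' but href host is '{target}'")
        # 2. A bank does not send customers to a raw IP address.
        if is_ip_literal(target):
            findings.append(f"href uses bare IP address {target}")
        # 3. Lookalike: carries the brand name but is neither the domain nor a subdomain of it.
        for trusted in trusted_domains:
            brand = trusted.split(".")[0]
            if brand in target and target != trusted and not target.endswith("." + trusted):
                findings.append(f"lookalike host '{target}' imitates {trusted}")
    for m in URGENCY.finditer(" ".join(parser.text_chunks)):
        findings.append(f"urgency cue: '{m.group(0)}'")
    return findings


# Constructed sample: the displayed link is the bank, the href is not.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, a problem with your account requires attention immediately.</p>
<p>Please sign in at <a href="http://giantbank-xyz-secure.example/login">https://www.giantbank.example/login</a>
to avoid having your account suspended.</p>
<p>Questions? See <a href="https://www.giantbank.example/help">our help page</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, ["giantbank.example"]):
        print("-", finding)
```

Against the sample it reports the text/href mismatch, the lookalike host, and the two pressure phrases, while a message whose links really go to www.giantbank.example produces no findings. These are cues for a reviewer or a scoring pipeline, not proof: the same heuristics run over a legitimate "your card expires in 3 days" mail will fire on the urgency check, so weigh the link findings more heavily than the wording ones.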
Social engineering attacks can develop?
Subtly. They are also hard to detect. Let's look at a classic social engineering attack. Someone enters your building wearing a white lab jacket with a logo on it. He also has a toolkit. He approaches the receptionist and identifies himself as a copier repairman from a major local copier company. He indicates that he's here to do preventive service on your copier. In most cases, the receptionist will let him pass and tell him the location of the copier. Once the "technician" is out of sight, the receptionist probably won't give him a second thought. Your organization has just been the victim of a social engineering attack. The attacker has now penetrated your first and possibly even your second layer of security. In many offices, including security-oriented offices, this individual would have access to the entire organization and would be able to pass freely anywhere he or she wanted. This attack didn't take any particular talent or skill other than the ability to look like a copier repairman.
Ideally, your systems should have a minimum of three physical barriers. What are they?
1. The external entrance to the building, referred to as the perimeter, which is protected by burglar alarms, external walls, fencing, surveillance, and so on. This should be used with an access list that identifies who can enter the facility and can be verified by a guard or someone in authority.
2. A locked door protecting the computer center; you should also rely on items such as ID badges, proximity readers, fobs, or keys to gain access.
3. The entrance to the computer itself. This should be another locked door that is carefully monitored. Although you try to keep as many intruders out as possible with the other two barriers, many who enter the building could be posing as someone they are not (heating technicians, representatives of the landlord, and so on). Although these pretenses can get them past the first two barriers, the locked computer room door should still stop them.
What are physical controls?
They are controls and countermeasures of tangible nature intended to minimize intrusions.
What are preventive controls?
They are controls intended to prevent attacks or intrusions.
What are technical controls?
They are controls that rely on technology.
What are compensating controls?
They are gap controls that fill in the coverage between other types of vulnerability mitigation techniques. (Where there are holes in coverage, we compensate for them.)
What are privacy filters?
They are screens that restrict viewing of monitors to only those sitting in front of them.
What are control types?
They are technical, physical, or administrative measures in place to assist with resource management.
Biometric systems use some kind of?
Unique biological trait to identify a person, such as fingerprints, patterns on the retina, and handprints. Some methods that are used include hand scanners, retinal scanners, facial recognition applications, and keystroke recognition programs, which can be used as part of the access control mechanisms. These devices should be coupled into security-oriented computer systems that record all access attempts. They should also be under surveillance in order to prevent individuals from bypassing them. These technologies are becoming more reliable, and they will be widely used over the next few years. Many laptops sold now have a fingerprint reader built in. The costs associated with these technologies have fallen dramatically in recent years. One of the best independent sources of information on developments in the field of biometrics is biometricnews.net, where you can find links to publications and their blog.
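The answer above says the readers should be coupled to a system that records every access attempt, and the three-barrier answer says the computer room door should be carefully monitored. Recording is only useful if someone looks at the record. As an added example (not from the study guide), here is a small Python script that parses badge-reader events in an assumed comma-separated format (timestamp, reader, badge, result), keeps every attempt in the audit summary, and flags two patterns worth a human look: a badge repeatedly denied at one door, and a grant that closely follows a denial. The log lines, reader names, badge IDs, and thresholds are all constructed for the example.

```python
"""Audit badge-reader access attempts (added example, not from the study guide).

Assumes a hypothetical log format of one event per line:
    ISO-8601 timestamp,reader name,badge ID,result   (result is "granted" or "denied")
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for a lobby door and a server-room door.
SAMPLE_LOG = """\
2024-03-04T08:01:10,lobby-door,B1001,granted
2024-03-04T08:02:40,lobby-door,B1002,granted
2024-03-04T08:03:05,server-room,B1002,denied
2024-03-04T08:03:20,server-room,B1002,denied
2024-03-04T08:03:41,server-room,B1002,denied
2024-03-04T08:04:02,server-room,B1002,denied
2024-03-04T08:10:00,server-room,B1001,granted
2024-03-04T09:15:30,lobby-door,B1003,denied
2024-03-04T09:16:00,lobby-door,B1003,granted
"""


def parse_events(text):
    """Turn the raw log into a list of dicts; every attempt is kept, granted or not."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, reader, badge, result = (f.strip() for f in line.split(","))
        events.append({"ts": datetime.fromisoformat(ts), "reader": reader,
                       "badge": badge, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def summarize(events):
    """Per-reader counts of granted and denied attempts (the basic audit record)."""
    counts = defaultdict(lambda: {"granted": 0, "denied": 0})
    for ev in events:
        counts[ev["reader"]][ev["result"]] += 1
    return dict(counts)


def find_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a badge denied at one reader `threshold` or more times within `window`.

    Repeated denials at the computer-room door suggest someone probing a lost,
    borrowed, or cloned credential, or trying to defeat the reader.
    """
    recent = defaultdict(deque)   # (reader, badge) -> timestamps of recent denials
    alerts = {}
    for ev in events:
        if ev["result"] != "denied":
            continue
        key = (ev["reader"], ev["badge"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop denials older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = {"reader": key[0], "badge": key[1],
                           "count": len(q), "last": ev["ts"]}
    return list(alerts.values())


def find_denied_then_granted(events, window=timedelta(minutes=2)):
    """Flag a grant that closely follows a denial for the same badge at the same reader.

    Often benign (badge re-presented), but it is also what a guard override or a
    "let me try my other card" excuse looks like, so it deserves review.
    """
    last_denied = {}
    reviews = []
    for ev in events:
        key = (ev["reader"], ev["badge"])
        if ev["result"] == "denied":
            last_denied[key] = ev["ts"]
        elif key in last_denied and ev["ts"] - last_denied[key] <= window:
            reviews.append({"reader": key[0], "badge": key[1],
                            "denied_at": last_denied[key], "granted_at": ev["ts"]})
            del last_denied[key]
    return reviews


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(summarize(evs))
    for a in find_brute_force(evs):
        print("ALERT repeated denials:", a)
    for r in find_denied_then_granted(evs):
        print("REVIEW denied then granted:", r)
```

On the sample data the script reports four denials for badge B1002 at the server-room reader and one denied-then-granted sequence for B1003 at the lobby door. The thresholds are arbitrary; tune them to the door's normal traffic, and make sure the denied attempts are logged in the first place, since a reader that only records successes cannot show you someone testing the third barrier.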
To stop someone from entering a facility, barricades or gauntlets can be?
Used. These are often used in conjunction with guards, fencing, and other physical security measures, but they can also be used on their own.
When you combine phishing with Voice over IP (VoIP), it becomes known as?
Vishing, an elevated form of social engineering. Although crank calls have been in existence since the invention of the telephone, the rise of VoIP now makes it possible for someone to call you from almost anywhere in the world without worrying about call tracing, caller ID, and other landline-related features. They then pretend to be someone they are not in order to get data from you.
Mantraps require?
Visual identification as well as authentication, to gain access.
A secure system is only as secure as its?
Weakest link, and sometimes that weak link can be the cabling. Closely associated with protected distribution systems, protected cabling involves using locked wiring closets, locked spare jacks, conduit, and cable trays to protect the cabling itself. Physical security safeguards are put in place to prevent accidental damage, disruption, and physical tampering with the cabling, as well as to help prevent eavesdropping or "in-transit modification" of transmissions (NIST SP 800-53r4).
Few security systems can be implemented that do not have?
Weaknesses or vulnerabilities. A determined intruder can, with patience, overcome most security systems. The task may not be easy, and it may require careful planning and study; however, a determined adversary can usually figure out a way. This is why deterrence is so important. If you want to deter intruders from breaking into your building, you can install improved door locks, coded alarm systems, and magnetic contacts on doors and windows. Remember that you can't always keep an intruder out of your building; however, you can make an intrusion riskier and more likely to be discovered if it happens.
Social engineering attacks are relatively low tech and are more akin to con jobs. Here are a few examples?
Your help desk gets a call at 4 A.M. from someone purporting to be a vice president at your company. She tells the help desk personnel that she is out of town to attend a meeting, that her computer just failed, and that she is sitting in a Kinko's trying to get a file from her desktop computer back at the office. She can't seem to remember her password or user ID. She tells the help desk representative that she needs access to the information right away or the company could lose millions of dollars. Your help desk rep believes the caller and gives the "vice president" her user ID and password over the phone instead of calling IT. You've been hit. Another common approach is initiated by a phone call or email from someone claiming to be one of your software vendors, telling you that they have a critical fix that must be installed on your computer system. If this patch isn't installed right away, your system will crash and you'll lose all your data. For some reason, you've changed your maintenance account password, and they can't log on. Your system operator gives the password to the person instead of calling IT. You've been hit again.