Was that a lucky guess, or did you really know the answer?
4. Actually, "social engineering" is what hackers call conning legitimate computer users into providing useful information that helps the hacker gain unauthorized access to their computer system.
The attacker using social engineering usually poses as a legitimate person in the organization and tricks computer users into giving useful information. This is usually done by telephone, but it may also be done by forged e-mail messages or even an in-person visit.
Most people think computer break-ins are purely technical, the result of technical flaws in computer systems that the intruders are able to exploit. The truth is, however, that social engineering often plays a big part in helping an attacker slip through the initial security barriers. Lack of security awareness, or gullibility of computer users, often provides an easy stepping stone into the protected system in cases when the attacker has no authorized access to the system at all.
For example, here is a quick summary of a successful hacking operation based almost entirely on social engineering:
Case 2 contains a detailed explanation of how this was accomplished -- the cover stories and other manipulations that were used.
Social Engineering provides guidelines for guarding against such tactics. The most important is this: If you cannot personally identify a caller who asks for personal information about you or anyone else (including badge number or employee number), for information about your computer system, or for any other sensitive information, do not provide the information. Insist on verifying the caller's identity by calling them back at their proper telephone number as listed in your organization's telephone directory. This procedure creates minimal inconvenience to legitimate activity when compared with the scope of potential losses.
Related Topics: Social Engineering, How Hackers Work, How We Unknowingly Make It Easy for the Hackers.