Social engineering is quite possibly the least popular means of attacking a network currently employed in penetration testing. It certainly receives the least media attention.
These attacks, however, can prove quite costly and should be guarded against. This sort of attack can allow the attacker to bypass the security mechanisms of a network without using any script or hacking tool and without even executing a single piece of code.
Social engineering involves getting employees at target companies to voluntarily surrender their personal or corporate information. This is usually accomplished through nothing more than conversation, often over a telephone and without any direct contact at all. It is essentially a confidence game.
It is a good idea to incorporate such an exploit into your penetration testing, since social engineering can circumvent any logical security measures in place. It relies on exploiting employees who either do not place a high value on information security or do not understand that the information they hold (such as the IP address of their firewall or default gateway, or even their own password) can be misused to compromise the network if disclosed to malicious individuals.
There are various methods of social engineering. I would like to discuss three in this article and give examples we are familiar with that are known to produce positive results. Among these are making apparently harmless telephone calls to employees of the target company, searching through the company’s office trash, and casually looking at an employee’s workspace to directly obtain or deduce confidential information.