Welcome back. Today we're going to be talking a little bit more about social engineering. Social engineering is basically the art of manipulating people, or convincing people, to give you some information, either knowingly or unknowingly, so that they can use that information to either impersonate you or get more access to certain areas or certain information that they shouldn't have access to. Social engineering is based on the principle that most people are trusting and they want to be helpful. The average person you meet on the street wants to try to help people who are in need. And social engineers really take advantage of this ability of people to be helpful and to generally trust the overall population. Social engineers also take advantage of the fact that most people don't really want to take responsibility for certain situations. So whenever somebody sees somebody doing something that might be suspicious, unless their job is to stop that person, they don't really want to get involved. They don't want confrontation. So the fact that humans are relatively trusting, they want to be helpful, and they don't really want confrontation helps social engineers to get access to information or access to physical areas, and, whenever we're talking about online, access to information online that they shouldn't have access to. So it's a very powerful method. In the physical world, social engineering basically helps us to gain access and gain information. Think about it at your work: if somebody comes into your office and tells you, "I'm here to fix the telephone," and they look like a telephone repair person, you'll probably let them into your office to fix the telephone, and you won't really question their credentials.
So in that case somebody could social engineer you by pretending to be the telephone repair person, and they could implant some device on your phone or basically do whatever they want inside your office for that time. In the digital world it's also about gaining access or gaining information. So we want to get this information about maybe somebody's computer or some documents that they have on that computer. Instead of just physically walking up to their computer, we might just send an email that says "click here to reset your password." And many people, as long as it looks like it's related to something that they normally do, might click on that email and reset their username and password, but actually they're just giving that information to the social engineer. So the social engineer is just setting up a situation that can trick the person into providing more access or more information, basically because people don't check to make sure that these people actually should be the ones accessing this information. So social engineering is one of the most effective ways to steal confidential data, because it targets the biggest weakness, which is normally the human element. Most employees are completely unaware that they're being manipulated. So social engineers go into companies and they can get access to many different areas inside the company. They can get access to a lot of different information, and the people that are helping them don't know that this person isn't allowed to be in the area, because the person has successfully socially engineered them. The same in digital systems: people think that they are giving information to trustworthy people, but actually they're just revealing their login credentials or some other confidential information to a person that shouldn't have access. So what information is useful in social engineering? It really depends on what the goal of the social engineer is. It's usually about gaining access to areas or access to information.
So information that might be very helpful would be things like names, job descriptions, department names, any internal lingo or internal speech that a company might use. If a social engineer can get access to that information, they might be able to convince someone, either over the telephone or in person, that they actually belong inside the company, they've been there a while, and they should get access to certain pieces of information inside that company. Online, it's kind of the same thing. If we have your name, or we have your department or your boss's name, we can pretend to be the IT department, and then you might give us your personal information, or information that you really shouldn't be giving out to random people, but as long as we social engineer it properly you might give that information. So, some tactics. I won't go too much into tactics for social engineering, but a couple of them are: pretexting, and this is basically creating a fake scenario so people think that a scenario exists when it actually doesn't. So basically convincing people that there's some problem that they need to respond to. So for example, if you call up somebody at their work and say, "We noticed that the internet is not working very well today; we'll send a technician over very shortly to fix your computer," then people will say, "Well, I didn't have a problem, but okay, a technician will come and fix my computer shortly," so they're then prepared for someone to come and work on their computer. They don't know what they're going to do, but somebody will come. So then we send a social engineer to get access to that computer, and we can essentially take the computer over that way. Phishing is trying to trick people into giving information away, and this is like those emails that basically say, "Click here to reset your password; by the way, we also need your username and your phone number and your address," and all this other information as well.
Fake websites are a type of social engineering, and that just relies on the fact that people don't normally check whether the domain is the correct domain for the website they want to go to, or whether the certificates are correct. Fake pop-ups also give this kind of impression that something is wrong with your computer system, and it will convince the person that they need to act to solve a problem even though they don't have a problem. Usually "solving" the problem is actually what creates the problem in their computer in the first place. And then baiting is also a relatively, I won't say new, but interesting form of social engineering. Let's say we wanted to target a specific company and we need to get a virus inside their network. Well, one of the easiest ways to do that is to drop USB sticks, with a virus loaded on the USB stick, in front of the building of the company you're targeting. Someone is very likely to pick that USB stick up and then put it into their computer to check whose USB stick this is, and as soon as they insert it into their computer you might have access, basically, to their entire network. Okay, so next, some examples. There are lots of examples of social engineering; it happens all the time, both online and offline. A couple that I really want to talk about here concern the Korean situation, because Korean organizations are usually very hierarchical. Think about it: if you're Korean and your boss asks you to do something, will you check to make sure that that was actually a request from your boss or not? So using this knowledge, if I'm pretending to be the secretary of your boss and I command you to give some information, or send some money, or do something, would you question it?
If you're not sure whether you would actually check whether your boss said this or not, or if it was just some random person asking for this, then you are potentially susceptible to social engineering. And this is a big concern, right, because the boss has a lot of control in most Korean organizations, and people don't normally check whether it's actually the boss's word or not, and a lot of different types of social engineering happen this way. There was a case in China where a Chinese businessman's computer and his secretary's computer had been hacked and had a virus for a very long time, and when he went on a trip to Japan, specifically to buy art in Japan, the secretary received an email from the CEO saying, "Send a million dollars to this account in Japan; I'm going to buy some art." So the secretary just said, "Okay, this is from the CEO, who's currently in Japan; it looks like a legitimate request," so the secretary sent the money to this account in Japan. And it turned out that actually the computer had been hacked, and hackers were watching this and were waiting until a certain situation happened where they could pretend to be the CEO, because the secretary does not want to question her boss about whether he actually asked that or not. She just sent the money directly, and basically the hackers got the money that way: the money was sent and they lost it. So social engineering is a very powerful tool because it relies on social society, right? So it all comes down to not verifying who the request is from, not checking, not auditing. Essentially, make sure you're always checking who is making requests and what information they're asking for.
So there are lots of different ways to protect yourself, but basically verifying the identity of people and information sources is the most critical part. It is worth, especially if money is involved, asking whether the boss did ask for the money to be sent; it is worth checking whether the website domain name is correct; and if you can do those things, then it will make social engineering at least a little bit more difficult. So that was kind of my quick rundown of social engineering. It is a very interesting technique that's used offline and online, and it is very powerful, and most attacks we see now rely on some type of social engineering, at least to get into the network. For example, sending somebody an email with a virus attached to it: they're relying on somebody to download that attachment, open the attachment up, and install the virus on their computer. Once that happens, then everything else is a technical attack, but it was social engineering that got us into the network in the first place. So that's it for today. Thank you very much.
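The lecture's closing advice is to verify the source of a request and to check that a website's domain name is really the one you expect. The script below is an added illustration of that check, not part of the lecture or any product it mentions. It takes a constructed "reset your password" email for a hypothetical company (the company name, the trusted domain `example-corp.com`, the sender address and every link are made up for this example) and flags links whose host is not actually under the trusted domain, including the classic trick of putting the real name at the front of a longer look-alike host, and hosts that use non-ASCII look-alike characters. The "registrable domain" logic is deliberately simplified (last two labels, no public-suffix list), which is noted in the code.

```python
"""Added example: checking sender and link domains in a suspicious email.

Not part of the lecture. The company, domains, addresses and the sample
message are all constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Domain the hypothetical company really uses. Any host equal to it or
# ending in ".example-corp.com" counts as trusted (constructed value).
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed look-alike host: Latin "ex" + Cyrillic "а" (U+0430) + "mple-corp.com".
# It renders almost identically to example-corp.com but is a different name.
HOMOGRAPH_HOST = "ex" + "\u0430" + "mple-corp.com"

# Constructed sample message of the kind described in the lecture: the sender
# and the main link *start* with the real company name but live elsewhere.
SAMPLE_EMAIL = f"""From: IT Helpdesk <helpdesk@example-corp.com.reset-portal.net>
Subject: Action required: reset your password today

We noticed unusual activity on your account. Please reset your password here:
https://example-corp.com.reset-portal.net/reset?user=jane
You can also confirm your details at https://{HOMOGRAPH_HOST}/verify
Our password policy: https://mail.example-corp.com/policy
"""

URL_RE = re.compile(r"https?://[^\s<>]+")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def is_trusted_host(host: str) -> bool:
    """True only if host IS a trusted domain or is a subdomain of one.

    The trusted name must be the *suffix* of the host. A host such as
    'example-corp.com.reset-portal.net' merely begins with it and is rejected.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def classify_url(url: str) -> dict:
    """Report why a link is suspicious (empty reasons list means it looks fine)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    reasons = []
    if not is_trusted_host(host):
        reasons.append("host is not under a trusted domain")
    if not host.isascii():
        reasons.append("host contains non-ASCII characters (possible look-alike)")
    if parsed.scheme != "https":
        reasons.append("link is not https")
    return {"url": url, "host": host, "suspicious": bool(reasons), "reasons": reasons}


def sender_domain(from_line: str) -> str:
    """Extract the domain part of the address in a 'From:' header line."""
    match = ADDR_RE.search(from_line)
    if not match:
        return ""
    return match.group(0).rsplit("@", 1)[-1].lower()


def analyze_email(text: str) -> dict:
    """Check the sender domain and every link in the message body."""
    from_line = next((ln for ln in text.splitlines() if ln.lower().startswith("from:")), "")
    sdom = sender_domain(from_line)
    links = [classify_url(u) for u in URL_RE.findall(text)]
    return {
        "sender_domain": sdom,
        "sender_trusted": bool(sdom) and is_trusted_host(sdom),
        "links": links,
        "suspicious_links": [link["url"] for link in links if link["suspicious"]],
    }


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    print("sender domain:", report["sender_domain"], "trusted:", report["sender_trusted"])
    for link in report["links"]:
        print(("SUSPICIOUS " if link["suspicious"] else "ok         ") + link["url"])
        for reason in link["reasons"]:
            print("    -", reason)
```

Running it on the constructed message reports the sender as untrusted and flags the first two links while accepting the third, which is a genuine subdomain of the trusted name. The suffix test in `is_trusted_host` is the whole point: a reader skimming the link sees the familiar company name at the front and stops reading, which is exactly the non-checking behaviour the lecture warns about.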