Social Engineering

Loose lips sink ships

Tom Conley, Senior Information Security Analyst
Matthew Dalton, Director of Information Security
Ohio University

Post on 21-Dec-2015



What is Social Engineering?

• While other forms of hacking target the technology, social engineering attempts to exploit human psychology to achieve the hacker’s goals.

• Emotional tension + path to resolution > Logic or Controls = social engineering

• Emotional “Amplifiers” and Distractions are catalysts for this.

• Social Engineering has been known by many names
– Trojan Horse
– Con Men
– Snake Oil Sales
– Phishing

Psychology of Social Engineering

Seek Positive
• Being Helpful
• Hedonism/Greed
• Conformity
• Trust
• Compliance

Avoid Negative
• Guilt
• Feeling Foolish
• Pain
• Undue Effort
• Punishment

Emotional “Amplifiers”

Seems like an Authority
• Police
• Fire Dept

Look knowledgeable
• IT, HR
• Use Company Jargon

Look Distraught
• Time is critical
• Life could be on the line

Seem established
• Cool detachment
• Part of the Routine

Scenario #1

Matthew
• Pretends to be from IT, trying to get a password into the HR system

Tom
• Pretends to work in the HR department

Scenario #2

Matthew
• Ex-boyfriend pretends to be a distraught parent, trying to get a particular student’s class schedule.

Tom
• Pretends to work in the Registrar’s office

Scenario #3

Tom
• Pretends to be a survey taker at the bottom of Baker Center

Matthew
• Pretends to pass by in Baker