Hi everyone, Ed Amoroso here. In this video I want to talk to you about a particularly tough, particularly insidious type of attack known as social engineering. Now this is a relatively recent phenomenon in business. You didn't have this too much maybe 100 years ago, even 50 years ago. But more recently, we've seen hackers and fraudsters and criminals and even young children just fooling around taking advantage of the trust that businesses place in their customers when they're trying to help them.

So for example, a lot of businesses will set up a very friendly help desk with smiling, happy, friendly people who are there wearing their headsets, ready to provide assistance to customers. Maybe you forgot something, forgot your account number, or you want to look something up. Or you need help ordering, or you want to check a balance, any number of things that you might be calling a help desk for. And these help desk folks are trained to be helpful, that's the whole idea. They are dispensers of help, hence the name.

So when you call and, for example, you make believe you are Alice, but you're really not. And you call in as Alice and you try and get information, you're taking advantage of that trust. In a sense, you're kind of lying. And there's a whole discipline around how this works that hackers have figured out.

For example, if you're calling bank XYZ, before you call them, you look on your website, you get some information about them. You learn the names of the departments. So that as you're calling in, either as a customer or even as an employee, you do so in a way that has some informed element to it. You know the right lingo, you know the right sort of things to be asking for. Similarly, if you're calling as a customer, you might find some things about the customer. And we refer to a lot of that as sort of a targeted attack or a speared attack where I'm calling in as you, but I first learn about you. I go in your website. I go in your social network pages.
I look you up a little bit. And then if I'm calling in as you, I'm calling from an informed perspective. I might have your home address, for example, might have some phone numbers, might have email.

So that first attack, social engineering is a particularly tough one. There's a related one, sort of a physical attack where you might be looking not so much for people calling, but you're looking for paper. You're looking for discarded trash or documents or reports that might have information that would be particularly useful to then use in a subsequent attack. And there's a classic reference that we have in this area called dumpster diving. That's where you go and you dive in the garbage of some business. And you're looking for whatever you can find. And again, there's a whole discipline around how you do this.

Like for example, one thing some youngsters like to do if they're dumpster diving a business is bring some cardboard boxes, scatter them around outside the dumpster and then jump in looking for business material. If the police, if corporate security, if some people come up and they say, hey, what are you doing? You pop your head up out of the trash dumpster. And you say, I'm just looking for some boxes, I'm moving, and you have some boxes scattered there. And they might kick you out and say, hey, get outta there, you're not allowed in there. But it looks like a plausible argument.

You could also make it look like you're foraging for food if you have some food in your pocket, a sandwich that you ball up into some tinfoil or something. And then you dive in, and the police come and somebody comes, they say what are you doing? Well, you stand up and you take a bite of your sandwich, and it appears that you're actually looking for food. So there are all these plausible arguments that could be used to support maybe not getting caught dumpster diving, similarly social engineering, and so on.
The reason these are so difficult, the reason these are just completely unacceptable attacks is because the solution to these has been to not trust people that you're dealing with, to change the business model to be helpful to folks. Now granted, dumpster diving should not occur. You should be shredding your documents, and there are some sort of physical interaction type attacks that I think are reasonable to be stopping with approved security. But when you have to train a help desk not to be helpful and to distrust people calling in and to assume the glass is half empty as opposed to the glass is half full. You call in and instead of saying, the goal of this call is I really want to help you, if you change that to, the goal of this call is to make sure you don't hack me, changes business. Changes the way we interact, not just in business, but as a society. So social engineering and dumpster diving, in particular, are very difficult types of attacks to deal with because they prey on the basic trust that businesses have with their customers.

Now, got a little quiz here, and the answer is none of the above. None of them really make any sense or are true with respect to social engineering. As we said, social engineering takes advantage of the trust that businesses have with their users. And a solution, unfortunately in many cases, has been to degrade that trust to some degree. So hopefully this has been useful for you, and we will see you in our next video, thanks.