social engineering attack surface
The social engineering attack surface is the totality of an individual's or a staff's vulnerability to trickery.
Social engineering attacks usually take advantage of human psychology: the desire for something free, the susceptibility to distraction, or the desire to be liked or to be helpful. Social engineering is often used by hackers and other thieves.
A few examples of social engineering attacks:
- A faked call to IT posing as an employee to get a password.
- Media drops, which are much like a physical Trojan horse: an enterprise employee might pick up an apparently lost flash drive in the parking lot, for example, which, once plugged in, automatically runs code that leads to a data breach.
- Fake service people, such as janitors, repair people or electricians, gaining access to server closets.
The main thing one can do to reduce the social engineering attack surface is to educate employees about known risks and about how social engineering hackers tend to operate. This information can help them reappraise innocuous-seeming interactions that could lead to data breaches, long-tail intrusions and lost operational time.
Many attack approaches use a combination of attack surfaces to gain access to resources. Social engineering, for example, is often used to gain physical access that then enables an intruder to exploit software vulnerabilities.
See also: software attack surface, network attack surface, physical attack surface