With all the advances in technology, the oldest way to attack a password-based security system is still the easiest: coercion, bribery, or trickery against the users of the system.

Social engineering is an attack against people, rather than machines. It is an outsider's use of psychological tricks on legitimate users of a computer system, usually to gain the information (e.g., user IDs and passwords) needed to access a system. The notorious "hacker" Kevin Mitnick, who was convicted on charges of computer and wire fraud and spent 59 months in federal prison, told a Congressional panel that he rarely used technology to gain information and used social engineering almost exclusively (Federation of American Scientists, n.d.).
According to a study by British psychologists, people often base their passwords on something obvious and easily guessed by a social engineer. Around 50% of computer users base them on the name of a family member, a partner, or a pet. Another 30% use a pop idol or sporting hero. Another 10% of users pick passwords that reflect some kind of fantasy, often containing some sexual reference. The study showed that only 10% use cryptic combinations that follow all the rules of "tough" passwords (Brown, 2002).
The best countermeasures to social engineering attacks are education and awareness. Users should be instructed never to tell anyone their passwords. Doing so destroys accountability, and no legitimate request for a password should ever arrive: a system administrator never needs to know it either.

Also, users should never write down their passwords. A clever social engineer will find it if it is “hidden” under a mouse pad or inside a desk drawer.