It is not hacking that results in the most damaging penetrations of an enterprise's security. It is often the work of an employee within the enterprise that causes the most harm. In most organisations, security measures are focused on attacks from outside; the insider threat is usually ignored, though it is an important area of concern. It is estimated that more than 70% of unauthorised access to information systems is committed by employees. Gartner estimates that more than 95% of intrusions that result in significant financial losses can be attributed directly or indirectly to insiders.
Malicious attackers know that the easiest way into any system is to exploit the people who use and administer it. Malicious attackers who make their way into IT systems do not work in isolation. Their accomplices are often unsuspecting employees of the enterprise, who are targeted by these attackers. An employee who is targeted by an attacker is a victim of 'social engineering', which is the manipulation of a person through a combination of spying, theft, deception, and psychological ploys. This 'art of human persuasion' takes advantage of the natural tendencies of humans to be trusting, to seek prestige, to avoid embarrassment, or merely to look for acceptance. Awareness of 'social engineering techniques' is thus an important part of personnel security.

Likewise, background checks have become an imperative human-resource requirement. Insiders who may be moles for corporate espionage, or who may be susceptible to social engineering through bribes and the like, have always been the biggest threat to a network. Background checks will continue to play an expanded role in the decision-making process for building a safe, competent, and long-term workforce.
Social engineering techniques
The fundamental methodology of social engineering is the use of trickery instead of technical knowledge. Social engineering is the exploitation of the natural human tendency to trust others. It is a hacking technique that relies on weaknesses in human nature rather than weaknesses in hardware, software, or network design. Using social engineering, even someone with minimal computer hacking skills can find a way into a supposedly secure system. Social engineering, therefore, involves the gathering of information that makes the technical side of hacking easier. It is done by using psychological methods on unsuspecting people to obtain confidential information without the use of technical tools or techniques. It is a method for leveraging the vulnerabilities introduced by the human element in an organisation.
Common methods used in social engineering
Reverse engineering
In this method, a legitimate user is induced into asking an attacker questions, and the attacker obtains information from the exchange. The attacker poses as a person of higher authority or competence than the user, and deduces the needed information from the questions the user asks. For example, the attacker may pose as a system administrator available by phone to answer computer-related queries from end-users.
E-mail
This mode of social engineering involves sending an e-mail on a topical subject to a user possessing confidential information. The e-mail is meant to trigger an emotional response from the user. It makes the user unwittingly participate in the hacking, either by disclosing the confidential information or by opening the mail and thereby letting a virus or Trojan into the end user's system. Examples of this kind of social engineering are the 'I love you' virus, the 'Anna Kournikova' worm, the 'KLEZ' e-mail worm, chain e-mails, and virus hoaxes.
Website
Fictitious websites that require users to enter e-mail addresses and passwords are created. The expectation is that users will use the same or similar passwords at the site as they use at their workstations.
Direct approach
A user possessing confidential information, such as usernames and passwords or the names of important personnel, is directly approached and asked for the information.
Important user
An attacker posing as a senior manager with an urgent issue approaches a user possessing confidential information. The user is made to disclose information such as the type of remote access solution in use, its configuration, the telephone numbers of a Remote Access Server (RAS), or the credentials needed to log in to the system.
Helpless user
An attacker posing as a new or temporary user approaches a user, usually a non-IT person, who possesses confidential information. The attacker feigns helplessness with an IT-related problem and attempts to make the user feel sympathetic enough to reveal some confidential information.
Tech support personnel
An attacker approaches a user possessing confidential information, posing as an IT employee who is troubleshooting a problem. The attacker asks for the user's username and password, supposedly to see how the problem appears under the user's access.
Shoulder surfing
This form of social engineering involves an attacker, usually an insider, looking over the shoulder of a user and reading a password as the user types it in. Such attackers are usually trusted insiders who secretly indulge in unethical activities. The attacker could also be a visitor, legitimate or otherwise, looking to obtain a password and use it to gain remote access.
Observing behavioural patterns
The attacker, usually a visitor, observes the behavioural patterns of a target user or a group of target users. For example, an attacker may try to find out whether a user allows others to piggyback into secure premises.
Dumpster diving
An attacker sifts through an organisation's trash looking for sensitive information related to the organisation and its personnel. The information may be work-related, such as market intelligence, or personal, such as birthdays, phone numbers, and credit card details, which may be used for guessing passwords. It may provide the hacker with vital clues that can be used for further social engineering and for breaking into a network. For example, a hacker may use sensitive personal information to blackmail an employee into revealing classified information relating to an organisation.
Countermeasures to social engineering
Many computer users mistakenly assume that the network administrator and security personnel are doing everything necessary to keep networks safe. This creates a false sense of security, and they do not bother taking precautions themselves. To counter 'social engineering', the measures recommended by the 'Non-Proliferation and National Security Institute' are:
- If you cannot identify a caller who asks for information such as a badge number, employee number, information about your computer, or any other sensitive information, do not provide any information.
- Insist on verifying the caller's identity by calling the person back at the telephone number listed in your organisation's telephone directory. This procedure causes minimal inconvenience to legitimate activity when compared to the scope of potential losses.
- System maintenance technicians from outside vendors who work on site should be accompanied by the local site administrator (who should be known to you).
- If the site administrator is not familiar to you, or if the technicians come alone, it is wise to call a site administrator you know. Unfortunately, many people are reluctant to do this, because it makes them look paranoid and it is embarrassing to show that they do not trust a visitor.
- Only you should know the password for your personal account.
- System administrators or maintenance technicians who need to do something to your account do not need your password. They have their own passwords, which grant system privileges that allow them to work on your account without you having to reveal your password.
- If a system administrator or maintenance technician asks you for your password, be suspicious.
- Do not give your password to someone who tells you in person, over the phone, or in an e-mail message that they are fixing a problem with your computer or network and need your password. In such cases, immediately notify your security personnel.
- Lock your workstation before you leave your desk. Use password-protected screensavers.
- Challenge strangers you come across in restricted areas who do not display proper badges or identification.
- Do not participate in phone surveys that ask a multitude of questions about your organisation's computer systems.
- Do not discuss business over meals in public places.
- Shred all papers before putting them in the trash bin.