Security policies are created with the common goal of protecting the integrity, confidentiality and availability of information (Pfleeger, 1997, p.4). To this end they try to address all security issues comprehensively, attempting to cover everything from physical security, to electromagnetic emissions control, to personnel certification and authorisation, to user authentication, and so on. However, one issue that is very difficult to cater for is the exploitation of psychological traits that are inherently present in all humans. By exploiting such human characteristics, an attacker can bypass most (if not all) of the security rules and directives specified by even the most stringent security policy and gain access to sensitive information that is thus only falsely assumed to be safe.
People who employ such methods to circumvent existing security measures need not be technological wizards in the sense that hackers are. All they need is good communication skills and the ability to adapt quickly to situations and roles that the ordinary, benevolent person cannot. These people are commonly described as "Social Engineers" (Mitnick & Simon, 2002, p. 7). The "Engineer" part of the title signifies the attacker's ability to design an attack procedure and successfully carry it out. It equally denotes the attacker's ability to adapt swiftly to changing situations while interacting with a target (also called the victim or "Mark"). The term also indicates possession of the problem-solving skills needed to avoid pitfalls and, through manipulation of the Mark, to achieve the desired effect of gaining access to the sensitive information sought.
Accordingly, the types of attack that target the human element within a protected system in an indirect and possibly unorthodox way, in order to bypass existing security controls, are generally described by the term "Social Engineering". Those who carry out attacks of this type can successfully apply methods of Social Psychology against other people, with the ultimate goal of gaining access to restricted information. Such attacks call for a high level of preparation and the collection of data that simplifies the attack and makes the attacker's claims believable.
A formal definition of Social Engineering is found in the Merriam-Webster online dictionary (2004), where it is described as the "management of human beings in accordance with their place and function in society : applied social science".
Social Science "deals with the institutions and functioning of human society and with the interpersonal relationships of individuals as members of society" (Merriam-Webster, 2004). A Social Engineer will focus on building and exploiting an interpersonal relationship with the Mark. This relationship does not have to be based on a false sense of trust. Alternative routes followed by the Social Engineer can be based on psychologically negative principles such as intimidation or fear. Furthermore, the relationship resulting from an SE attack cannot always be prescribed in advance, as it is invariably moulded by the interaction between the Social Engineer and the Mark. This uncertainty can only be controlled by the skill of the Social Engineer, whose ability to adapt to rapidly changing situations dictates the degree of success of the attack.
As is clear from the definitions given so far, there is no direct correlation between SE and computer systems. This is because the methods grouped under the term "Social Engineering" are neither particularly related to computer technology, nor are they anything new. SE techniques have been used since the birth of mankind to extract information and achieve goals through the manipulation of (at least in principle) unwilling people. From the ancient art of spying and infiltrating the enemy's ranks, to the more modern applied art of advertising, to telephone scams and pyramid schemes, all fall under Social Engineering (or have a lot in common with it) in the sense that they all require considerable skill on the part of the attacker in order to convince the Mark to do something that he or she would not normally do. SE has always been the weapon of choice for carrying out traditional fraud. Hence, the extension of SE practices to take advantage of the opportunities arising from the vast field of computer systems, and the information processed through them, is far from unexpected.
Granger (2001) identifies the goals of computer-related SE as being similar to those of hacking in general: "to gain unauthorised access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network". This statement formally describes the adaptation of old-fashioned subterfuge to modern technology-oriented reality.
In an effort to better define "Social Engineering" in the context of the computer age, the Hacker's Jargon Lexicon (2004) states: "Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security". Note: For clarity, "Wetware" (also known as "Meatware" or "Liveware") according to Hacker's Jargon Lexicon (2004) is defined as: "1. The human nervous system, as opposed to computer hardware or software. 2. Human beings (programmers, operators, administrators) attached to a computer system, as opposed to the system's hardware or software".
In the "Complete Social Engineering FAQ" by Bernz (2004) it is stated that "Hacking takes more advantage of holes in security while social engineering takes advantage of holes in people's common sense".
Thus, a more precise definition of SE for the specific context of computer-related crime would be: "The subtle psychological and mental manipulation of legitimate users of a computer system, leading to the disclosure of sensitive information that enables the attacker to obtain access to that computer system or to the data processed on it". The manipulation has to be subtle because nobody possessing a reasonable level of common sense will succumb to an unreasonable demand made by the attacker. In this sense, the victim must be manipulated within the scope of his or her everyday tasks and responsibilities. Social engineering does not involve any kind of telepathic mind control and as such cannot force the victim to take any action.