Mogull: Social engineering is the manipulation of people rather than electronic systems in a security attack. The reality of it is that we all use it on a day-to-day basis-to get a discount at a store, to maybe get into a concert that were not supposed to get into, and so forth. Successful social engineering can completely circumvent all of our security.
Heres an example: How hard do you think it is to get a UPS uniform? You can buy one on eBay for $50 bucks with 48-hour delivery. How much access do we give the UPS guys? Say this UPS guy comes in early in the morning before anyone else is in the office and hes got a delivery for so-and-so. He walks into the data center with a PDA, plugs it into the computer, and voila. He can suck down anything. Obviously, there are a lot of tools at the disposal of somebody who wants to perpetuate these kinds of problems.
Another example: The cleaning and maintenance staff have access to your entire organization overnight while theyre cleaning and maintaining. How do you know that they dont have a Ph.D. in computer science and malicious intent? You dont.
Heres a great story, and its true: A CEO of a company goes on vacation. The day after he leaves, a consultant, wearing a suit, carrying all the right references, walks in the door of the office and says, "Mr. Johnson hired me and asked me to take a look at your engineering plans. Apparently, there was a technical problem." Someone says, "Oh, he just went on vacation, hes not here." The consultant responds: "Well, you know, I came from out-of-town, Im only here for basically the one day. This is pretty important, and, frankly, you guys already paid me a lot of money. Is there anyone I could talk to about this?" So this person sits down, spends an entire day going over the engineering plan, and walks out with copies because there are some issues that he needs to work on later. Meanwhile, the CEO gets back from vacation and says: "What consultant?"