In this article the term "Social Engineering" (from here on referred to as SocEng) is used to describe the confidence tricks used by hackers to get into systems. Psychologists also use the term Social Engineering, but I am unsure in what context. Social engineering is a fine art and many security breaches would be near impossible without it. "H4x0r cr3w 0wnz j0ur b0x" type web defacements are unlikely to utilise SocEng, and most attacks using it are so subtle they are never even noticed.
Please bear in mind that this article is intended to make you think twice about what you do at your workplace; it is not a guide to making a living from hacking. If you are confident and smart enough to do this stuff, lying no doubt comes naturally to you and you already know all of it.
Stop and think for a moment: when was the last time you got a helpdesk call for a lost password from Bob in Finance? Did you know Bob? Did you know there WAS a Bob? Did you verify that Bob really was Bob? Chances are, like most people, you took it for granted that it was Bob, spat out a new password and went back to whatever you were doing. A call back to the extension listed for Bob in the staff directory, or a word with his manager, would have settled it in a minute. It seems to be human nature to accept things as true unless there is a strong indication otherwise. It's the same as checking money. You assume the bills you get in change are not forgeries. It's only when they are smaller, blue rather than green, and the Monopoly man has replaced Benjamin Franklin that you begin to wonder...
Real mercenary Black Hats are not script kiddies. A misconfigured firewall and an unpatched Red Hat 5.2 box serving as a mail gateway will give them an easy way in, but technology is not the only resource at their command. What easier way to get at a system than to stroll in, wave to the security guard, sit down at a terminal and use the password stuck to the bottom of the desk drawer? It is riskier for the intruder, but also far quieter than hammering packets against a firewall looking for an open port, and it leaves nothing in the firewall logs.
There was a story published in (as I recall) WiReD a few years ago in which a security consultant gained access to a system by walking in, physically subverting a lock (with a screwdriver or suchlike), and sitting down at the main console. He informed the indignant head of security at the company and gave his advice on fixing the physical access problem. When he re-tested the company a week or two later he was still able to do exactly the same thing. You may be installing all your vendor patches within an hour of release, but how good are your locks? Do you have CCTV? How often do you walk away from a root console to grab a cup of coffee, and does the screen lock when you do?
In relation to my "Bob from Finance" example above, this can work both ways. What if Bob got a call from Lance in the IT Department? Lance asks whether Bob's computer has been freezing. Bob doesn't think so, but Lance says Bob had better tell him his password so he can fix it just in case. Bob hands over his password and hangs up. Bob doesn't remember meeting anyone called Lance in IT, but Lance seemed to know what he was talking about, and there are lots of people in the organisation Bob has never met. When the witch hunt for industrial espionage reaches Bob a few months later, once every audit trail leads to his account, he will no doubt have forgotten all about the call from Lance. The account was his; the sessions were not, and nothing in the logs will say so unless someone looks at where and when they happened.
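The audit-trail point is where the Lance call would be caught, if anyone looked. As an added example that is not part of the original article, the Python below runs a few simple rules over constructed logon records (the log format, the host names and the user "bob" are all made up for illustration, not taken from any real product or incident): a logon from a host the account has never used, a logon outside business hours, and two different hosts logged on as the same account within half an hour. Each of those is exactly what a borrowed password produces and Bob's own routine does not.

```python
"""Audit-trail review for an account whose password may have been talked out of its owner.

Added example; this is not code from the original article. The log format
(timestamp, user, host, result, one record per line) and the records below are
constructed for illustration, not taken from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records. bob normally works from FIN-WS-17 during the
# day. The late-night dial-up and server logons, and the one that overlaps Bob's
# own morning session, are what "Lance" does with the password he was given.
SAMPLE_LOG = """\
2001-03-05T08:52:10 bob FIN-WS-17 success
2001-03-05T13:02:41 bob FIN-WS-17 failure
2001-03-06T08:47:03 bob FIN-WS-17 success
2001-03-07T09:01:55 bob FIN-WS-17 success
2001-03-07T23:14:20 bob DIALUP-04 success
2001-03-08T02:30:12 bob FILESRV-01 success
2001-03-08T08:55:31 bob FIN-WS-17 success
2001-03-08T08:59:02 bob MAIL-GW success
"""

BUSINESS_START, BUSINESS_END = 7, 19     # 07:00 to 19:00 local, Monday to Friday
OVERLAP_WINDOW = timedelta(minutes=30)   # two hosts inside this window means two people


def parse(log_text):
    """Successful logons as sorted (timestamp, user, host) tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host, result = line.split()
        if result == "success":
            records.append((datetime.fromisoformat(ts), user, host))
    return sorted(records)


def in_business_hours(ts):
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def build_baseline(records, baseline_end):
    """Hosts each account used during business hours before baseline_end."""
    usual = defaultdict(set)
    for ts, user, host in records:
        if ts < baseline_end and in_business_hours(ts):
            usual[user].add(host)
    return usual


def detect(log_text, baseline_end_iso):
    """Return (timestamp, user, host, reasons) for suspicious logons after the baseline period."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    records = parse(log_text)
    usual = build_baseline(records, baseline_end)
    last_seen = {}   # user -> (timestamp, host) of that account's previous logon
    alerts = []
    for ts, user, host in records:
        reasons = []
        if ts >= baseline_end:
            if host not in usual[user]:
                reasons.append("host never used by this account")
            if not in_business_hours(ts):
                reasons.append("outside business hours")
            prev = last_seen.get(user)
            if prev and prev[1] != host and ts - prev[0] <= OVERLAP_WINDOW:
                reasons.append("overlaps session on " + prev[1])
        if reasons:
            alerts.append((ts, user, host, reasons))
        last_seen[user] = (ts, host)
    return alerts


if __name__ == "__main__":
    for ts, user, host, reasons in detect(SAMPLE_LOG, "2001-03-07"):
        print(ts.isoformat(), user, host, "; ".join(reasons))
```

Run it as a script to see the three flagged logons. The baseline date marks where the "known good" history ends; in practice it would come from weeks of logs rather than two days, and the rules would be tuned per account rather than per site.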
Corporate databases contain a lot of valuable information. Things like payroll databases tend to have sanity checks in them, but if all the figures inside the databases add up within their own universe, no one is any the wiser. If the Human Resources database has a record for each of the five phantom employees who have been added to the Payroll database, who is to know they are not real? I've never heard of a large company doing roll calls to make sure all its employees are real. Provided it was done carefully, who would ever suspect that five of the four hundred people employed by the company were money syphons? Truth be known, five phantom employees could turn out to be a lot less costly than many of the alternatives. The check that catches them has to step outside that universe: reconcile payroll against badge swipes, logon records, benefits enrolment, or the manager who is supposed to be approving their timesheets.
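The roll call nobody does can be done by the databases themselves. As an added example, not code from the original article, the Python below builds a small in-memory SQLite set of payroll, HR, badge and logon tables (all constructed, including the employee IDs, names, departments and bank accounts) and runs three checks: the naive payroll-against-HR comparison that carefully planted phantoms pass, then two that step outside that universe, looking for salaried IDs with no badge swipe or logon in the window, and bank accounts receiving more than one salary.

```python
"""Ghost-employee reconciliation: check the payroll master against evidence that
each person actually turns up.

Added example; not code from the original article. The tables, column names,
employee IDs and rows are constructed for illustration. The three queries are
the point: the first is the naive payroll-vs-HR check that planted phantoms
pass, the other two look at data the fraudster cannot plant as easily.
"""
import sqlite3

SCHEMA = """
CREATE TABLE payroll (emp_id TEXT PRIMARY KEY, name TEXT, dept TEXT,
                      bank_acct TEXT, monthly_pay INTEGER);
CREATE TABLE hr      (emp_id TEXT PRIMARY KEY, name TEXT, dept TEXT,
                      manager_id TEXT, hire_date TEXT);
CREATE TABLE badge_log (emp_id TEXT, swiped_at TEXT);
CREATE TABLE logon_log (emp_id TEXT, logged_on_at TEXT);
"""

# Constructed data. E0103 and E0104 exist in both payroll and HR, so a
# payroll-vs-HR comparison is clean, but they never badge in, never log on,
# and are paid into the same bank account.
ROWS = {
    "payroll": [
        ("E0101", "A. Reyes", "Finance", "ACCT-7781", 4200),
        ("E0102", "B. Okafor", "Finance", "ACCT-1130", 3900),
        ("E0103", "C. Lindqvist", "Facilities", "ACCT-5566", 3100),
        ("E0104", "D. Marsh", "Facilities", "ACCT-5566", 3100),
        ("E0105", "E. Tanaka", "IT", "ACCT-9021", 5100),
    ],
    "hr": [
        ("E0101", "A. Reyes", "Finance", "E0105", "1998-04-01"),
        ("E0102", "B. Okafor", "Finance", "E0101", "1999-09-13"),
        ("E0103", "C. Lindqvist", "Facilities", "E0101", "2000-11-02"),
        ("E0104", "D. Marsh", "Facilities", "E0101", "2000-11-02"),
        ("E0105", "E. Tanaka", "IT", None, "1997-02-17"),
    ],
    "badge_log": [
        ("E0101", "2001-03-05T08:40:00"), ("E0102", "2001-03-05T08:51:00"),
        ("E0105", "2001-03-05T07:58:00"), ("E0101", "2001-03-06T08:38:00"),
        ("E0102", "2001-03-06T08:55:00"), ("E0105", "2001-03-06T08:02:00"),
    ],
    "logon_log": [
        ("E0101", "2001-03-05T08:52:10"), ("E0102", "2001-03-05T09:03:30"),
        ("E0105", "2001-03-05T08:05:12"),
    ],
}


def load(conn):
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        # Table names come from the constant above, never from user input.
        marks = ",".join("?" * len(rows[0]))
        conn.executemany("INSERT INTO %s VALUES (%s)" % (table, marks), rows)


def payroll_hr_mismatches(conn):
    """IDs in one system but not the other, or with a different name or department."""
    return conn.execute("""
        SELECT p.emp_id FROM payroll p LEFT JOIN hr h ON h.emp_id = p.emp_id
         WHERE h.emp_id IS NULL OR p.name <> h.name OR p.dept <> h.dept
        UNION
        SELECT h.emp_id FROM hr h LEFT JOIN payroll p ON p.emp_id = h.emp_id
         WHERE p.emp_id IS NULL
        ORDER BY 1""").fetchall()


def paid_but_never_present(conn, since):
    """Employees on payroll with no badge swipe and no logon since the cut-off date."""
    return conn.execute("""
        SELECT p.emp_id, p.name, p.dept, p.monthly_pay FROM payroll p
         WHERE NOT EXISTS (SELECT 1 FROM badge_log b
                            WHERE b.emp_id = p.emp_id AND b.swiped_at >= :since)
           AND NOT EXISTS (SELECT 1 FROM logon_log l
                            WHERE l.emp_id = p.emp_id AND l.logged_on_at >= :since)
         ORDER BY p.emp_id""", {"since": since}).fetchall()


def shared_bank_accounts(conn):
    """Two or more salaries landing in one account."""
    return conn.execute("""
        SELECT emp_id, bank_acct FROM payroll
         WHERE bank_acct IN (SELECT bank_acct FROM payroll
                              GROUP BY bank_acct HAVING COUNT(*) > 1)
         ORDER BY emp_id""").fetchall()


def run_reconciliation(since="2000-12-08"):
    """Run all three checks on the constructed data; since = start of the activity window."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {
        "payroll_hr_mismatch": payroll_hr_mismatches(conn),
        "paid_but_absent": paid_but_never_present(conn, since),
        "shared_bank_accounts": shared_bank_accounts(conn),
    }


if __name__ == "__main__":
    for check, rows in run_reconciliation().items():
        print(check, rows)
```

The first check comes back empty on this data, which is the article's point: inside the payroll and HR universe the phantoms are perfect. The other two each pick out E0103 and E0104. Against a real company the activity window would be a quarter or so, and the badge and logon sources should be owned by someone other than whoever administers payroll, or the fraudster simply plants rows there too.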
When you are next auditing or designing a system, or even moving buildings, stop and think about this stuff. Shape your corporate policy to take it into account. Stop now and send out a memo reminding staff that Helpdesk people will never ask for their password, and that anyone who does ask should be reported. There were confidence tricksters in Biblical times, and there will be for a long time into the future....