The unfortunate bottom line of networking security problems is that hacking happens because it is allowed to happen. Most cases of fraud could have been prevented if people had just adhered to sensible protocols and properly implemented available security solutions. It cannot be stressed enough that the big problem with IT security is people - you, me, and the vast majority of people in the world who interface with IT systems.
It is far easier to get vital information from a person than it is to extract it from a well organized and protected computer system. That's seems like a fantastic statement, but it is absolutely true. If a complete security architecture is deployed, maintained and followed, then it is very difficult to penetrate systems. But humans are another problem entirely.
Absolute faith in a security system can ultimately be its greatest weakness, as people grow accustomed to it and fail to hold up their end of the bargain. Every wall has a gate through which people can walk; conventional hacking involves breaking this gate down, and even the best antivirus software can be fooled. Social engineering is getting the gate keepers to wave you past with a smile on their faces.
To focus your mind for the next couple of minutes while you read through this article, let me tell you a story. For the distinct purpose of legality, I'm going to clearly state that this story is a figment of my imagination.
Hiding In Plain Sight
Suppose that I'm asked by a firm to configure some Internet application servers. This is a very high profile hacking target: an online financial institution.
I'm hired to work on a server farm. After introducing myself to the staff and conducting some initial meetings, I get to work at a console that is provided for me in the main IT area. I bring in my own laptop and configure it for DHCP and simply plug into the system.
Out of habit, I run a quick scan looking for other devices that are running in promiscuous mode (sniffing) on the system. This might point to a previous or current visitor, or company security software looking for illegal activity on the network.
The server room is located several floors up, and all entrances and elevators are secured by access control cards, not unlike a credit card. For me to access this area I have to ask someone to accompany me and provide access by swiping their card. I need to do this a couple of times a day as the need arises.
Following a short period of working on site, everyone is tired of traveling around the building using their key cards to open doors and operate elevators on my behalf. Trust builds as familiarity breeds contempt, and within two weeks I'm getting a loan of employees' pass cards, and a short time later I have my own temporary key card.