Social Engineering – A Threat Vector
- Wednesday, September 8, 2010, 12:31
- Threat Research
What is “social engineering”? A simple working definition that I like is “to induce an individual to take an action in which they otherwise would not engage.” This raises a second question: “What does this have to do with business?” It means that employees of businesses, both large and small, may become targets of unscrupulous and malevolent entities interested in obtaining the information or assets belonging to the business. These individuals may wish to engage in criminal behavior and break into your business headquarters; they may attempt to follow an employee through the side door; or perhaps they will speak to you on the telephone and ask you to share the phone number of an executive, provide your user ID and password, or reveal the physical whereabouts of a facility or executive.
In all cases two factors are at play: compassion and urgency. The individual will attempt to trigger the target’s basic human trait to be helpful. The individual will also infuse a sense of urgency into their quest for information or a specific action, with the expectation that you won’t have sufficient time to verify their proffered bona fides.
So what happens before the phone rings or you’re faced with an unknown person either face-to-face, on the phone, in an instant message window, or via a Twitter/Facebook exchange?