Kali Linux Social Engineering

By: Rahul Singh Patel

Overview of this book

Kali Linux has a specific toolkit that incorporates numerous social-engineering attacks all into one simplified interface. The main purpose of SET (social engineering toolkit) is to automate and improve on many of the social engineering attacks currently out there.

This book is based on current advanced social engineering attacks using SET that help you learn how security can be breached and thus avoid it. You will attain a very unique ability to perform a security audit based on social engineering attacks.

Starting with ways of performing the social engineering attacks using Kali, this book covers a detailed description on various website attack vectors and client side attacks that can be performed through SET. This book contains some of the most advanced techniques that are currently being utilized by hackers to get inside secured networks. This book covers phishing (credential harvester attack), web jacking attack method, spear phishing attack vector, Metasploit browser exploit method, Mass mailer attack and more.

By the end of this book you will be able to test the security of any organization based on social engineering attacks.

Table of Contents (11 chapters)

Understanding social engineering attacks


Social engineering comes from two words, social and engineering. Social refers to our day-to-day lives, both personal and professional, while engineering means a defined way of performing a task by following certain steps to achieve the target.

Social engineering is a term that describes a nontechnical intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures. For an example, refer to http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-. Here, you can see how a top federal lab was hacked through a spear phishing attack.

The Oak Ridge National Laboratory was forced to terminate the Internet connection for their workers after the federal facility was hacked. According to Thomas Zacharia, Deputy Director of the lab, this attack was sophisticated and he compared it with the advanced persistent threat that hit the security firm RSA and Google last year.

The attacker exploited a zero-day vulnerability in Internet Explorer to breach the lab's network. Microsoft later patched this vulnerability in April, 2012. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user's machine if he or she visits a malicious website. A zero-day vulnerability is a vulnerability present in an application for which a patch has not been released or isn't available.

According to Zacharia, the employees of the HR department received an e-mail that discussed employee benefits and included a link to a malicious website. This mail was sent to 530 employees, of whom 57 clicked on the link, and only two machines were infected with the malware. So as we can see, it's not very difficult to get inside a secured network. Many such attacks are covered in the following chapters.