Chapter 13: Social Engineering

question

Social Engineering Definition
answer

Social engineering is an attack against a user, and typically involves some form of social interaction. The weakness that is being exploited in the attack is not necessarily one of technical knowledge, or even security awareness. Social engineering at its heart involves manipulating the very social nature of interpersonal relationships.
question

The best defense against social engineering?
answer

The best defense against social engineering attacks is a comprehensive training and awareness program that includes social engineering. The training should emphasize the value of being helpful and working as a team, but doing so in an environment where verifying trust is a routine ritual that carries no social stigma.
question

Two types of ruses
answer

1) Familiarity 2) Avoiding hostility
question

EXAM TIP: SOCIAL ENGINEERING
answer

For the exam, be familiar with all of the various social engineering attacks and the associated effectiveness of each attack.
question

Shoulder Surfing
answer

Shoulder surfing does not necessarily involve direct contact with the target but instead involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work or may set up a camera or use binoculars to view the user entering sensitive data.
question

Dumpster Diving
answer

– The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known in the security community as dumpster diving. – Through this, an attacker might gather a variety of information that can be useful in a social engineering attack. – IN MOST LOCATIONS, TRASH IS NO LONGER CONSIDERED PRIVATE PROPERTY AFTER IT HAS BEEN DISCARDED. – An organization should have policies about discarding materials. Sensitive information should be shredded and trash should be secured.
question

Tailgating – How to counter?
answer

– Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building. – This can be countered with good security practices and mantraps.
question

Impersonation: Third-Party Authorization
answer

– Using previously obtained information about a project, deadlines, bosses, and so on, the attacker 1) arrives with something the victim is quasi-expecting or would see as normal, 2) uses the guise of a project in trouble or some other situation where the attacker will be viewed as helpful or as one not to upset, and 3) name-drops “Mr. Big,” who happens to be out of the office and unreachable at the moment, avoiding the reference check. The attacker seldom asks for anything that on the face of it seems unreasonable, or is unlikely to be shared based on the circumstances.
question

Impersonation: Help Desk/Tech Support
answer

– Calls to or from help desk and tech support units can be used to elicit information. Posing as an employee, you can get a password reset, information about some system, or other useful information. This works in both directions.
question

Impersonation: Contractors/Outside Parties
answer

question

Impersonation: Defenses
answer

– In all the cases of impersonation, the best defense is simple – have processes in place that require employees to ask to see a person’s ID before engaging with them if the employees do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don’t let people in through the door (piggybacking) without checking their ID.
question

Social Engineering Principles: two reasons it is successful
answer

1) The basic desire of most people to be helpful. 2) Individuals normally seek to avoid confrontation and trouble. Ex: if an attacker attempts to intimidate the target, threatening to call the target’s supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation.
question

Tools
answer

1) Authority 2) Intimidation 3) Consensus/Social proof 4) Scarcity 5) Urgency 6) Familiarity/liking 7) Trust