Chapter 13: Social Engineering

Social Engineering Definition
Terms in this set (13)
Social engineering is an attack against a user, and typically involves some form of social interaction. The weakness that is being exploited in the attack is not necessarily one of technical knowledge, or even security awareness. Social engineering at its heart involves manipulating the very social nature of interpersonal relationships.
The best defense against social engineering attacks is a comprehensive training and awareness program that includes social engineering. The training should emphasize the value of being helpful and working as a team, but doing so in an environment where trust is verified and is a ritual without social stigma.
Shoulder surfing does not necessarily involve direct contact with the target but instead involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work or may set up a camera or use binoculars to view the user entering sensitive data.
The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt is known in the security community as dumpster diving.
- Through this, an attacker might gather a variety of information that can be useful in a social engineering attack. IN MOST LOCATIONS, TRASH IS NO LONGER CONSIDERED PRIVATE PROPERTY AFTER IT HAS BEEN DISCARDED.
- An organization should have policies about discarding materials. Sensitive information should be shredded and trash should be secured.
- Using previously obtained information about a project, deadlines, bosses, and so on, the attacker arrives with 1) something the victim is quasi-expecting or would see as normal, 2) the guise of a project in trouble or some other situation in which the attacker will be viewed as helpful or as someone not to upset, and 3) a name-drop of "Mr. Big," who happens to be out of the office and unreachable at the moment, which sidesteps any reference check. The attacker seldom asks for anything that on its face seems unreasonable or unlikely to be shared under the circumstances.
Impersonation: Defenses - In all cases of impersonation, the best defense is simple: have processes in place that require employees to ask to see a person's ID before engaging with them if they do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don't let people in through the door (piggybacking) without checking their ID.
Social Engineering Principles: two reasons it is successful
1) The basic desire of most people to be helpful.
2) Individuals normally seek to avoid confrontation and trouble. Ex: an attacker may attempt to intimidate the target, threatening to call his supervisor because of a lack of help; the target may give in and provide the information to avoid confrontation.
Tools
1) Authority 2) Intimidation 3) Consensus/Social proof 4) Scarcity 5) Urgency 6) Familiarity/liking 7) Trust