
Social Engineering

Social engineering is the process by which intruders gain access to your facilities,
your network, and even your employees by exploiting the generally trusting
nature of people. A social engineering attack may come from someone posing as a
vendor, or it could take the form of an email from a (supposedly) traveling
executive who indicates that they have forgotten how to log on to the network
or how to get into the building over the weekend. It's often difficult to
determine whether the individual is legitimate or has bad intentions.

Social engineering is the art of manipulating a person, or a group of people, into
providing information or a service they otherwise would never have given. Social
engineers prey on people's natural desire to help one another, their tendency to
listen to authority, and their trust of offices and entities.

"Social engineering is using manipulation, influence and deception to get a
person, a trusted insider within an organization, to comply with a request, and
the request is usually to release information or to perform some sort of action
item that benefits that attacker." (Kevin Mitnick)

"I think it goes back to my high school days. In computer class, the first
assignment was to write a program to print the first 100 Fibonacci numbers.
Instead, I wrote a program that would steal passwords of students. My teacher
gave me an A." (Kevin Mitnick)

https://www.youtube.com/watch?v=DB6ywr9fngU

Types of Social Engineering

Shoulder Surfing: One popular form of social engineering is known as shoulder surfing, and it
involves nothing more than watching someone over their shoulder. They can see you entering a
password, typing in a credit card number, or entering any other pertinent information. The best
defense against this type of attack is to survey your environment before entering personal data. It is
a good idea for users not to have their monitors positioned in ways that make
it easy for this act to occur, but they also need to understand and appreciate that such an

Dumpster Diving: Dumpster diving is a common physical access method. Companies normally generate a huge amount
of paper, most of which eventually winds up in dumpsters or recycle bins. Dumpsters may contain information
that is highly sensitive in nature. In high-security and government environments, sensitive papers
are either shredded or burned. Most businesses don't do this. In addition, the advent of "green"
companies has created an increase in the amount of recycled paper, which can often contain all
sorts of juicy information about a company and its employees.

Tailgating: A favorite method of gaining entry to electronically locked systems is to follow someone
through the door they just unlocked, a process known as tailgating. Many people don't think twice
about this event (it happens all the time) as they hold the door open for someone behind them who
is carrying heavy boxes or is disabled in some way.

Types of Social Engineering

Impersonation: Impersonation involves any act of pretending to be someone you are not. This can be a
service technician, a pizza delivery driver, a security guard, or anyone else who might be allowed
unfettered access to the grounds, network, or system. Impersonation can be done in person, over the
phone, by email, and so forth.

Hoaxes: Network users have plenty of real viruses to worry about. Yet some people find it entertaining to
issue phony threats to keep people on their toes. Some of the more popular hoaxes that have been
passed around are the Good Times and the Irina viruses. Millions of users received emails about these two
viruses, and the symptoms sounded just awful.

Technical Support: A form of impersonation, this attack is aimed at the technical support staff
themselves. Tech support professionals are trained to be helpful to customers; it's their goal to solve
problems and get users back online as quickly as possible. Knowing this, an attacker can call up posing
as a user and request a password reset. The help desk person, believing they're helping
a stranded customer, unwittingly resets a password to something the attacker knows, thus granting him
access the easy way. Another version of this attack is known as authority support.

Types of Social Engineering

Whaling: Whaling is nothing more than phishing or spear phishing but for big users. Instead
of sending out a "To Whom It May Concern" message to thousands of users, the whaler
identifies one person from whom they can gain all the data they want (usually a manager
or owner) and targets the phishing campaign at them.

Vishing: When you combine phishing with Voice over IP (VoIP), it becomes known as vishing,
an elevated form of social engineering. Although crank calls have been in existence since
the invention of the telephone, the rise in VoIP now makes it possible for someone to call
you from almost anywhere in the world, without worrying about tracing, caller ID, and
other landline-related features. They then pretend to be someone they are not in order to
get data from you.

Physical Control

Access control is a critical part of physical security, and it can help cut down
the possibility of a social engineering or other type of attack from succeeding.
Systems must operate in controlled environments in order to be secure. These
environments must be, as much as possible, safe from intrusion.

A key aspect of access control involves physical barriers. The objective of a
physical barrier is to prevent access to computers and network systems. The
most effective physical

Know the six types of controls.

CompTIA has categorized controls into six types: deterrent (warning), preventive (stopping),
detective (uncovering), compensating (backup), technical (using technology), and administrative
(using policies).

Physical Controls

Hardware Locks and Security

Mantraps

Video Surveillance

Fencing

Access List

Proper Lighting

Signs

Guards

Environmental Controls

HVAC

Fire Suppression

Fire Extinguishers

Fixed Systems

EMI Shielding

Hot and Cold Aisles

Temperature and Humidity Controls

Controls

Administrative

Technical

Corrective

Preventive

Deterrent

Administrative Controls:
Administrative: I establish a number of policies to keep the tomatoes safe:

Preventive: I instruct every member of my family that they are not to go into the backyard, and
they are not to let anyone else go back there either.

Deterrent: I tell the kids that if I ever hear of any of them (or their friends) being in the
backyard, I will take away their allowance for a month.

Detective: As a matter of routine, I want each member of the family to look out the
window on a regular basis to see if anyone has wandered into the yard.

Compensating: Every member of the family is instructed on how to call the police the
minute they see anyone in the yard.

Technical Controls:
Technical: Not trusting that the administrative controls will do the job without
fail, I implement a number of technical controls:

Preventive: I put up a fence around the yard, and the door that leads out from the
garage is locked.

Deterrent: "Beware of Dog" signs are posted all over the fence (although I have no
dog).

Detective: Sensors are placed on the gate to trigger an alarm if the gate is opened.

Compensating: Triggered alarms turn on the backyard sprinklers at full volume to
douse any intruder who wanders in.

Corrective Controls:
Corrective: Corrective controls restore the system or process back to the
state prior to a harmful event. For example, a business may implement a full
restoration of a system from backup tapes after evidence is found that
someone has improperly altered the payment data.

Exam Essentials

Be able to describe the process of social engineering.

Know the importance of security awareness and training.

Know the purposes of shielding in the environment.

Be able to describe the types of fire-suppression systems in use today.

Know the six types of controls.

Questions

1. An attacker creates a fake ID badge and waits next to an entry door to a secured
facility. An authorized user swipes a key card and opens the door. Jim follows the user
inside. Which social engineering attack is in play here?
A. Piggybacking
B. Tailgating
C. Phishing
D. Shoulder surfing

2. An attacker has physical access to a building and wants to attain access credentials
to the network using nontechnical means. Which of the following social engineering
attacks is the best option?
A. Tailgating
B. Piggybacking
C. Shoulder surfing
D. Sniffing

Questions

3. An attacker performs a Whois search against a target organization and
discovers the technical point of contact and site ownership e-mail
addresses. He then crafts an e-mail to the owner from the technical POC,
with instructions to click a link to see web statistics for the site. Instead,
the link goes to a fake site where credentials are stolen. Which attack has
taken place?
A. Phishing
B. Man in the middle
C. Spear phishing
D. Human based

Answers

1. B. In tailgating, the attacker holds a fake entry badge of some sort and
follows an authorized user inside.

2. C. Because he is already inside (thus rendering tailgating and piggybacking
pointless), the attacker could employ shoulder surfing to gain the access
credentials of a user.

3. C. Spear phishing occurs when the e-mail is being sent to a specific
audience, even if that audience is one person. In this example, the
attacker used recon information to craft an e-mail designed to be more
realistic to the intended victim and therefore more successful.
