Social engineering is the process by which intruders gain access to your facilities, your network, and even your employees by exploiting the generally trusting nature of people. A social engineering attack may come from someone posing as a vendor, or it could take the form of an email from a (supposedly) traveling executive who indicates that they have forgotten how to log on to the network or how to get into the building over the weekend. It's often difficult to determine whether the individual is legitimate or has bad intentions.
I think it goes back to my high school days. In computer class, the first assignment was to write a program to print the first 100 Fibonacci numbers. Instead, I wrote a program that would steal passwords of students. My teacher gave me an A.
Kevin Mitnick
https://www.youtube.com/watch?v=DB6ywr9fngU
Shoulder Surfing
One popular form of social engineering is known as shoulder surfing, and it involves nothing more than watching someone over their shoulder. They can see you entering a password, typing in a credit card number, or entering any other pertinent information. The best defense against this type of attack is to survey your environment before entering personal data. It is a good idea for users not to have their monitors positioned in ways that make it easy for this act to occur, but they also need to understand and appreciate that such an
Dumpster Diving
Dumpster diving is a common physical access method. Companies normally generate a huge amount of paper, most of which eventually winds up in dumpsters or recycle bins. Dumpsters may contain information that is highly sensitive in nature. In high-security and government environments, sensitive papers are either shredded or burned. Most businesses don't do this. In addition, the advent of green companies has created an increase in the amount of recycled paper, which can often contain all sorts of juicy information about a company and its employees.
Tailgating
A favorite method of gaining entry to electronically locked systems is to follow someone through the door they just unlocked, a process known as tailgating. Many people don't think twice about this event (it happens all the time) as they hold the door open for someone behind them who is carrying heavy boxes or is disabled in some way.
Impersonation
Impersonation involves any act of pretending to be someone you are not. This can be a service technician, a pizza delivery driver, a security guard, or anyone else who might be allowed unfettered access to the grounds, network, or system. Impersonation can be done in person, over the phone, by email, and so forth.
Hoaxes
Network users have plenty of real viruses to worry about. Yet some people find it entertaining to issue phony threats to keep people on their toes. Some of the more popular hoaxes that have been passed around are the Good Time and the Irina viruses. Millions of users received emails about these two viruses, and the symptoms sounded just awful.
Technical Support
A form of impersonation, this attack is aimed at the technical support staff themselves. Tech support professionals are trained to be helpful to customers; it's their goal to solve problems and get users back online as quickly as possible. Knowing this, an attacker can call up posing as a user and request a password reset. The help desk person, believing they're helping a stranded customer, unwittingly resets the password to something the attacker knows, thus granting him access the easy way. Another version of this attack is known as authority support.
Whaling
Whaling is nothing more than phishing or spear phishing but for big users. Instead of sending out a "To Whom It May Concern" message to thousands of users, the whaler identifies one person from whom they can gain all the data they want (usually a manager or owner) and targets the phishing campaign at them.
Vishing
When you combine phishing with Voice over IP (VoIP), it becomes known as vishing, an elevated form of social engineering. Although crank calls have been in existence since the invention of the telephone, the rise in VoIP now makes it possible for someone to call you from almost anywhere in the world, without worrying about tracing, caller ID, and other landline-related features. They then pretend to be someone they are not in order to get data from you.
Physical Control
Access control is a critical part of physical security, and it can help cut down the possibility of a social engineering or other type of attack succeeding. Systems must operate in controlled environments in order to be secure. These environments must be, as much as possible, safe from intrusion.
Physical Controls
Mantraps
Video Surveillance
Fencing
Access List
Proper Lighting
Signs
Guards
Environmental Controls
HVAC
Fire Suppression
Fire Extinguishers
Fixed Systems
EMI Shielding
Controls
Administrative
Technical
Corrective
Preventative
Deterrent
Administrative Control:
Administrative: I establish a number of policies to keep the tomatoes safe:
Preventive: I instruct every member of my family that they are not to go into the backyard and they are not to let anyone else go back there either.
Deterrent: I tell the kids that if I ever hear of any of them (or their friends) being in the backyard, I will take away their allowance for a month.
Detective: As a matter of routine, I want each member of the family to look out the window on a regular basis to see if anyone has wandered into the yard.
Compensating: Every member of the family is instructed on how to call the police the minute they see anyone in the yard.
Preventive: I put up a fence around the yard, and the door that leads out from the garage is locked.
Deterrent: "Beware of Dog" signs are posted all over the fence (although I have no dog).
Detective: Sensors are placed on the gate to trigger an alarm if the gate is opened.
Corrective
Exam Essentials
Questions
1. An attacker creates a fake ID badge and waits next to an entry door to a secured facility. An authorized user swipes a key card and opens the door. Jim follows the user inside. Which social engineering attack is in play here?
A. Piggybacking
B. Tailgating
C. Phishing
D. Shoulder surfing
2. An attacker has physical access to a building and wants to attain access credentials to the network using nontechnical means. Which of the following social engineering attacks is the best option?
Answers
1. B. In tailgating, the attacker holds a fake entry badge of some sort and follows an authorized user inside.
2.
3.