1.1 - Compare and contrast different types of social engineering techniques. Flashcards

Compare and contrast different types of social engineering techniques.

1
Q

Social Engineering

A
  • Used to extract info, usually by tricking ppl
  • Precursor to more advanced attacks
  • Successful b/c it relies on emotions
2
Q

Principles of influence/Reasons for effectiveness

(just the list, no description)

A
  • Authority
  • Intimidation
  • Consensus/Social proof
  • Scarcity
  • Familiarity/Liking
  • Trust
  • Urgency
3
Q

Principles of influence - Authority

A
  • Perceived by job titles, uniforms, badges, symbols, expertise
  • Feel obligated to comply
  • Trust authoritative symbols
  • EX: Flashing red lights would prompt you to pull over
4
Q

Principles of influence - Intimidation

A
  • Authority plays to sense of duty
  • Negative impact if you don’t comply
  • Plays on fear of getting in trouble, fired, etc
  • EX: If you don’t help, payroll won’t be processed
5
Q

Principles of influence - Consensus/Social Proof

A
  • “Safety in numbers”
  • Ppl often believe what others around them believe
  • Ambiguous requests/situations are likely acted on b/c the vic believes others are doing the same
  • Convince based on what’s normally expected
  • EX: Robert already complied with this
6
Q

Principles of influence - Scarcity

A
  • Want/value something more if we believe it’s less available
  • More impulsive if we believe it’s the last one
  • Spurs someone to act quickly on a request without thinking
  • EX: Must make change before time expires
7
Q

Principles of influence - Urgency

A
  • Works along with scarcity
  • Act quickly, don’t think
  • Used to gain support
  • EX: Consequence will occur unless you take this action right now
8
Q

Principles of influence - Familiarity/Liking

A
  • Common friends, someone you know
  • Ppl comply with requests from those they like/have common ground with
  • “Liking” leads to trust
  • You’ll be helpful b/c you want to be liked
  • Effective b/c of desire to establish + maintain social relationships
  • EX: Might use humor or connect through shared interests, past events, institutions
9
Q

Principles of influence - Trust

A
  • Trust ppl with assigned authority/specific expertise
  • Trust follows liking
  • Trust the consensus
  • Established + played out through the idea of reciprocation
  • EX: I’m from IT and here to help
10
Q

Pretexting

A
  • Using a made-up scenario to justify why the perp is approaching someone
  • Used as part of impersonation efforts to make the perp believable
  • Trap = set before the attack
  • Perp is a character in the situation they create
  • Where you work, your bank, fam + friends, etc.
  • Lying to get info
  • EX: Congrats! You qualify for 0% interest rates

Prevention
- Vic can ask questions
- Vic can require verification

11
Q

Impersonation

A
  • Use some details from recon
  • Often used with a pretext or invented scenario
  • Perp assumes character/appearance of someone else
  • Approaches the vic as someone of higher rank
  • EX: You can trust me, I’m with your help desk
12
Q

Recon

A
  • Uses public info sources to first do recon of the target
  • EX: LinkedIn, company website, etc.
13
Q

Eliciting info

A
  • Extracting info from vic/hacking the human
  • Can directly/indirectly lead to sensitive data loss
  • Might not have immediate consequences, but the cumulative effect of the combined info could be dire
  • Often seen with vishing (easier to get info over phone)
  • Vic doesn’t realize it’s happening
14
Q

Identity fraud

A
  • Person’s personal info used without authorization to deceive/commit a crime
15
Q

Credit card fraud

A
  • Opens an account in your name or uses your CC info
16
Q

Bank fraud

A
  • Gains access to your account or opens new account
17
Q

Loan fraud

A
  • Your info is used for loan or lease
18
Q

Government benefits fraud

A
  • Obtains benefits on your behalf
19
Q

Impersonation protection

A
  • Don’t volunteer info
  • Don’t disclose personal details
  • Always verify before revealing info (call back/3rd parties)
  • Encourage verification
  • Ongoing user awareness + education is important
20
Q

Phishing protection

A
  • Use security technologies, techniques at client side, server side, and enterprise level
  • Always check URL
  • Usually something not right with spelling, fonts, graphics
  • Prepending
  • Best defense = user education
21
Q

Phishing protection (prepending)

A
  • Orgs add notification in email subject line that an email is external
  • Ideally users shouldn’t be able to directly access email attachments from within the email app
22
Q

Spear phishing

A
  • Targeted version of phishing
  • Targets specific individual whereas phishing involves mass emailing
  • Makes attack more believable since it’s targeted
23
Q

Whaling

A
  • Spear phishing that goes after high profile targets (CEO, CFO, etc.)
  • Execs have direct access to corporate bank accounts
24
Q

Vishing

A
  • Voice phishing (phone or voicemail)
  • Fake/spoofed caller ID to appear as from a trusted org
  • Tries to get the vic to enter account details
  • Fake security checks or bank account
25
Q

Smishing

A
  • SMS phishing
  • Phishing over text messaging
  • Spoofing used here
  • Forwards links or asks for personal info
26
Q

Pharming

A
  • Doesn’t require vic being tricked into clicking a link
  • Redirects legit website to bogus one
  • Poisoned DNS server/client vulnerabilities
  • DNS cache poisoning
  • Harvest large groups of ppl, collect access creds
  • Creds typically aggregated then monetized
  • Challenging for anti-malware software to stop b/c appears legit to user
27
Q

Credential harvesting

A
  • Captures usernames/passwords
  • Collects login creds
  • Vic has no idea since everything happens in the background
  • Typically creds gathered are aggregated and then monetized
  • EX: Vic receives email with malicious MS word doc -> opening it runs a macro -> macro downloads credential harvesting malware
28
Q

Invoice scams

A
  • Researches/finds out who pays the bills, then crafts emails requesting payment
  • Hopes that the vic follows the standard process for invoice payments without giving it much thought
  • EX: Fake invoice scam sent from a spoofed version of the CEO’s email address
29
Q

Advance fee scam

A
  • Large sum of money promised
  • Vic asked to make small payment first to complete the transaction
  • Vic never sees the large return
30
Q

Watering hole attacks

A
  • Determines sites the vic/vic groups frequently use (industry-related site, etc.)
  • Goal = compromise a large environment (the company the target works for)
  • Infect the 3rd-party site (site vulnerability, email attachments)
  • Infects all visitors, but the attacker is just looking for a specific vic
  • Looks for opportunities to compromise any of the frequently visited sites based on existing vulnerabilities
  • Usually used in conjunction with zero day exploits
31
Q

Zero day exploit

A
  • Attack against a vulnerability that’s unknown to software + security vendors
  • Watering hole attacks often used with zero day exploits
32
Q

Watering hole attacks prevention

A
  • Defense in depth
  • Layered defense
  • Firewalls + IPS (block malicious network traffic before it reaches hosts)
  • Anti-virus/anti-malware signature updates
33
Q

Typosquatting

A
  • URL hijacking
  • Relies on typographic errors users make on internet
  • EX: Mistype google.com -> goooogle.com. Since Google owns both domain names, you’re redirected to the correct domain
  • EX: Mistype your bank’s URL but you’re presented with a site that looks just like the bank’s, and your login creds are recorded
34
Q

Hoaxes

A
  • Threat doesn’t actually exist
  • Actions ppl take in response create the actual threats
  • Hoax virus email can consume resources as it’s forwarded on
  • Can waste as much time as a regular virus
  • Via email, social networks, word of mouth
  • Some will take your money but not through electronic means

Gibson 209
Chapple 71
-intentional falsehoods
-social media plays big role
-EX: virus hoaxes, fake news

35
Q

De-hoaxing

(hoax prevention)

A
  • Believe no one
  • Cross reference
  • Consider the source
  • Spam filters can help
36
Q

Influence campaigns

A
  • Sway public opinion on political/social issues
  • Seek to affect the development, actions, and behavior of the targeted population
  • Recently come to include Cyber Warfare
  • Internet provides opportunity to widely disseminate info + social media provides opportunity to spread
37
Q

Hybrid warfare

A
  • Military strategy, wage war non-traditionally
  • Influence with a military spin
  • Influencing foreign elections, fake news
  • Psych, econ, political influence aspects go beyond distraction to achieving greater goals such as:
  • Dividing public opinion by exploiting societal vulnerabilities
38
Q

Cyber warfare

A
  • Attack entity with tech
39
Q

Tailgating

A
  • Follows an authorized person to gain unauthorized access to a building
  • Appearing to be part of an authorized group (clothing, 3rd-party legit reason, etc.)
  • Capitalizing on ppl’s desire to be polite
40
Q

Tailgating prevention

A
  • Visitor policy
  • One scan, one person
  • Don’t be afraid to ask who someone is/why they’re there
  • Mantrap
41
Q

Mantrap

A
  • Airlock-style mechanism that allows only one person to pass at a time
  • Provides entrance control + prevents tailgating
  • Employed by many high security facilities
42
Q

Dumpster diving

A
  • Scavenge for discarded equipment + docs to extract sensitive info
  • Impersonate names, use phone #s
  • Timing = important (end of month, end of quarter, based on pickup schedule)
  • Legal unless locally restricted
  • Private property/no trespassing rules may restrict it
  • Sources could include: organizational directories, employee manuals, hard drives + other media, printed emails, etc.
43
Q

Dumpster diving prevention/protection

A
  • Secure your garbage (fence + lock)
  • Shred your docs (only goes so far; GOVT burns the good stuff)
  • Proper disposal of data + equipment should be part of the org’s security policy
  • Require shredding of all physical docs
  • Secure erasure of all types of storage media before they may be discarded
44
Q

Shoulder surfing

A
  • Any method of direct observation to obtain info
  • Curiosity, industrial espionage, competitive advantage, etc.
  • Airports, flights, hallway facing monitors, coffee shops, ATM, etc.
  • Binoculars, telescopes, webcam monitoring, etc.
  • Shoulder surfer’s job might be done after they’ve provided or sold the info to someone with more nefarious goals
45
Q

Shoulder surfing prevention

A
  • Control your input
  • Be aware of your surroundings
  • Use privacy filters, screen overlays to prevent someone from seeing the screen at an angle
  • Keep monitor out of sight/away from windows + hallways
46
Q

Spam

A
  • Unsolicited messages (emails, forums, etc)
  • Commercial advertising, non-commercial proselytizing, phishing attempts
  • Issue b/c of security concerns, resource utilization, storage costs, managing the spam
  • SPIM -> spam over instant messaging
47
Q

Identifying spam

A
  • Allowed list
  • SMTP standards checking -> blocks what doesn’t follow RFC standards
  • rDNS (reverse DNS) -> blocks email where the sender’s domain doesn’t match the IP address
  • Tarpitting -> intentionally slows down the server connection
  • Recipient filtering -> blocks all email not addressed to a valid recipient email address
48
Q

Mail gateways

A
  • Filter unsolicited email
  • Stop it at the gateway before it reaches the user
  • On-site or cloud-based
49
Q

SPIM

A
  • Spam over instant messaging
50
Q

Phishing

A
  • Attempt to acquire sensitive info by pretending to be trusted entity via electronic communication (often by text, email, etc)
  • Persuades the vic to perform actions that provide access to confidential info