1.1 - Compare and contrast different types of social engineering techniques.

Question 1

Social Engineering

Answer 1

• Used to extract info usually by tricking ppl
• Precursor to more advanced attacks
• Successful b/c relies on emotions

Question 2

Principles of influence/Reasons for effectiveness

(just the list, no description)

Answer 2

• Authority
• Intimidation
• Consensus/Social proof
• Scarcity
• Familiarity/Liking
• Trust
• Urgency

Question 3

Principles of influence - Authority

Answer 3

• Perceived by job titles, uniforms, badges, symbols, expertise
• Feel obligated to comply
• Trust authoritative symbols
• EX: Flashing red lights would prompt you to pull over

Question 4

Principles of influence - Intimidation

Answer 4

• Authority plays to sense of duty
• Negative impact if you don’t comply
• Plays on fear of getting in trouble, fired, etc
• EX: If you don’t help, payroll won’t be processed

Question 5

Principles of influence - Consensus/Social Proof

Answer 5

• “Safety in numbers”
• Ppl often believe what others around them believe
• Ambiguous requests/situations likely acted on b/c believe others are doing the same
• Convince based on what’s normally expected
• EX: Robert already complied with this

Question 6

Principles of influence - Scarcity

Answer 6

• Want/value something more if we believe it’s less available
• More impulsive if we believe it’s the last one
• Spur someone to act quickly on request without thinking
• EX: Must make change before time expires

Question 7

Principles of influence - Urgency

Answer 7

• Works along with scarcity
• Act quickly, don’t think
• Used to gain support
• EX: Consequence will occur unless you take this action right now

Question 8

Principles of influence - Familiarity/Liking

Answer 8

• Common friends, someone you know
• Comply with requests from ppl they like/have common ground
• “Liking” leads to trust
• You’ll be helpful b/c you want to be liked
• Effective b/c of desire to establish + maintain social relationships
• EX: Might use humor or connect through shared interests, past events, institutions

Question 9

Principles of influence - Trust

Answer 9

• Trust ppl with assigned authority/specific expertise
• Trust follows liking
• Trust the consensus
• Established + played out in idea of reciprocation
• EX: I’m from IT and here to help

Question 10

Pretexting

Answer 10

• using made up scenario 2 justify why perp is approaching someone
• used as part of impersonation efforts 2 make perp believable
• Trap = set b4 attack
• Perp is character in situation they create
• Where you work, bank, fam + friends, etc
• Lying to get info
• EX: Congrats! You qualify for 0% interest rates

Prevention
- vic can ask q’s
- vic can require verification

Question 11

Impersonation

Answer 11

• Use some details from recon
• Often used with a pretext or invented scenario
• Perp assumes character/appearance of someone else
• Attack vic as someone from higher rank
• EX: You can trust me, I’m with your help desk

Question 12

Recon

Answer 12

• Uses public info sources to first do recon of the target
• EX: LinkedIN, company website, etc.

Question 13

Eliciting info

Answer 13

• Extracting info from vic/hacking the human
• Can directly/indirectly lead to sensitive data loss
• Might not be immediate consequences but cumulative effect combined could have dire consequences
• Often seen with vishing (easier to get info over phone)
• Vic doesn’t realize it’s happening

Question 14

Identity fraud

Answer 14

• Persons personal info used without authorization to deceive/commit a crime

Question 15

Credit card fraud

Answer 15

• Open account in your name or use CC info

Question 16

Bank fraud

Answer 16

• Gains access to your account or opens new account

Question 17

Loan fraud

Answer 17

• Your info is used for loan or lease

Question 18

Government benefits fraud

Answer 18

• Obtains benefits on your behalf

Question 19

Impersonation protection

Answer 19

• Don’t volunteer info
• Don’t disclose personal details
• Always verify before revealing info (call back/3rd parties)
• Encourage verification
• Ongoing user awareness + education is important

Question 20

Phishing protection

Answer 20

• Use security technologies, techniques at client side, server side, and enterprise level
• Always check URL
• Usually something not right with spelling, fonts, graphics
• Prepending
• Best defense = user education

Question 21

Phishing protection (prepending)

Answer 21

• Orgs add notification in email subject line that an email is external
• Ideally users shouldn’t be able to directly access email attachments from within the email app

Question 22

Spear phishing

Answer 22

• Targeted version of phishing
• Targets specific individual whereas phishing involves mass emailing
• Makes attack more believable since it’s targeted

Question 23

Whaling

Answer 23

• Spear phishing that goes after high profile targets (CEO, CFO, etc.)
• Execs have direct access to corporate bank account

Question 24

Vishing

Answer 24

• Voice phishing (phone or voicemail)
• Fake/spoofed caller ID to appear as from a trusted org
• Tries to get them to enter account details
• Fake security checks or bank account

Question 25

Smishing

Answer 25

- SMS phishing - Phishing over text messaging - Spoofing used here - Forwards links or asks for personal info

Question 26

Pharming

Answer 26

- Doesn't require vic being tricked into clicking a link - Redirects legit website to bogus one - Poisoned DNS server/client vulnerabilities - DNS cache poisoning - Harvest large groups of ppl, collect access creds - Creds typically aggregated then monetized - Challenging for anti-malware software to stop b/c appears legit to user

Question 27

Credential harvesting

Answer 27

- Captures usernames/passwords - Collects login creds - Vic has no idea since everything happens in the background - Typically creds gathered are aggregated and then monetized - EX: Vic receives email with malicious MS word doc -> opening it runs a macro -> macro downloads credential harvesting malware

Question 28

Invoice scams

Answer 28

- Researches/finds out who pays the bills then crafts emails requesting payment - Hopes that vic follows standard process for invoice payments without giving it much through - EX: Fake invoice scam from spoofed version of CEOs email address

Question 29

Advance fee scam

Answer 29

- Large sum of money promised - Vic asked to make small payment first to complete the transaction - Vic never sees the large return

Question 30

Watering hole attacks

Answer 30

- Determines sites vics/vic groups frequently use (industry related site, etc). - Goal = compromise large environment (company the target works for) - Infect 3rd party site (site vulnerability, email attachments) - Infect all visitors but they're just looking for specific vic - Looks for opportunities to compromise any of the frequently visited sites based on existing vulnerabilities - Usually used in conjunction with Zero Day Exploits

Question 31

Zero day exploit

Answer 31

- Attack against a vulnerability that's unknown to software + security vendors - Watering hole attacks often used with zero day exploits

Question 32

Watering hole attacks prevention

Answer 32

- Defense in depth - Layered defense - Firewalls + IPs (stop network traffic before it gets bad) - Anti-virus/anti-malware signature updates

Question 33

Typosquatting

Answer 33

- URL hijacking - Relies on typographic errors users make on internet - EX: Mistype google.com -> goooogle.com . Since google owns both domain names you're redirected to the correct domain - EX: Mistype your bank URL but you're presented with a site that looks just like the banks and your login creds are recorded

Question 34

Hoaxes

Answer 34

- Threat doesn't actually exist - Actions ppl take in response create the actual threats - Hoax virus email can consume resources as it's forwarded on - Can waste as much time as a regular virus - Via email, social networks, word of mouth - Some will take your money but not through electronic means Gibson 209 Chapple 71 -intentional falsehoods -social media plays big role -EX: virus hoaxes, fake news

Question 35

De-hoaxing | (hoax prevention)

Answer 35

- Believe no one - Cross reference - Consider the source - Spam filters can help

Question 36

Influence campaigns

Answer 36

- Sway public opinion on political/social issues - Seek to affect development, actions, behavior of targeting population - Recently come to include Cyber Warfare - Internet provides opportunity to widely disseminate info + social media provides opportunity to spread

Question 37

Hybrid warfare

Answer 37

- Military strategy, wage war non-traditionally - Influence with a military spin - Influencing foreign elections, fake news - Psych, econ, political influence aspects go beyond distraction to achieving greater goals such as; - Dividing public opinion by exploiting societal vulnerabilities

Question 38

Cyber warfare

Answer 38

- Attack entity with tech

Question 39

Tailgating

Answer 39

- Use authorized person to gain unauthorized access to a building - Appearing to be part of authorized group (clothing, 3rd party legit reason, etc). - Capitalizing on ppl's desire to be polite

Question 40

Tailgating prevention

Answer 40

- Visitor policy - One scan, one person - Don't be afraid to ask who someone is/why they're there - Mantrap

Question 41

Mantrap

Answer 41

- Airlock mechanisms that allow only one person to pass at a time - Provides entrance control + prevents tailgating - Employed by many high security facilities

Question 42

Dumpster diving

Answer 42

- Scavenge for discarded equipment + docs to extract sensitive info - Impersonate names, use phone #s - Timing = important (end of month, end of quarter, based on pickup schedule) - Legal unless local restriction - Private property, no trespassing may be restricted - Sources could include; organizational directories, employee manuals, hard drives + other media, printed emails, etc.

Question 43

Dumpster diving prevention/protection

Answer 43

- Secure your garbage (fence + lock) - Shred your docs (only goes so far, GOVT burns the good stuff) - Proper disposal of data + equipment + should be part of orgs security policy - Require shredding of all physical docs - Secure erasure of all types of storage media before they may be discarded

Question 44

Shoulder surfing

Answer 44

- Any method of direct observation to obtain info - Curiosity, industrial espionage, competitive advantage, etc. - Airports, flights, hallway facing monitors, coffee shops, ATM, etc. - Binoculars, telescopes, webcam monitoring, etc. - Shoulder surfers job might be done after they've provided or sold the info to someone with more nefarious goals

Question 45

Shoulder surfing prevention

Answer 45

- Control your input - Be aware of your surroundings - Use privacy filters, screen overlays to prevent someone from seeing the screen at an angle - Keep monitor out of sight/away from windows + hallways

Question 46

Spam

Answer 46

- Unsolicited messages (emails, forums, etc) - Commercial advertising, non commercial proselytizing, phishing attempts - Issue b/c of security concerns, resource utilization, storage costs, managing the spam - SPIM -> spam over instant messaging

Question 47

Identifying spam

Answer 47

- Allowed list - SMTP standards checking -> blocks what doesn't follow RFC standards - rDNS (reverse DNS), blocks email where senders domain doesn't match IP address - Tarpitting, intentionally slow down server connection - Recipient filtering, blocks all email not addressed to valid recipient email address

Question 48

Mail gateways

Answer 48

- Unsolicited email - Stop at gateway before reaches user - On site or cloud based

Question 49

SPIM

Answer 49

- Spam over instant messaging

Question 50

Phishing

Answer 50

- Attempt to acquire sensitive info by pretending to be trusted entity via electronic communication (often by text, email, etc) - Persuade vic to perform actions that provides access to confidential info