1.1 Social Engineering Techniques Flashcards
Threats, Attacks and Vulnerabilities: Compare and Contrast Different Types of Social Engineering Techniques
1
Q
What is Phishing?
A
- A scam using this social engineering technique targets a large group of recipients with a generic message.
- Aim: Trick at least the most gullible into acting
- Ex: Visiting a website and entering PII, responding to an email, responding to a text (Smishing).
- Relies on: A false sense of trust (contain familiar logos, official looking messages)
2
Q
What is Smishing?
A
- A particular type of phishing that uses text or SMS messaging to scam someone.
3
Q
What is Vishing?
A
- A type of phishing attack that takes place over phone systems, most commonly over VoIP (Voice over IP).
- Aim: Using tools specific to VoIP systems, hackers can program their autodialers to send a recording from a spoofed VoIP address.
- Ex: A call may claim to be from a bank and request a call back to verify information.
4
Q
What is Spam?
A
- A deliberate attempt to email unsolicited advertisements to a large number of recipients.
- Spam mailing lists are shared among internet spam advertisers.
</gram_replace>
<gr_replace lines="31" cat="clarify" orig="- Ex: Any time">
- Ex: Any time you sign your email up to a website / newsgroup, you open yourself up to the possibility of being added to a spam mailing list.
- Spam consumes space and bandwidth. (Annoying to users and network administrators).
- Continues to be a prime nuisance and security issue for organizations
- Ex: Any time you sign your email up to a website/ newsgroup you open yourself up to the possibility of being added to a spam mailing list.
- Prevention: Many ISPs (Internet Service Providers) and corporate networks use anti-spam mail filters to block incoming spam.
5
Q
What is SPIM?
A
- Spam over Instant Messaging (SPIM) is instant message spam.
- Similar to the more common email spam, it occurs when a user receives an unsolicited instant message (including from users who are known and in the user’s contact list).
- SPIM can be targeted and include user information such as demographic, age, or gender information.
- Prevention: Users should make sure that only people in their contact list can send them messages. (Many organizations block access to external IM chat.)
6
Q
What is Spear Phishing?
A
- A variant of phishing, which is a targeted type of attack that includes information familiar to the user and could appear to be from a trusted source.
- Much more sophisticated than a phishing attack, b/c the information is targeted at the victim.
- Aim: Provides a greater inducement for trust from the victim due to its targeted nature.
- Ex: A company from which the user has purchased something in the past, a financial institution, etc. could use the target’s name and mailing address (easily stolen), or use the names of employees with whom the individual has interacted before.
7
Q
What is Dumpster Diving?
A
- Requires almost no social skills at all! Literally, looking through trash / recycling.
- Prevention: Companies will shred documents so they can’t be put back together.
8
Q
What is Shoulder Surfing?
A
- Looking at someone’s sensitive information on their monitor (possibly over their shoulder or through an unobstructed view)
- Prevention: Users must examine their surroundings before entering or viewing confidential data. Ensure their monitor isn’t easy to read from a hallway, etc.
- Ex: Blinds can be installed if the office is near another building, or screen filters can be used.
9
Q
What is Pharming?
A
- A technique that misdirects a user to an attacker’s website without the user’s knowledge, generally through manipulation of the DNS (Domain Name Service) on an affected server or the host file on a user’s system.
- While similar to phishing where a user may click a seemingly legitimate link, it differs in that it installs code on the user’s computer that sends them to the malicious site, even if the URL is entered correctly or chosen from a web browser bookmark.
- The user is tricked into browsing to the attacker’s website.
- Like phishing, it can result in the loss of confidential data and can lead to identity theft as well.
10
Q
What is Tailgating?
A
- A simpler form of social engineering: gaining physical access to an access-controlled facility by closely following an authorized person through the security checkpoint.
- Can also refer to using another user’s access rights on a computer. (Ex: leaving a computer unlocked and going to lunch) Users must be taught to always log out and lock their workstations before leaving their area.
- Ex: A person might make casual conversation while following someone in, or tell them they’ve lost or forgotten their card.
- Prevention: Organizations must have strict access control rules to prevent tailgating so that unauthorized persons aren’t allowed into any secure facility or room; employees should be educated not to let in unknown persons, and visitors must be accompanied and must sign in / out.
11
Q
How to prevent social engineering scams?
A
- Education is key: provide user education to recognize the warning signs of scams, including any attempt to get financial information such as credit card / bank information over the phone.
- Necessary b/c technological controls alone are not sufficient to protect users.
12
Q
What is a Hoax?
A
- Typically some kind of urban legend or sensational fake news that users pass along to others via email b/c they feel it is of interest.
- Ex: Forward this email to 10 friends for good luck.
- Ex: Email saying they’re collecting money for a sick individual.
- Hoaxes are generally harmless, just taking up resources on the network and computers.
- However, some are phishing attempts that try to get the user to visit the link to a malicious site.
13
Q
What is Prepending?
A
- Adding mentions (@username) to Tweets or social media posts to make them seem more personal and legitimate.
- Creates higher engagement and can be automated to become almost as efficient as manual spear phishing campaigns.
14
Q
What is Identity Fraud?
A
- When an unauthorized user collects enough personal information about their target to perform forged credit card / banking transactions using the victim’s financial / personal details.
15
Q
Exam tip! How to combat the problem of dumpster diving.
A
- The physical security of your facility should include your garbage disposal and recycling operations.