Attacks Flashcards
Social Engineering
An attack against a user, and typically involves some form of social interaction.
Phishing
A type of social engineering in which an attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users.
Spear phishing
A phishing attack that targets a specific group of people who have something in common.
Whaling
An attack where a target is a high-value person, such as a CEO or CFO.
Vishing
A variation of phishing that uses voice communication technology to obtain the information the attacker is seeking.
Users are unaware that attackers can spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology.
Tailgating
When an unauthorized person follows closely behind an authorized person into a restricted area without permission.
Piggybacking
When an unauthorized person follows an authorized person into a restricted area with permission.
Mantrap
A more sophisticated countermeasure to piggybacking, which utilizes two doors to gain access to the facility. The second door does not open until the first one is closed, and the doors are closely spaced so that an enclosure is formed that only allows one individual through at a time.
Impersonation
A common social engineering technique that can be employed in many ways. It can occur in person, over the phone, or online.
Impersonations can occur in a variety of manners, from third parties, to help desk operators, to vendors, or even online sources.
Third-party authorization
Using previously obtained information about a project, deadlines, bosses, and so on, the attacker 1) arrives with something the victim is quasi-expecting or would see as normal, 2) uses the guise of a project in trouble or some other situation in which the attacker will be viewed as helpful or as someone not to upset, and 3) name-drops “Mr. Big,” who happens to be out of the office and unreachable at the moment, thereby avoiding the reference check.
These actions can create the appearance of a third-party authorization when in fact there is none.
Help desk/Tech support
Calls to or from help desk and tech support units can be used to elicit information.
Contractors/Outside parties
When a social engineer dresses up as a contractor.
Online attacks
Some older forms, such as pop-up windows, tend to be less effective today because users are wary of them. Yet phishing attempts via e-mail and social media scams abound.
Defenses
In all of the cases of impersonation, the best defense is simple: have processes in place that require employees to ask to see a person’s ID before engaging with them if they do not personally know the person.
Dumpster diving
The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt.
Shoulder surfing
When the attacker simply looks over the shoulder of the user at work, sets up a camera, or uses binoculars to observe sensitive information on a form, keypad, or keyboard.
The attacker can attempt to obtain information such as a PIN at an automated teller machine (ATM), an access control entry code at a secure gate or door, or a calling card or credit card number.
Hoax
At first glance, it might seem that a hoax related to security would be considered a nuisance and not a real security issue. This might be the case for some hoaxes, but the reality of the situation is that a hoax can be very damaging if it causes users to take some sort of action that weakens security.
Watering Hole Attack
Involves infecting a target website with malware.
These are not simple attacks, yet they can be very effective at delivering malware to a specific group of end users.
Social Engineering Principles
Social engineering is very successful for two general reasons:
1) The basic desire of most people to be helpful.
2) Individuals normally seek to avoid confrontation and trouble.
Tools
The tools in a social engineer’s toolbox are based on a knowledge of psychology and don’t necessarily require a sophisticated knowledge of software or hardware.
Authority
If an attacker can convince a target that he has authority in a particular situation, he can entice the target to act in a particular manner or risk adverse consequences.
Intimidation
Can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority.