Chapter 11 - Low Tech Social Engineering, Physical Security Flashcards
ECC Defines 4 Phases of Social Engineering
Research (dumpster dive, websites, etc)
Select the victim (identify a frustrated employee, etc)
Develop a relationship
Exploit the relationship
ECC 5 Reasons why social engineering works
human nature (trusting)
ignorance of social engineering efforts
fear (of consequences of not complying with SE)
greed (promised gain from the SE)
sense of moral obligation
ECC 4 factors that allow social engineering to happen
insufficient training
unregulated information (or physical) access
complex organizational structure
lack of security policies
3 types of social engineering attacks
human
computer
mobile
Trash Intelligence, TRASHINT
ECC considers dumpster diving as social engineering
Impersonation
Social Engineer pretends to be someone else that the target either:
respects
fears
trusts
Authority Support
Attacker poses as a user, calls help desk and requests a password reset
Tailgating vs Piggybacking
Tailgating - attacker has fake badge and follows someone through the door
Piggybacking - attacker doesn’t have a badge, and asks someone to let them in anyway
RFID Skimming
cloning an RFID access card or credit card
Reverse Social Engineering
Attacker gets target to call them with information
3 steps of reverse Social Engineering
Advertisement
Sabotage
Support
Advertisement - attacker advertises his position as technical support of some kind
Sabotage - attacker pulls cables, performs DoS or something else to interrupt the target’s service
Support - target calls technical support and attacker “helps” by getting login credentials and gaining access
Items that may indicate a phishing email
beware unknown, unexpected, suspicious originators
beware of whom the email is addressed to
Verify phone numbers
beware bad spelling/grammar
always check links
if you don’t know the sender, be cautious. If you know the sender and the message is out of context, be cautious
companies typically address you personally
if you see a phone number in the email, call it to verify it’s legitimate
professional email won’t have misspelled words
Spear Phishing
Targeted phishing against an individual or small group of individuals
Result of reconnaissance and a specially crafted email
Most successful SE attack globally. Because the attacker has a small audience, it is easier to craft an email tailored to them
ex. you learn about a shipping and receiving clerk and craft an email to look like a bill of lading
Whaling
spear phishing against a high-level target, like a CEO
Chat or Messenger channels usage for SE
Used to find out personal information and spread malicious code and install software
IRC is one of the main ways that zombie computers are manipulated by attackers
Mitigating Social engineering
multiple layers of defense
change management procedures
strong authentication
Best is to train users, especially tech support staff
Mobile-based social engineering attacks
take advantage of mobile devices, applications or services to carry out their goal
ZitMo (Zeus in the Middle)
Android malware that captured the phone; the target installed the application thinking it would receive security messages, but it was a way for the attacker to receive the target's SMS authentication factor
Mobile malware for profit
malware sent SMS messages from the victim's phone requesting premium services; the attacker deletes the return SMS messages acknowledging the charges
ECC’s 4 categories of mobile SE attacks
publishing malicious apps
repackaging legitimate apps
fake security applications
SMS
publishing malicious apps
attacker creates app that’s similar to legitimate apps
repackaging legitimate apps
attacker modifies a legitimate app to contain malware and posts it on a third-party app store. Happened to Angry Birds
fake security applications
Attacker infects a PC with malware and uploads a malicious app to an app store. When the user logs in, a malware pop-up says to download bank security software. The user complies and infects the mobile device
SMS
attacker sends SMS texts that look like legitimate security notifications, with a phone number. Target calls number and provides sensitive data
ECC Term - “smishing”
SMS phishing
same as 4th category of mobile SE attack
Physical Security
Plans, procedures, and steps taken to protect assets from deliberate or accidental events that could cause damage or loss
Not just locks and gates. Also protection from floods, earthquakes, theft, vandalism, etc.
3 components of physical security (exam tip)
physical
technical
operational
physical - all things you can touch, taste, smell or get shocked by. Bollards, lights, fences, locks, parking areas, guards
technical - technological measures that protect at the physical level. Authentication and permissions, such as smart cards and biometrics.
operational - policies and procedures, background checks, risk assessments, key management and storage policies
Examples of physical considerations for physical security
taking out the AC can DoS your entire network
dust, humidity, static electricity, temperature
positive air pressure in the data center reduces contaminants
Examples of technical considerations for physical security
PIN and proximity card; biometrics
Examples of operational considerations for physical security
who controls the physical keys, where are they, and how are they managed?
Access Control Types
biometrics
ID / Entry cards
door locks
mantraps
Biometrics
pros - hard to fake them
cons - the system can easily produce false negatives and reject legitimate access
False Rejection Rate (FRR)
FRR
percentage of time a biometric reader denies access to legitimate user
False Acceptance Rate (FAR)
FAR
percentage of time an unauthorized user is granted access by the system
Crossover Error Rate (CER)
the point where FRR and FAR intersect on a graph
a ranking method to determine how well the system works overall
The lower the number, the better the ranking