Chapter 11 - Low Tech Social Engineering, Physical Security

Question 1

ECC Defines 4 Phases of Social Engineering

Answer 1

Research (dumpster dive, websites, etc)
Select the victim (id frustrated employee, etc)
Develop a relationship
Exploit the relationship

Question 2

ECC 5 Reasons why social engineering works

Answer 2

human nature (trusting)

ignorance of social engineering efforts

fear (of consequences of not complying with SE)

greed (promised gain from the SE)

sense of moral obligation

Question 3

ECC 4 factors that allow social engineering to happen

Answer 3

insufficient training

unregulated information (or physical) access

complex organizational structure

lack of security policies

Question 4

3 types of social engineering attacks

Answer 4

human

computer

mobile

Question 5

Trash Intelligence, TRASHINT

Answer 5

ECC considers dumpster diving as social engineering

Question 6

Impersonation

Answer 6

Social Engineer pretends to be someone else that the target either:

respects
fears
trusts

Question 7

Authority Support

Answer 7

Attacker poses as a user, calls help desk and requests a password reset

Question 8

Tailgating vs Piggybacking

Answer 8

Tailgating - attacker has fake badge and follows someone through the door

Piggybacking - attacker doesn’t have a badge, and asks someone to let them in anyway

Question 9

RFID Skimming

Answer 9

cloning an RFID access card or credit card

Question 10

Reverse Social Engineering

Answer 10

Attacker gets target to call them with information

Question 11

3 steps of reverse Social Engineering

Advertisement
Sabotage
Support

Answer 11

Advertisement - attacker advertises his position as technical support of some kind

Sabotage - attacker pulls cables, performs DoS or something else to interrupt the target’s service

Support - target calls technical support and attacker “helps” by getting login credentials and gaining access

Question 12

Items that may indicate a phishing email

beware unknown, unexpected, suspicious originators

beware whom the email is addressed to

Verify phone numbers

beware bad spelling/grammar

always check links

Answer 12

if you don’t know the sender, be cautious. If you know the sender and the message is out of context, be cautious

companies typically address you personally

if you see a phone number in the email, call it to verify it’s legitimate

professional email won’t have misspelled words

Question 13

Spear Phishing

Answer 13

Targeted phishing against an individual or small group of individuals

Result of reconnaissance and a specially crafted email

Most successful SE attack globally. Because attacker has a small audience, it’s easier to craft an email to them

ex. you learn about a shipping and receiving clerk and craft an email to look like a bill of lading

Question 14

Whaling

Answer 14

spear phishing against a high-level target, like a CEO

Question 15

Chat or Messenger channels usage for SE

Answer 15

Used to find out personal information and spread malicious code and install software

IRC is one of the main ways that zombie computers are manipulated by attackers

Question 16

Mitigating Social engineering

Answer 16

multiple layers of defense

change management procedures

strong authentication

Best is to train users, especially tech support staff

Question 17

Mobile-based social engineering attacks

Answer 17

take advantage of mobile devices, applications or services to carry out their goal

Question 18

ZitMo (Zeus in the Middle)

Answer 18

Android malware that captured the phone; target installed application thinking it would receive security messages, but it was a way for attacker to receive their SMS authentication factor

Question 19

Mobile malware for profit

Answer 19

malware activated SMS message from victim’s phone that requested premium services. Attacker deletes return SMS messages acknowledging charges.

Question 20

ECC’s 4 categories of mobile SE attacks

publishing malicious apps
repackaging legitimate apps
fake security applications
SMS

Answer 20

publishing malicious apps
attacker creates app that’s similar to legitimate apps

repackaging legitimate apps
attacker modifies legitimate app to contain malware, posting it on 3rd party app store. Happened to Angry Birds

fake security applications
Attacker infects PC with malware, uploads malicious app to app store. When user logins in, malware popup says to download bank security software. User complies and infects mobile device

SMS
attacker sends SMS texts that look like legitimate security notifications, with a phone number. Target calls number and provides sensitive data

Question 21

ECC Term - “smishing”

Answer 21

SMS phishing

same as 4th category of mobile SE attack

Question 22

Physical Security

Answer 22

Plans, Procedures, steps taken to protect assets from deliberate or accidental events that could cause damage or loss

Not just locks and gates. Also protection from floods, earthquakes, theft, vandalism, etc.

Question 23

3 components of physical security (exam tip)

physical
technical
operational

Answer 23

physical - all things you can touch, taste, smell or get shocked by. Bollards, lights, fences, locks, parking areas, guards

technical - technological measures that protect at the physical level. Authentication and Permissions as smart cards and biometrics.

operational - policies and procedures, background checks, risk assessments, key management and storage policies

Question 24

Examples of physical considerations for physical security

Answer 24

taking out the AC can DoS your entire network

dust, humidity, static electricity, temperature

positive air pressure in data center reduces contaminates

Question 25

Examples of technical considerations for physical security

Answer 25

PIN and proximity card. biometrics.

Question 26

Examples of operational considerations for physical security

Answer 26

who controls the physical keys, where are they, and how are they managed?

Question 27

Access Control Types

Answer 27

biometrics
ID / Entry cards
door locks
man traps

Question 28

Biometrics

Answer 28

pros - hard to fake them

cons - easy for system to read false negatives and reject legitimate access

Question 29

False Rejection Rate (FRR)

Answer 29

FRR

percentage of time a biometric reader denies access to legitimate user

Question 30

False Acceptance Rate (FAR)

Answer 30

FAR

percentage of time an unauthorized user is granted access by the system

Question 31

Crossover Error Rate (CER)

Answer 31

the point where FRR and FAR intersect on a graph

a ranking methods to determine how well the system works overall

The lower the number, the better the ranking