Sec+ Chapter 04: Social Engineering, Physical, and Password Attacks Flashcards
Social engineering
The practice of manipulating people to accomplish a desired action
7 social engineering principles
1) Authority
2) Intimidation
3) Consensus
4) Scarcity
5) Familiarity
6) Trust
7) Urgency
Phishing
Fraudulent acquisition of credentials, sensitive PII, etc.
Usually done over email
Smishing
Phishing via SMS text messages
Vishing
Phishing over the phone
Spearphishing
Targets specific individuals or groups to gather desired information or access
Whaling
Aimed at senior employees like CEOs and CFOs (the big fish)
Phishing defense
Security awareness
Reputation tools
Spam filters on email
Credential harvesting
The process of gathering credentials like user / pass combos
Often done via phishing attacks
Pharming
Attack that redirects traffic from legit sites to bad ones
Requires altered DNS entries
Typosquatting
A misspelled or slightly altered, but similar-looking, version of a legitimate website URL
Watering hole attacks
Attacks that compromise websites users frequent, infecting visitors there so they carry the infection back to their own systems
Spam
Unsolicited or junk email
Employs SE techniques to get you to open a message or click a link
SPIM
Spam over IM
Dumpster diving
Retrieving potentially sensitive information from a dumpster or trash
Dumpster diving defense
Use secure disposal services for documents, secure dumpsters, ensure trash doesn’t have sensitive info in it
Shoulder surfing
Looking over a person’s shoulder, through mirrors, etc. to capture info
Shoulder surfing defense
Security awareness
Security screens
Polarized screen covers
Tailgating
Following someone who has authorized access into an area as they open secure doors.
Tailgating defense
Make anyone present show credentials if they follow you in
Elicitation
Technique to gather info without targets realizing they’re providing it
Elicitation defense
Be aware, don’t be an idiot
Prepending
Adding an expression or phrase to an email to make it look like it passed the spam filter
Pretexting
Using a made-up scenario to justify why you’re approaching an individual
Identity fraud / theft
The illicit use of someone else’s identity
Hoaxes
Intentional falsehoods
Invoice scam
Sending fake invoices to organizations in the hopes of receiving payment
Brute force attack
An attack that iterates through passwords until you find one that works
Password spraying
Brute force attack that attempts to use a single password or small set of passwords against many accounts
Dictionary attacks
Brute force attack that uses a word list for its attempts
Hashing
One-way cryptographic function that takes an input and generates a unique, repeatable output
Malicious flash drive attacks
Drop flash drives in a place where they’ll be picked up and plugged in by a victim
Drives will have malicious code / programs on them
Malicious USB cables
Cables that can capture keystrokes, capture data, or deploy malware
Card cloning
Focuses on capturing information from cards like RFID and magnetic stripes often used for entry access
Skimming
Attacks that use hidden or fake readers to skim cards
Supply chain attacks
Attacks that compromise devices, systems, or software before they ever reach an organization