Security, Usability, Psychology Flashcards
What are humans weak at?
- Repeating prescribed actions exactly, every time
- Compartmentalizing tasks
- Working without context
- Monitoring events that seldom change (vigilance decays)
What are humans strong at?
- Inventing new tools and practices
- Mixing and matching
- Helping and learning with others
- Adapting to new situations
Name five authentication factors
- Ownership factors (something you have, e.g. a token or phone)
- Knowledge factors (something you know, e.g. a password)
- Inherence factors (something you are, e.g. a fingerprint)
- Time-based authentication (login only within an allowed time window)
- Location-based authentication (login only from an allowed place or network)
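The following is an added example, not part of the original flashcards, showing how four of the five factors can be checked together in one login decision: a password (knowledge), a TOTP code from a device seed (ownership, RFC 6238 with the RFC test seed), the source IP (location) and the hour of day (time). Inherence is left out because a biometric check cannot be demonstrated offline. The user record, salt, network and login hours are constructed test data, and the helper names are my own.

```python
"""Multi-factor login check combining knowledge, ownership, location and time factors.
Added example; all users, secrets, networks and policies are constructed test data."""
import base64
import hashlib
import hmac
import ipaddress
import struct
from datetime import datetime, timezone

_SALT = b"constructed-salt"          # constructed; a real system stores a per-user random salt
_PBKDF2_ROUNDS = 100_000

def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)

# Constructed user record: hashed password (knowledge), base32 TOTP seed (ownership),
# allowed source network (location) and permitted login hours in UTC (time).
USERS = {
    "alice": {
        "pw_hash": _pw_hash("correct horse battery staple"),
        "totp_seed": base64.b32encode(b"12345678901234567890").decode(),  # RFC 6238 test seed
        "allowed_net": ipaddress.ip_network("10.0.0.0/8"),
        "login_hours": (8, 18),  # 08:00 <= hour < 18:00 UTC
    }
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(base64.b32decode(seed_b32), unix_time // step, digits)

def check_knowledge(user: dict, password: str) -> bool:
    # Constant-time comparison of the freshly derived hash against the stored one.
    return hmac.compare_digest(user["pw_hash"], _pw_hash(password))

def check_ownership(user: dict, code: str, unix_time: int) -> bool:
    # Accept the current 30-second step and one step either side to tolerate clock drift.
    secret = base64.b32decode(user["totp_seed"])
    step = unix_time // 30
    matches = [hmac.compare_digest(hotp(secret, step + d), code) for d in (-1, 0, 1)]
    return any(matches)

def check_location(user: dict, source_ip: str) -> bool:
    return ipaddress.ip_address(source_ip) in user["allowed_net"]

def check_time(user: dict, unix_time: int) -> bool:
    start, end = user["login_hours"]
    hour = datetime.fromtimestamp(unix_time, timezone.utc).hour
    return start <= hour < end

def verify_login(username: str, password: str, code: str, source_ip: str, unix_time: int) -> dict:
    """Evaluate every factor and grant access only if all of them pass.
    Unknown users get the same set of (failed) checks so the response shape leaks nothing."""
    user = USERS.get(username)
    if user is None:
        return {"knowledge": False, "ownership": False, "location": False, "time": False, "granted": False}
    result = {
        "knowledge": check_knowledge(user, password),
        "ownership": check_ownership(user, code, unix_time),
        "location": check_location(user, source_ip),
        "time": check_time(user, unix_time),
    }
    result["granted"] = all(result.values())
    return result

if __name__ == "__main__":
    now = 1700050000  # 2023-11-15 12:06:40 UTC, inside the constructed login window
    good_code = totp(USERS["alice"]["totp_seed"], now)
    print(verify_login("alice", "correct horse battery staple", good_code, "10.1.2.3", now))
    print(verify_login("alice", "correct horse battery staple", good_code, "203.0.113.7", now))
```

Each factor is evaluated independently and the decision is the conjunction, so a stolen password alone (knowledge) or a phished one-time code alone (ownership) is not enough; the location and time checks narrow the window further, which is exactly what makes them useful as additional factors rather than replacements.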
Name the 6 key principles of social engineering by Cialdini
Reciprocity, Commitment and consistency, Social proof, Authority, Liking, Scarcity
Explain the principle of “Reciprocity”
People tend to return a favour. Example: the Nigerian prince scam, where the victim is promised a share of a fortune in return for a small favour
Explain the principle of “Commitment and consistency”
Once people have committed to an ideal or goal, they are likely to act consistently with that commitment
Explain the principle of “Social proof”
People will do things that they see other people doing
Explain the principle of “Authority”
People will tend to obey authoritative figures, even if asked to perform objectionable tasks
Explain the principle of “Liking”
People are easily persuaded by people they like or know
Explain the principle of “Scarcity”
Perceived scarcity generates demand (limited time, limited supply)
What are the categories of Krombholz’ taxonomy of social engineering?
Type, Operator, Channel
What different social engineering types are there?
Physical, Social, Technical, Socio-Technical
What different social engineering channels are there?
E-mail, Instant messaging, Telephone / VoIP, Social networks, Cloud, Website
What different social engineering operators are there?
Human, Software
Name 7 different social engineering attack vectors
Phishing, Dumpster diving, Shoulder surfing, Reverse social engineering, Waterholing, Advanced Persistent Threat, Baiting
What is Dumpster diving?
Sifting through trash of individuals or companies to find sensitive information
What is Shoulder surfing?
Using direct observation techniques to gain information, such as looking at a screen over someone’s shoulder
What is Reverse social engineering?
The attacker gains the victim's trust by engineering a situation in which the victim asks the attacker for help (e.g. the attacker causes a problem, advertises as the one who can fix it, and the victim comes to them)
What is waterholing?
Attackers compromise a website their intended victims are likely to visit and wait for the victims to come to it, instead of contacting them directly
What is Advanced Persistent Threat?
A long-term, targeted, mostly Internet-based espionage attack that stays undetected in the victim's environment for an extended period
What is Baiting?
Malware-infected storage medium is left at a place where it is likely to be found by victims
What differentiates Dynamite Phishing from regular Phishing?
Personal information about the target (e.g. names of contacts or earlier e-mail conversations) is used to make the phishing message look legitimate, combining the scale of mass phishing with spear-phishing-style personalization
Name 4 countermeasures against social engineering
Training, Security protocols, Standard framework, Event test