Social Engineering and Physical Security Flashcards

1
Q

Social Engineering Phases

A
  1. Research (dumpster dive, visit websites, tour the company)
  2. Select the victim (identify frustrated employees)
  3. Develop a relationship
  4. Exploit the relationship (collect sensitive information)
2
Q

Why do social engineering attacks work?

A

Human nature - trusting
Ignorance of social engineering efforts
Fear (of consequences for not providing the requested information)
Greed (promised gain for providing the requested information)
A sense of moral obligation
Insufficient training
Unregulated information or physical access
Complex organizational structure
Lack of security policies
Halo effect - a single human trait (an attractive appearance, a smile) influences the perception of a person's other traits

3
Q

Human based social engineering attacks

A

Information gathering through conversation
Dumpster Diving - TRASHINT
Impersonation
Posing as a user and requesting a password reset
Authority support - posing as a support professional and requesting that a user reset their password to one provided by the attacker
Shoulder surfing - up-close or long-distance observation
Eavesdropping
Tailgating - using a fake badge and following someone with a valid badge through the door
Piggybacking - no fake badge; simply following someone in

4
Q

RFID identity theft

A

Also known as RFID skimming

5
Q

Reverse social engineering

A

Advertising that you are the support desk and waiting for a user to contact you for help. Inside-to-outside communication is always more trusted than outside-to-inside communication.

6
Q

Insider attacks

A

Disgruntled employees

7
Q

Computer Based Attacks

A

Malicious pop-ups
Fake AV or rogue security software
Phishing. To mitigate:
1. Beware of unknown, unexpected or suspicious originators
2. Be aware of whom the email is addressed to
3. Verify phone numbers
4. Beware of bad spelling or grammar
5. Always check links before following them
6. Use tools like the Netcraft Toolbar and the PhishTank Toolbar

8
Q

Spear Phishing

A

A targeted phishing attack against a specific individual. When targeted against high-level individuals within an organization, it is called whaling.

9
Q

Pharming

A

The use of malicious code of some sort that redirects a user's web traffic; also known as "phishing without a lure"

10
Q

Spimming

A

Spam messages over instant messaging

11
Q

Sign in seal

A

An email protection method that uses a secret message or image that is referenced on every official communication from the site. The sign-in seal is kept locally on your computer, so no one else can copy or spoof it.

12
Q

Phishing Countermeasures

A

Set up multiple layers of defense
Change management procedures
Strong authentication measures
Promoting policies and procedures
User education - the most effective countermeasure
13
Q

Mobile Based Attacks

A

ZitMo (Zeus in the middle) - Android malware that asked a banking user to install a "two-factor authentication" component that was in actuality the malware itself

14
Q

Mobile based social engineering attacks

A
  1. Publishing malicious apps
  2. Repackaging legitimate apps
  3. Fake security applications
  4. SMS - fake security notifications that prompt the victim to call a "support" number; also known as smishing
15
Q

Physical security measures

A

All the things that you can physically touch, like fences and gates

16
Q

Technical security measures

A

Access control systems

17
Q

Operational measures

A

Policies and procedures, such as background checks on employees, risk assessments on devices, and policies regarding key management and storage

18
Q

Biometrics

A

False Rejection Rate (FRR) - the percentage of attempts in which a biometric device denies access to a legitimate user
False Acceptance Rate (FAR) - the percentage of attempts in which a biometric device grants access to an unauthorized user
Crossover Error Rate (CER) - the point at which the FRR and the FAR curves intersect, i.e. where the two rates are equal