Social Engineering Attacks (CompTIA Objective 2.5) Flashcards
1
Q
When it comes to Social Engineering what makes it so difficult to manage?
A
- It is constantly changing; you never know what the attacker will use next.
- It may involve multiple people and multiple organizations; there are ties connecting many organizations.
- It may be in person or electronic, e.g. phone calls from aggressive "customers", or emailed funeral notifications for a friend or associate.
2
Q
What exactly is social engineering and what are some of its principles?
A
- Authority: the social engineer is in charge. E.g. "Hi, I'm calling from the help desk / the office of the CEO / the police."
- Intimidation: bad things will happen if you don't help. E.g. "If you don't help me, the payroll checks won't be processed."
- Consensus / social proof: convince based on what is normally expected. E.g. "Your co-worker Jill did this for me last week."
- Scarcity: the situation will not be this way for long; the change must be made before time expires.
- Urgency: works alongside scarcity. "Act quickly, don't think."
- Familiarity / liking: someone you know, someone who claims common friends, etc.
- Trust (someone who's safe): "I'm with IT, and I'm here to help."
3
Q
What is phishing and how does it work?
A
- Social engineering with a touch of spoofing. Often delivered by spam, IM, etc. Very convincing when done well. Essentially tricks you into providing personal information.
- Can be fake websites posing as trusted ones. Don't be fooled: check the URL in the address bar, not just how the page looks.
- Usually there's something not quite right (spelling, fonts, graphics, etc.).
- Phishing carried out over the phone is known as "vishing" (voice phishing): fake security checks, bank updates, etc.
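The "check the URL in the address bar" advice can be made concrete. The Python below is an added example for this card, not code from the original flashcards: it extracts the registrable domain of a link (so that `example.com.evil.net` is recognised as `evil.net`), flags homograph-style hostnames, credentials hidden before an `@`, and HTML anchors whose visible text names a different domain than their real target. The trusted-domain set, the short suffix list standing in for the Public Suffix List, and the sample email are all constructed for illustration.

```python
"""Phishing URL and link checks: the logic behind "check the URL in the address bar".

Added example, not from the original flashcards. TRUSTED, SUFFIXES and SAMPLE_EMAIL
are constructed for illustration; a real deployment would use the Public Suffix List.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example.com", "bank.example"}             # constructed: brands the user trusts
SUFFIXES = {"com", "net", "org", "example", "co.uk"}  # constructed stand-in for the PSL
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")  # domain-looking token in link text


def registrable_domain(host):
    """Return the part of a hostname the registrant actually controls.
    Subdomains are free to choose, so 'example.com.evil.net' registers as
    'evil.net', not 'example.com'; 'login.example.com' registers as 'example.com'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return host if i == 0 else ".".join(labels[i - 1:])
    return host  # unknown suffix: treat the whole host as registrable


def check_url(url, trusted=TRUSTED):
    """Return the list of warnings for one URL; an empty list means nothing was found."""
    warnings = []
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme!r}, not https")
    # Non-ASCII or punycode (xn--) labels can be homographs of a trusted name.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        warnings.append("internationalised hostname (possible homograph)")
    # In https://example.com@evil.net/ the browser goes to evil.net.
    if parts.username is not None:
        warnings.append("credentials in URL: the text before '@' is not the host")
    reg = registrable_domain(host)
    if reg not in trusted:
        lookalikes = [t for t in trusted if t.split(".")[0] in host]
        if lookalikes:
            warnings.append(f"host {host!r} resembles {lookalikes} but registers as {reg!r}")
        else:
            warnings.append(f"host {host!r} registers as {reg!r}, not a trusted domain")
    return warnings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML email."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_email_html(html, trusted=TRUSTED):
    """Map each href to its warnings, adding one when the visible link text
    names a different registrable domain than the real target."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        warns = check_url(href, trusted)
        real_host = urlparse(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        if shown and registrable_domain(shown.group(0)) != registrable_domain(real_host):
            warns.append(f"link text shows {shown.group(0)!r} but points at {real_host!r}")
        findings[href] = warns
    return findings


# Constructed sample: one deceptive link and one legitimate one.
SAMPLE_EMAIL = """
<p>Your account will be suspended.
<a href="https://example.com.evil.net/login">https://example.com/login</a></p>
<p>Or use <a href="https://login.example.com/">the secure portal</a>.</p>
"""

if __name__ == "__main__":
    for href, warns in check_email_html(SAMPLE_EMAIL).items():
        print(href, "->", warns or "ok")
```

The registrable-domain step is the one that matters most: the "something not quite right" in a phishing link is usually not a misspelling of the brand but a real brand name placed in the subdomain or in the link text, while the domain that actually receives the click belongs to the attacker.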
4
Q
What is Spear phishing and how does it work?
A
- Phishing with inside information, which makes the attack more believable. Spear phishing aimed at the CEO is called "whaling".
- Example: the Epsilon breach of April 2011. Fewer than 3,000 email addresses were attacked, covering 100% of the email operations staff. The payload downloaded an anti-virus disabler, a keylogger and a remote administration tool.
- Example: Oak Ridge National Laboratory, April 2011. An email purporting to come from the "Human Resources Department" targeted 530 employees; 57 clicked and 2 machines were infected. Data was downloaded and servers were infected with malware.
5
Q
What is impersonation and how does it work?
A
- Pretending to be someone you aren't (Halloween for fraudsters).
- Use the details you got from the dumpster: "You can trust me, I'm with your help desk."
- Approach the victim as someone higher in rank ("Office of the Vice President of Scamming").
- Throw lots of technical details around: "Catastrophic feedback due to the depolarization of the differential magnetometer."
- Be a buddy: "How about those Cubs?"
6
Q
What is shoulder surfing and how can it be used to gain access to your sensitive data?
A
- You have access to important information, and many people want to see it, whether out of curiosity, for industrial espionage or for competitive advantage.
- It is surprisingly easy in places such as airports and flights, hallway-facing monitors, coffee shops, etc.
- People can also watch what you're doing from a building across the street with binoculars or a telescope (easy in a big city).
- Webcam monitoring.
7
Q
What is tailgating and what are some examples of it in use?
A
- Using someone else to gain access to a building without an access card (not by accident).
- In Johnny Long's book "No Tech Hacking" he describes people who use clothing to blend in, or who attach themselves to a third party with a legitimate reason to be in the building, such as a telephone installer while work is being done on the lines. Another example is someone carrying a box of donuts who gets let in by whoever is at the door.
- Once they are inside there is little to stop them (most security stops at the perimeter).
8
Q
What is dumpster diving?
A
- A dumpster is a mobile garbage container; the word comes from a US brand name.
- Important information gets thrown out with the trash ("thanks for bagging your trash for me").
- Gather details that can be used for a different attack (names to impersonate, phone numbers to use, etc.).
- Timing is important: just after month end, end of quarter, etc.
- In the US, going through a dumpster and taking whatever is in it is generally legal unless the dumpster is on private property. If you have any questions, talk to a legal professional.