✅Social Engineering
Technique in which the attacker uses deceptive practices to
- Convince someone to divulge information they normally would not divulge.
- Convince someone to do something they normally wouldn't do.
Why social engineering is successful
- People desire to be helpful.
- People desire to avoid confrontation.
Seemingly innocuous information can be used
- Directly, in an attack
- Indirectly, to build a bigger picture to create an aura of authenticity during an attack
Indirect methods
- Phishing
- Vishing
✅Phishing
- Type of social engineering
- Attacker masquerades as a trusted entity
- Typically sent to a large group of random users via e-mail or instant messenger
- Typically used to obtain usernames, passwords, credit card numbers, and details of the user's bank accounts
- Preys on users of PayPal, eBay, major banks, and brokerage firms
✅Vishing
- Use of voice technology to obtain information
- Variation of phishing
- Takes advantage of the trust people place in the telephone network
- Attackers spoof calls from legitimate entities using VoIP
- Voice messaging can be compromised and used in these attempts.
- Attackers hope to obtain credit card numbers or other information for identity theft.
Successful because
- Individuals trust the telephone system.
- With caller ID, people believe they can identify who is calling them.
- Caller ID can be spoofed.
✅Spear Phishing & Pharming
Spear phishing
- Relatively new term
- Modification to normal phishing attacks
- Special targeting using specific information
- Designed to trick the user into believing the message is genuine
Pharming
- Redirects the user to a bogus website
- Appears similar to the original
- Convinces the user to give information
✅Shoulder Surfing
Attacker directly observes sensitive information by
- Looking over the shoulder of the user
- Setting up a camera
- Using binoculars
✅Targeted information
- Personal identification number (PIN) at an ATM
- Access control entry code at a secure gate or door
- Calling card or credit card number
✅Defenses
- Small shield to surround a keypad
- Scramble the location of the numbers, i.e., the top row at one time includes the numbers 1, 2, and 3 and the next time 4, 8, and 0.
✅Poor Security Practices
Users create security problems via poor practices
- Writing secrets down
- Password selections
- Piggybacking
- Dumpster diving
- Installing unauthorized hardware/software
✅Password Selection
Users tend to pick passwords that are easy for them to remember
- Dates
- Names
- +1, 2, 3 on changes: Mary1, Mary2, Mary3
If it's easy for them to remember, it means that the more you know about the user, the better your chance of discovering their password.
✅The rules for good password selection in general:
- Use eight or more characters in your password
- Include a combination of upper- and lowercase letters
- Include at least one number and one special character
- Do not use a common word, phrase, or name
- Choose a password that you can remember so that you do not need to write it down.
- Think of a phrase, song, poem or speech that you know by heart.
- Use the first letter of each word in the phrase.
- "Jack be nimble, jack be quick, jack jumped over the candlestick" becomes Jbnjbqjj0tcs!
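An added example (not from these notes) that turns the rules above into a checker and derives a password from a phrase the way the slide describes. The list of common words is a small constructed stand-in for a real dictionary, and the slide's result counts "candle" and "stick" as two words, which is how the test below writes the rhyme.

```python
import re
import string
from typing import Optional

# Constructed stand-in for a real common-password/dictionary list (assumption:
# a deployment would load a full list, e.g. a breached-password corpus).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "mary", "jack"}


def check_password(pw: str) -> list:
    """Return the rule violations for pw; an empty list means it passes every rule."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper- and lowercase letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs at least one special character")
    # Strip digits and punctuation so "Mary1" or "password!" still match the list.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core in COMMON_WORDS:
        problems.append("is a common word or name")
    return problems


def contains_personal_info(pw: str, facts: list) -> bool:
    """True if any known fact about the user (name, birth year, ...) appears in pw."""
    lowered = pw.lower()
    return any(fact.lower() in lowered for fact in facts if fact)


def phrase_to_password(phrase: str, substitutions: Optional[dict] = None,
                       suffix: str = "!") -> str:
    """Take the first letter of each word, apply character substitutions, append suffix."""
    subs = {"o": "0"} if substitutions is None else substitutions
    initials = "".join(word[0] for word in re.findall(r"[A-Za-z]+", phrase))
    for old, new in subs.items():
        initials = initials.replace(old, new)
    return initials + suffix


if __name__ == "__main__":
    rhyme = "Jack be nimble, jack be quick, jack jumped over the candle stick"
    derived = phrase_to_password(rhyme)
    print(derived, check_password(derived) or "passes all rules")
    print("Mary1", check_password("Mary1"), contains_personal_info("Mary1", ["Mary"]))
```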
✅Piggybacking
- Following closely behind a person who has just used their own access card to gain physical access to a room or building.
- Relies on the attacker taking advantage of an authorized user not following security procedures, e.g., returning from a smoking area.
Countered by
- Training and awareness
- Guards
- Mantrap