12.4.6 Social Engineering


An organization's receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. Which type of social engineering is this individual engaging in?
- Authority
- Social validation
- Commitment
- Persuasive

Authority

Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions that exceed their authorization level. Persuasive social engineering entails an attacker convincing a person to give them information or access that he or she shouldn't. Social validation entails an attacker using peer pressure to coerce someone else to bend rules or give information he or she shouldn't. Commitment social engineering entails convincing someone to buy into an overall idea and then demanding or including further specifics that were not presented up front.

What is the primary countermeasure to social engineering?
- A written security policy
- Heavy management oversight
- Traffic filters
- Awareness

Awareness

The primary countermeasure to social engineering is awareness. If users are unaware of the necessity for security and are not properly trained, they are vulnerable to numerous social engineering exploits. Awareness training focused on preventing social engineering should include methods for authenticating personnel over the phone, assigning classification levels to information and activities, and educating your personnel on which information should not be distributed. A written security policy is a countermeasure against social engineering, but without awareness training, it is useless. Heavy management oversight may provide some safeguards that protect users from social engineering, but management is less effective than awareness. Traffic filters are not countermeasures for social engineering because they do not focus on solving the human problem inherent in social engineering attacks.

On your way into the back entrance of your work building one morning, a man dressed as a plumber asks you to let him in so he can fix the restroom. What should you do?
- Let him in.
- Tell him no and quickly close the door.
- Let him in and help him find the restroom. Then let him work.
- Direct him to the front entrance and instruct him to check in with the receptionist.

Direct him to the front entrance and instruct him to check in with the receptionist.

You should direct him to the front entrance where he can check in with the proper authorities in your organization. Letting him in without knowing if he should be there could compromise security. Turning him away would be unprofessional.

You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that as part of a system upgrade, you need to enter your username and password in a new website so you can manage your email and spam using the new service. What should you do?
- Click on the link in the email and follow the directions to enter your login information.
- Click on the link in the email and look for company graphics or information before you enter the login information.
- Open a web browser, type in the URL included in the email, and follow the directions to enter your login credentials.
- Delete the email.
- Verify that the email was sent by the administrator and that this new service is legitimate.

Verify that the email was sent by the administrator and that this new service is legitimate.

You should verify that the email is legitimate and has come from your administrator. It is possible that the network administrator has signed up for a new service. If you ignore the message or delete it, you might not get the benefits the company has signed up for. However, the email might be a phishing attack. An attacker might be trying to capture personal information. By verifying the email with the administrator, you will be able to tell if it is legitimate.

A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of attack BEST describes the scenario?
- Passive
- Whaling
- Masquerading
- MAC spoofing

Whaling

Whaling is a form of social engineering attack that targets senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. Masquerading is convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Passive social engineering attacks take advantage of the unintentional actions of others to gather information or gain access to a secure facility. MAC spoofing is changing the source MAC address on frames sent by the attacker. MAC spoofing can be used to hide the identity of the attacker's computer or to impersonate another device on the network.

Which of the following are examples of social engineering attacks? (Select two.)
- War dialing
- Dumpster diving
- Impersonation
- Port scanning
- Shoulder surfing

Dumpster diving
Shoulder surfing

Social engineering leverages human nature. Internal employees are often the targets of trickery, and false trust can quickly lead to a serious breach of information security. Shoulder surfing and dumpster diving are examples of social engineering. Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of obtaining an access code or credentials. Social engineers often employ keystroke loggers to capture usernames and passwords. These low-tech attack methods are often the first course of action that a hacker pursues. Port scanning and war dialing are technical attacks that seek to take advantage of vulnerabilities in systems or networks. Impersonation is pretending to be trustworthy and having a legitimate reason for approaching the target. This is done with the purpose of asking for sensitive information or access to protected systems.

Dumpster diving is a low-tech way of gathering information that may be useful for gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
- Mandate the use of Integrated Windows Authentication.
- Create a strong password policy.
- Establish and enforce a document destruction policy.
- Secure all terminals with screensaver passwords.

Establish and enforce a document destruction policy.

Dumpster diving is best addressed with a Document Destruction Policy. All sensitive documents should be shredded or burned, and employees should be trained on the proper use of disposal equipment and the policies governing the disposal of sensitive information. A strong password policy, authentication types, and screensaver passwords are not enough to prevent the risks associated with dumpster diving. Username and password complexity efforts are wasted if employees document and dispose of this information in an insecure fashion.

Which of the following is a common social engineering attack?
- Hoax virus information emails.
- Distributing false information about your organization's financial status.
- Using a sniffer to capture network traffic.
- Logging on with stolen credentials.

Hoax virus information emails.

Hoax virus information emails are a form of social engineering attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horses. Social engineering relies on the trusting nature of individuals to incentivize them to take an action or allow an unauthorized action.

Match each social engineering description on the left with the appropriate attack type on the right.

Attack types: Phishing, Whaling, Spear phishing, Dumpster diving, Piggybacking, Vishing

Descriptions:
- An attacker gathers personal information about the target individual, who is a CEO.
- An attacker gathers personal information about the target individual in an organization.
- An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information.
- An attacker searches through an organization's trash for sensitive information.
- An attacker uses a telephone to convince target individuals to reveal their credit card information.
- An attacker enters a secure building by following an authorized employee through a secure door without providing identification.

- Phishing: An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information.
- Whaling: An attacker gathers personal information about the target individual, who is a CEO.
- Spear phishing: An attacker gathers personal information about the target individual in an organization.
- Dumpster diving: An attacker searches through an organization's trash for sensitive information.
- Piggybacking: An attacker enters a secure building by following an authorized employee through a secure door without providing identification.
- Vishing: An attacker uses a telephone to convince target individuals to reveal their credit card information.

What is the definition of any attack involving human interaction of some kind?
- Attacker manipulation
- An authorized hacker
- An opportunistic attack
- Social engineering

Social engineering

Social engineering refers to any attack involving human interaction of some kind. Attackers who use social engineering try to convince a victim to perform actions or give out information they wouldn't under normal circumstances. An opportunistic attack is typically automated and involves scanning a wide range of systems for known vulnerabilities, such as old software, exposed ports, poorly secured networks, and default configurations. An authorized hacker helps companies find vulnerabilities in their security infrastructure. Social engineers are master manipulators and use multiple tactics on their victims.
