Chapter 11

tokens

A "something you have" factor. It generally gives you at least two-factor authentication, because the user needs both the physical item and a PIN or passcode they memorize to go with it.

smartcards

A "something you have" factor: a card with an embedded chip that holds a large amount of information, including identity certificates issued by a PKI system to identify the user. Some also have RFID features that broadcast information to proximity readers that need no swipe.

Five main reasons social engineering is effective

1. human nature 2. ignorance of social engineering 3. fear (of the consequences of not providing the requested information) 4. greed (a promised gain for providing the information) 5. a sense of moral obligation

Four phases of successful social engineering

1. research (dumpster diving, visiting websites, touring the company, etc.) 2. select the victim (a frustrated employee or other target) 3. develop a relationship 4. exploit the relationship (collect sensitive information)

Tools that can help in identifying risky sites and phishing behavior

Netcraft Toolbar, PhishTank Toolbar, and sign-in seals

ZitMo (ZeuS-in-the-mobile)

A piece of mobile malware that turned up on Android phones. It intercepted the one-time passwords banks sent by SMS, so the attacker held the OTP as well as the credentials already stolen by ZeuS on the victim's PC.

real world phishing example that is common and successful

Registering a lookalike domain by appending "-benefits" to the company's name, so the message appears to come from the company's benefits program.

Steps in reverse social engineering

advertisement, sabotage, support

Fake AV aka Rogue Security

Malware posing as antivirus or other security software. Its "purchase" or "activation" prompt gives the attacker potential access to PII such as billing address and credit card details. Verify any link in an email or other notification about such software before clicking it.

publishing malicious apps

An attacker creates an app that looks like, acts like, and is named similarly to a legitimate application.

SMS aka Smishing

An attacker sends SMS text messages crafted to appear as legitimate security notifications, with a phone number provided. The user unwittingly calls the number and provides sensitive data in response.

repackaging legitimate apps

An attacker takes a legitimate app from the app store, modifies it to contain malware, and posts it on a third-party app store for download.

Physical measures

Anything you can touch, taste, smell, or get shocked by: lighting, locks, fences, guards with tasers, etc.

mobile based attack

app- or SMS-based attacks

Social Engineering

The art of manipulating a person or group of people into providing information or a service they otherwise would never have given.

authority support

The attacker calls the help desk posing as a locked-out user. The help desk wants to help and resets the password to something the attacker knows, granting the attacker access.

piggybacking

The attacker does not have a badge but asks an authorized person to let them in anyway, and the door is held open for them.

tailgating

The attacker has a fake badge and simply follows an authorized person through the opened security door.

computer based social engineering attacks

attacks carried out with the use of a computer

pop-ups

Attacks that use code to create windows the user will unknowingly click. The click takes the user to a malicious site where content is downloaded to their machine, or the user is prompted for credentials.

Yubikey

A basic two-factor authentication token that works over a standard USB port. Every time it is used it generates a one-time password that renders all previous ones useless. As long as the user has the token and knows their own access code, every login is fresh and secure.
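The "renders all before it useless" property comes from a counter the server never lets go backwards. The following is an added example, not Yubico's code or the page's own: the native Yubico OTP is an AES-encrypted block carrying a session counter, and the device can also be configured for OATH-HOTP, which is what is implemented here (RFC 4226) together with a server-side record that refuses any OTP at or below the last accepted counter, and a login that requires the memorized access code as well. The secret is the RFC 4226 test-vector key; the PIN "4711", the salt, and the look-ahead window of 10 are assumptions.

```python
"""Counter-based OTP with replay rejection (RFC 4226 HOTP; added example)."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class TokenRecord:
    """Server-side state for one enrolled token.

    The highest counter ever accepted is remembered; any OTP at or below it is
    refused. That is what makes every earlier OTP useless once a newer one is used."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.look_ahead = look_ahead  # assumed window: tolerates presses the server never saw
        self.last_counter = -1

    def verify_otp(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c  # c and everything before it is now dead
                return True
        return False


def enrol_pin(pin: str, salt: bytes = b"constructed-salt") -> tuple:
    """Store the memorised access code as a salted PBKDF2 hash (salt is an assumed constant here)."""
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def login(token: TokenRecord, pin_record: tuple, pin: str, otp: str) -> bool:
    """Two factors: the PIN the user knows and a fresh OTP from the device they have."""
    salt, expected = pin_record
    got = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    pin_ok = hmac.compare_digest(got, expected)
    otp_ok = token.verify_otp(otp)  # always evaluated, so a wrong PIN gives no separate oracle
    return pin_ok and otp_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 test-vector key
    token = TokenRecord(secret)
    record = enrol_pin("4711")  # assumed PIN
    print(login(token, record, "4711", hotp(secret, 0)))  # fresh OTP: True
    print(login(token, record, "4711", hotp(secret, 0)))  # same OTP replayed: False
```

A captured OTP fails verification as soon as any later one has been accepted, even though it was once valid; the look-ahead window only covers presses the server never saw, so an attacker cannot reach back behind the stored counter.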

Might indicate a phishing email-can be checked to verify legitimacy

Beware unknown, unexpected, or suspicious originators. Check whom the email is addressed to (company emails are usually personally addressed). Verify phone numbers. Beware bad spelling or grammar. Always check links: changing a letter, adding or removing a letter, swapping the letter o for the digit 0, or the letter l for the digit 1 changes the DNS lookup for the click. Hovering the mouse over a link shows where it really intends to send you.
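The link checks just listed, plus the "-benefits" style lookalike domain from the phishing example earlier on this page, can be run automatically over the HTML of a suspect email. The following is an added example, not code from the original page or from any product: it pulls every anchor out of a constructed sample message and flags links whose visible text names a different host than the href (the hover check), whose host matches a trusted brand domain only after folding lookalike characters such as 0/o and 1/l, or that embed the brand name inside an unrelated domain. The trusted domain examplebank.com, the sample message, and the confusable table are constructed assumptions.

```python
"""Flag suspicious links in an HTML email (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Character swaps a reader can miss; the table is an assumption, extend as needed.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def web_host(value: str) -> str:
    """Hostname of an http(s) URL or bare domain, lower-cased; '' for mailto:, tel:, etc."""
    s = value.strip()
    u = urlparse(s)
    if not u.scheme:
        u = urlparse("http://" + s)
    if u.scheme not in ("http", "https"):
        return ""
    return (u.hostname or "").lower().rstrip(".")


def under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def normalize(host: str) -> str:
    """Fold lookalike characters so examp1ebank.com compares equal to examplebank.com."""
    return host.translate(CONFUSABLES).replace("rn", "m")  # "rn" renders like "m"


def analyze(html: str, trusted: list) -> list:
    """Return [{'href', 'host', 'reasons'}] for every web link that fails a check."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = web_host(href)
        if not host:
            continue  # non-web schemes are out of scope here
        reasons = []
        if URL_LIKE.match(text):  # the hover check: text shows one host, href another
            shown = web_host(text)
            if shown and not (under(shown, host) or under(host, shown)):
                reasons.append(f"text shows {shown} but link goes to {host}")
        for td in trusted:
            if under(host, td):
                continue  # genuinely the brand's own domain
            if under(normalize(host), normalize(td)):
                reasons.append(f"lookalike of {td} (character substitution)")
            elif td.split(".")[0] in host:
                reasons.append(f"brand name '{td.split('.')[0]}' inside unrelated domain {host}")
        if reasons:
            flagged.append({"href": href, "host": host, "reasons": reasons})
    return flagged


# Constructed sample message; the bank and its domain are fictitious.
SAMPLE_EMAIL = """
<p>Your account is locked. <a href="http://examp1ebank.com/login">https://www.examplebank.com/login</a></p>
<p>Review your plan at <a href="https://examplebank-benefits.net/enroll">Benefits Portal</a></p>
<p>Or visit <a href="https://www.examplebank.com/help">our help center</a>.</p>
<p>Questions? <a href="mailto:help@examplebank.com">Email us</a></p>
"""
TRUSTED_DOMAINS = ["examplebank.com"]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run against the sample, the first link is flagged twice (visible text names www.examplebank.com while the href goes to examp1ebank.com, which is the brand after folding 1 to l) and the "-benefits" link once, while the real help-center link and the mailto: link pass.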

chat or messenger channels

A computer-based social engineering attack: find out personal information for future attacks, and use the channels to spread malicious code and install software.

mantrap

Designed as a pure physical access control; provides additional control and screening at the door or access hallway to the controlled area. Two doors create a small space that holds a person until appropriate authentication has occurred.

What covers the event that something catastrophic occurs

disaster recovery and contingency plans

TRASHINT or Trash Intelligence

dumpster diving

RFID Identity theft aka RFID skimming

Reading and duplicating the RFID signal from an access card, then replaying it to gain physical access.

sign-in seal

An email protection method that uses a secret message or image chosen by the user, which is then shown on any official communication from the site. It is kept locally on the user's computer, so in theory no one else can copy or spoof it.

categories of social engineering attacks

human based, computer based, or mobile based

Why spear phishing is more effective than phishing

If the audience is smaller and has a specific interest or set of duties in common, it is easier for the attacker to craft an email they will be interested in reading.

most common form of social engineering

impersonation

reverse social engineering

An impersonation attack in which the attacker gets the target to call them with the information. The attacker sets up a scenario in which the user feels they must dial in for support.

physical security

Includes the plans, procedures, and steps taken to protect your assets from deliberate or accidental events that could cause damage or loss.

single biggest threat to your security

insider attack

factors that allow social engineering to succeed

Insufficient training, unregulated information (or physical) access, complex organizational structure, and lack of security policies.

phishing

Involves crafting an email that appears legitimate but in fact contains links to fake websites or to downloads of malicious content.

spear phishing

A targeted attack against an individual or a small group of individuals within an organization (usually the result of a little reconnaissance work).

potential targets for social engineering

Known as "Rebecca" or "Jessica": a person who is easy to social-engineer and can also give other attackers information on whom to target.

technical measures

Measures taken with technology in mind that protect explicitly at the physical level, e.g., smartcards and biometrics.

Prevent social engineering attacks

Multiple layers of defense: change management procedures and strong authentication measures, promoting policies and procedures, and setting up physical or technical controls. Most importantly, user education: training users how to recognize and prevent these attacks.

Physical circumstances you need to protect against

natural or manmade

Internet Relay Chat (IRC)

One of the primary ways zombies (computers that have been compromised by malicious code and are part of a botnet) are controlled by their malicious code masters.

preventing phishing emails

Perimeter email filters, but it is impossible to prevent them all. The best method is to educate users on how to spot a bad email.

simplest and most common method of computer based social engineering

phishing

access controls

Physical measures designed to prevent access to controlled areas; they include biometric controls, identification/entry cards, door locks, and mantraps.

three major components of physical security measures

physical, technical, and operational

operational measures

The policies and procedures you set up to enforce a security-minded operation, e.g., background checks on employees, risk assessments on devices, and policies regarding key management and storage.

computer based attack

pop-ups and phishing

impersonation

The attacker pretends to be someone he or she is not, and that someone or something (an employee, valid user, repairman, help desk, executive, IT security expert, or FBI agent, the last of which is illegal to impersonate) is someone or something the target respects, fears, or trusts.

four categories of mobile based social engineering attacks

publishing malicious apps, repackaging legitimate apps, fake security applications, SMS

disgruntled employees social engineering deterrent

Separation of duties, least privilege, and controlled access. At some point, though, you must trust the individuals who work in your organization. The best efforts include vetting employees, providing everything necessary for them to succeed at work, and having really good disaster recovery and continuity-of-operations procedures in place.

halo effect

A single trait influences the perception of other traits.

Number one social engineering attack in today's world

spear phishing

whaling

spear phishing against high level targets in an organization (board of directors, CEO etc.)

computer based attacks

Specially crafted pop-up windows, hoax emails, chain letters, instant messaging, spam, and phishing. Also consider social networking.

Fake security applications

Starts with a victimized PC: the attacker infects a PC with malware and has also uploaded a malicious app to an app store. Once the user logs in to their bank, a malware pop-up advises them to download bank security software to their phone. The user complies, thus infecting their mobile device.

mobile social engineering attacks

Those that take advantage of mobile devices (applications or services on mobile devices) to carry out their end goal.

"defense in depth" or "layered security"

A thought process that involves not relying on any single method of defense but rather stacking several layers between the asset and the attacker.

Spear phishing is more effective than regular phishing

true

disgruntled employee doesn't need to still be employed at your organization to cause problems

true

inside to outside communication is always more trusted than outside to inside communication

true

human based social engineering

Uses interaction in conversation or other circumstances between people to gather useful information (e.g., shoulder surfing, eavesdropping). Presentation is everything.

Vishing (Voice Phishing)

Using the telephone during a social engineering effort.

phishing

Usually involves a mass mailing of a crafted email in hopes of snagging some unsuspecting reader.

monitoring mantraps

video surveillance or guards

