Social Engineering

A: The use of persuasion or influence to deceive personnel into divulging confidential information or allowing the adversary to perform unauthorized actions. It relies on human weaknesses such as the willingness to help and unwillingness to question authority.

Q: Define the term social engineering.

A: Practicing the principles of separation (and rotation) of duties, least privilege, access control, logging/auditing, legal policies, archiving (restore backups).

Q: Discuss how to mitigate the insider threat.

A: Information gathering (the social engineer must have a working knowledge of the organization), development of a relationship (rapport building, sympathy, crisis manufacturing, etc.), exploitation of relationship (exploiting helpfulness or submission to authority using knowledge), execution to achieve objective (gain confidential info, unauthorized access).

Q: Discuss the various phases of the social engineering cycle.

A: The attacker can either steal the cookies, or use phishing to take the logon credentials of a target. Alternatively, the social engineer could simply create an account with the same name as a target, or a supposed acquaintance of the target.

Q: Explain how to impersonate on social networking sites.

A: The best way to prevent identity theft is to secure private information at home and work, as well as monitoring financials and utilizing local/national resources.

Q: List some examples of how to guard against identity theft.

A: Some major attack methods used by social engineers include: online, telephone, personal, and reverse social engineering.

Q: List some of the major attack methods a social engineer would use.

A: Social engineering targets often include personnel whose job is to assist. These include receptionists, help desks, technical support execs, vendors outside the organization, sysads, and regular users.

Q: List the common targets of social engineering.

A: Account setup, password change, help desk procedures (caller ID, documentation, tickets), access privileges, defined violations, employee identifications, privacy policy, paper documents, virus control

Q: List the security policy checklist.

A: There are two main subtypes of social engineering: computer-based (pop-ups, mail attachments, IM, faked web sites), which depends on software, and human-based (impersonation, dumpster diving, tailgating), which depends on human interaction.

Q: What are the types of social engineering?

A: Identity theft is the illegal use of another individual's identity. This can be accomplished through multiple methods of social engineering.

Q: What is meant by the term identity theft?