12.4.6 Social Engineering
Piggybacking
An attacker enters a secure building by following an authorized employee through a secure door without providing identification.
Spear phishing
An attacker gathers personal information about the target individual in an organization.
Whaling
An attacker gathers personal information about the target individual, who is a CEO.
Dumpster diving
An attacker searches through an organization's trash for sensitive information.
Phishing
An attacker sends an email pretending to be from a trusted organization, asking users to access a website to verify personal information.
Vishing
An attacker uses a telephone to convince target individuals to reveal their credit card information.
An organization's receptionist received a phone call from an individual claiming to be a partner in a high-level project and requesting sensitive information. Which type of social engineering is this individual engaging in?
Authority Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions that exceed their authorization level.
What is the primary countermeasure to social engineering?
Awareness The primary countermeasure to social engineering is awareness. If users are unaware of the necessity for security and are not properly trained, they are vulnerable to numerous social engineering exploits. Awareness training focused on preventing social engineering should include methods for authenticating personnel over the phone, assigning classification levels to information and activities, and educating your personnel on which information should not be distributed.
On your way into the back entrance of your work building one morning, a man dressed as a plumber asks you to let him in so he can fix the restroom. What should you do?
Direct him to the front entrance and instruct him to check in with the receptionist.
Dumpster diving is a low-tech way of gathering information that may be useful for gaining unauthorized access or as a starting point for more advanced attacks. How can a company reduce the risk associated with dumpster diving?
Establish and enforce a document destruction policy. Dumpster diving is best addressed with a Document Destruction Policy. All sensitive documents should be shredded or burned, and employees should be trained on the proper use of disposal equipment and the policies governing the disposal of sensitive information.
Which of the following is a common social engineering attack?
Hoax virus information emails. Hoax virus information emails are a form of social engineering attack. This type of attack preys on email recipients who are fearful and will believe most information if it is presented in a professional manner. All too often, the victims of these attacks fail to double-check the information or instructions with a reputable third-party antivirus software vendor before implementing the recommendations. Usually, these hoax messages instruct the reader to delete key system files or download Trojan horses.
Which of the following are examples of social engineering attacks? (Select two.)
Shoulder surfing Keylogger Social engineering leverages human nature. Internal employees are often the targets of trickery, and false trust can quickly lead to a serious breach of information security. Shoulder surfing and dumpster diving are examples of social engineering. Shoulder surfing is the act of looking over an authorized user's shoulder in hopes of obtaining an access code or credentials. Social engineers often employ keystroke loggers to capture usernames and passwords. These low-tech attack methods are often the first course of action that a hacker pursues.
What is the definition of any attack involving human interaction of some kind?
Social engineering Social engineering refers to any attack involving human interaction of some kind. Attackers who use social engineering try to convince a victim to perform actions or give out information they wouldn't under normal circumstances.
You have just received a generic-looking email that is addressed as coming from the administrator of your company. The email says that as part of a system upgrade, you need enter your username and password in a new website so you can manage your email and spam using the new service. What should you do?
Verify that the email was sent by the administrator and that this new service is legitimate. You should verify that the email is legitimate and has come from your administrator. It is possible that the network administrator has signed up for a new service. If you ignore the message or delete it, you might not get the benefits the company has signed up for. However, the email might be a phishing attack. An attacker might be trying to capture personal information. By verifying the email with the administrator, you will be able to tell if it is legitimate.
A senior executive reports that she received a suspicious email concerning a sensitive internal project that is behind production. The email was sent from someone she doesn't know, and he is asking for immediate clarification on several of the project's details so the project can get back on schedule. Which type of attack BEST describes the scenario?
Whaling Whaling is a form of social engineering attack that targets senior executives and high-profile victims. Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity.
