CompTIA Security Plus - Chapter 1: Social Engineering Techniques
Whales
High-value targets
Familiarity
People do things for people they like or feel connected to. Attackers appeal to this, which can lead to misplaced trust.
Smishing attack begins with...
An SMS message containing a link to a URL that serves up a variety of attack vectors (malware)
Watering Hole Attack (complex)
A malicious attack directed toward a small group of specific individuals who visit the same website; it involves infecting a target website with malware
Consensus
a group-wide decision
Typosquatting
an attack form that involves capitalizing upon common typographical errors - also called URL hijacking or fake URL, or brandjacking if the objective is to deceive based on branding.
Smishing
an attack using Short Message Service (SMS) on victims' cell phones. It is a version of phishing via SMS
Trust
having an understanding of how something will act under specific conditions
Spam
bulk unsolicited e-mail
How can a social engineer elicit information?
by convincing people, whose main job is to help others, to perform tasks resulting in security compromises.
How can an attacker utilize consensus?
by manipulating the group to achieve desired outcomes.
The pretext_____have to be true...
does not; it only needs to be believable and relevant in convincing the victim to give help. - uses deception and false motives to manipulate the victim
The purpose of hostile SPIM...
getting an unsuspecting user to click malicious content or links, thus initiating the attack.
Using phishing, attackers target... by sending out e-mails. To become a victim, the recipient must take an action (for example, respond by providing personal information).
individuals
Pharming
misdirecting users to fake websites made to look official
In most locations, trash is... private property after it has been discarded
no longer considered (and even where dumpster diving is illegal, little enforcement occurs).
Identity fraud can also happen where?
online as well, using known information about the person you are impersonating
The effectiveness of social engineering attacks is...
part technical and part psychological
Spear Phishing Ratio
the ratio of responses received (successful attacks) to the total number of e-mails or messages sent; it usually increases because a targeted attack will seem more plausible than a message sent to users randomly
Prepending
the act of adding something else to the beginning of an item - in social engineering, the act of supplying information that another will act upon, frequently before they ask for it, in an attempt to legitimize the actual request, which comes later.
Pretexting
the attacker uses a narrative (the pretext) to influence the victim into giving up some item of information.
How are influence campaigns effective?
the bandwagon effect, where when one leads, many follow, typically without critically examining the premise they are then following. (previously called propaganda)
Hybrid warfare
the information is used to sway people toward a position favored by those spreading it.
Influence campaigns
the use of collected information and selective publication of material to key individuals in an attempt to alter perceptions and change people's minds on a topic.
Examples of Defense against identity fraud
- All packages must be dropped at the security desk - all visitors who need access must be escorted - disclosure policies governing actions like resetting passwords or granting a party access.
In pharming, the user will be directed to the fake website as a result of activity such as... (Two ways)
- DNS poisoning (an attack that changes URLs in a server's domain name table) - Modification of local host files (which are used to convert URLs to the appropriate IP address).
Examples of Online Attacks
- Impersonation - Popup Windows - Phishing (email + social media)
What can employees do to prevent social engineering attacks?
- Maintaining vigilance - employee training - frequent reminders, retraining, and notification of violations - public awareness campaigns
A countermeasure against piggybacking
- Mantrap, which utilizes two doors to gain access to the facility.
Examples of eliciting info
- Posing as an employee, an attacker can get a password reset, information about some system, or other useful information - Posing as the help desk or tech support person. Then, by calling employees, the attacker can get information on system status and other interesting elements that they can use later.
SPIM
- Spam over instant messaging - a variation of spam
Organization Policies about discarding materials
- Sensitive information should be shredded - consider securing the trash receptacle so that individuals can't forage through it - Get a shredder
What is a common method used against whales, and why?
- Spear phishing - The communication is designed to appear to be ordinary business for the target, being crafted to appear nonsuspicious.
Ways to fight against piggybacking and shoulder surfing
- Training employees in simple procedures to ensure nobody follows them too closely or is in a position to observe their actions.
How do Invoice scams function?
- Urgency - Final Notice - Threatening to report the organization to a collection agency
Spam use... (malicious - two)
- an attachment that contains malicious software designed to harm your system - a link to a malicious website that may attempt to obtain personal information from you
How do Social engineers use trust?
- by shaping the perceptions of a target to where they will apply judgments to the trust equation and come to false conclusions (not by force, but by guiding)
Spam use... (legitimate)
- company advertising a product or service
The best defense against social engineering attacks is a ... training should... but doing so in an environment where trust is...
- comprehensive training and awareness program - emphasize the value of being helpful and working as a team - verified and is a ritual
Shoulder surfing
- does not necessarily involve direct contact with the target; instead, the attacker directly observes the individual entering sensitive information on a form, keypad, or keyboard.
Tailgating (or piggybacking) exploits people who are... (three ways)
- in a hurry - not following security procedures - swayed by a sense of familiarity
Examples of Shoulder Surfing
- look over the shoulder of the user at work - may set up a camera or use binoculars to view the user entering sensitive data.
Vishing Attack
- may send an e-mail asking the victim to call a number, or the victim may receive a recorded message - spoof (simulate) calls from legitimate entities using Voice over IP (VoIP) technology - gain sensitive info - used in identity theft
How to prevent/stop social engineering techniques?
- policies and procedures - verification - visitor access - rules before assisting a customer - have multiple layers of defenses, including approvals and related safeguards - a healthy dose of knowledge
Defense against all cases of impersonation
- require employees to ask to see a person's ID before engaging - training and awareness - conduct training on a regular basis and tailor it to what is currently being experienced, rather than a generic recitation of best practices.
Influence campaigns are even more powerful when used in conjunction with.... to spread influence through influencer propagation which acts as an...
- social media - amplifying mechanism
Example of prepending
- stating that they were sent by the target's boss, or another authority figure, as a means to justify why the target should perform a specific action—typically one that, in the absence of the prepending, would not be normal.
Shoulder Surfing attackers may attempt to...
- to obtain information such as a personal identification number (PIN) at an automated teller machine (ATM) - an access control entry code at a secure gate or door, or a calling card or credit card number
Time can be manipulated to drive a sense of... and prompt shortcuts that can lead to opportunities for interjection into processes.
- urgency (Perception is the key)
Protection against Shoulder Surfers (two)
- use a privacy screen or filter to surround a keypad so that it is difficult to observe somebody as they enter information. - More sophisticated systems can actually scramble the location of the numbers so that the top row at one time includes the numbers 1, 2, and 3 and the next time includes 4, 8, and 0.
During a Phishing Attack, The attacker attempts to obtain information such as...
- usernames - passwords - credit card numbers - details about the users' bank accounts
Vishing
- uses voice communication technology to obtain the information the attacker is seeking
Examples of Reconnaissance: (to obtain information that goes into a description of the system that will be under attack)
- victim's Google searches, public record searches - surveying a company's org charts - calling and asking for people's contact information and building a personnel directory - asking questions about hardware and software via surveys, and reading press releases (known weaknesses against specific products can be employed and are easier to find if the attacker knows what products the company is using)
Social engineering is very successful for two general reasons
1. Basic desire of most people to be helpful (either directly in an attack or indirectly to build a bigger picture that an attacker can use to create an aura of authenticity during an attack) 2. Individuals normally seek to avoid confrontation and trouble (concepts of authority, intimidation, consensus, scarcity, familiarity, trust, and urgency)
Examples of Impersonation
- third parties - help desk operators - vendors - online sources.
Methods - Social Engineering
1. The sense of familiarity - making it seem as if you belong to the group 2. Creating a hostile situation - sympathy 3. Body language
Social Engineering
1. an attack against a user, and typically some form of social interaction 2. involves manipulating the very social nature of interpersonal relationships - preys on several characteristics we tend to desire
What is a way to combat attacks designed to get user's credentials?
Two-factor authorization
How to combat Hoaxes
Users should be trained to be suspicious of unusual e-mails and stories and should know who to contact in the organization to verify their validity if they are received. - "spread the word"
Third-Party Authorization
Using the name of a trusted third person, usually someone in authority, to add credibility to the social engineering attempt
During a vishing attack,... can also be compromised and used in these attempts.
Voice messaging (to establish a form of trust that can be exploited over the phone)
Invoice Scams
sending a fake invoice in an attempt to get a company to pay for things it has not ordered.
Phishing
An attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users
Whaling
an attack where the target is a high-value person, such as a CEO or CFO
Contractors/Outside Parties
an attacker can simply put on clothing that matches a contractor's uniform, show up to do the job at a slightly different time than it's usually done, and, if challenged, play on the sympathy of the workers by saying they are filling in for X or covering for Y.
The use of authority in social situations can lead to...
an environment where one party feels at risk in challenging another over an issue.
Social engineers will employ strategies aimed at...
exploiting people's own biases and beliefs in a manner to momentarily deny them the service of good judgment and the use of standard procedures.
The fake site will... (typosquatting)
collect credentials, pass them on to the real site, and then step out of the conversation to avoid detection once the credentials are obtained
The phishing target could be a... and access to the information found on it, or it could be personal information, generally financial, about an individual.
computer system
Spear phishing
created to refer to a phishing attack that targets a specific person or group of people with something in common
Intimidation
creates an air of authority around one's persona. (can be either subtle, through perceived power, or more direct, through the use of communications that build an expectation of superiority)
Credential Harvesting (highly successful)
involves the collection of credential information, such as user IDs, passwords, and so on, giving an attacker a series of access passes to the system
Vishing takes advantage of the... that some people place in the telephone network.
trust
Smishing attacks give a sense of...
urgency and intimidation in the message, which might use a warning
Identity fraud
use of fake credentials to achieve an end
Defense against identity fraud is...
use strong policies and procedures without exceptions
Typosquatting can also be used to do what?
used to plant drive-by malware on the victim machine. It can also redirect traffic through an affiliate network, earning click-through revenue based on the typos.
Eliciting Information
Calls to or from help desk and tech support units
Key Example of Identity Fraud
TSA security
Impersonation
The attacker assumes a role that is recognized by the person being attacked, and in assuming that role, the attacker uses the potential victim's biases against their better judgment to follow procedures.
Dumpster Diving
The process of going through a target's trash in hopes of finding valuable information that might be used in a penetration attempt (common place)
Another way of identifying the user, with a limited time window
Second-factor verification
Tailgating (or piggybacking)
The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
Hoax
can be very damaging if it causes users to take some sort of action that weakens security.
Phishing Attack
Attacker sends a bulk e-mail message (e.g., saying that a bank account was compromised) - victim visits a website (for "verification") - victim supplies sensitive info - attack
The tools in a social engineer's toolbox are based on...
a knowledge of psychology and don't necessarily require a sophisticated knowledge of software or hardware.
Reconnaissance (most accepted as inevitable)
a military term used to describe the actions of surveying a battlefield to gain information prior to hostilities. - used to plan where to attack by gaining an understanding of the victim: sometimes directly manipulating people to gain information, Google searches, public record searches
Since credential harvesting is so successful, what must financial firms do now?
supplement a normal user ID and password with a second-factor, out-of-band inquiry to prevent subsequent use of harvested credentials.
A defense against attackers who impersonate the use of authority is...
a strong set of policies that has no exceptions.
A pretext attack can occur in...
person, by email, over the phone, or virtually any other form of communication.
What is the common way for credential harvesting to start?
a phishing e-mail that convinces a user to click a link and, in response, brings up a replica of their bank's web page.
Whaling attacks are not performed by attacking multiple targets and rather are...
custom built to increase the odds of success (the group is limited, so an attacker cannot rely upon random returns from a wide population of targets)
The message that is sent often encourages the user to go to a website that appears to be for a... such as PayPal or eBay, both of which have frequently been used in phishing attempts.
reputable entity (masquerading)
Scarcity
implied short supply, or an implied future change in availability, can create a perception of scarcity, which produces fear
Users are unaware that attackers can... using Voice over IP (VoIP) technology
spoof (simulate) calls from legitimate entities