CompTIA Security+ Section 1.1 Social Engineering


Principles

Authority, Intimidation, Consensus, Scarcity, Familiarity, Trust, Urgency

Hybrid warfare

Combining classical military strategy with modern capabilities, including digital influence campaigns, psychological warfare efforts, political tactics, and cyber warfare capabilities.

Pretext

a false statement crafted to sound believable to convince you to act or respond

Session hijacking (a.k.a. TCP/IP hijacking)

a form of attack in which the attacker takes over an existing communication session

Social engineering

a form of attack that exploits human nature and human behavior. The only direct defense against social engineering attacks is user education and awareness training

Business Email Compromise (BEC)

a form of spear phishing that is often focused on convincing members of accounting to transfer funds, pay invoices, or purchase products from a message that appears to originate from a boss, manager, or executive

Whaling

a form of spear phishing that targets specific high-value individuals, such as the CEO or other C-level executives, administrators, or high-net-worth clients. Often the goal of a whaling attack is to steal credentials from the high-level target or to use that target to steal funds or redirect resources to the benefit of the attacker.

Watering hole attack

a form of targeted attack against a region, a group, or an organization. The attacker observes the target's habits to discover a common resource that one or more members of the target frequent. This location is considered the watering hole. Malware is planted on the watering hole system. The target visits the poisoned watering hole, and they bring the infection back into the group or at least their system.

Clickjacking

a means to redirect a user's click or selection on a web page to an alternate, often malicious target instead of the intended and desired location.

Spear phishing

a more targeted form of phishing where the message is crafted and directed specifically to an individual or group of individuals.

Typosquatting

a practice that takes advantage of a user mistyping the domain name or IP address of an intended resource.

SMS phishing or smishing

a social engineering attack that occurs over or through standard text messaging services or apps

Scarcity

a technique used to convince someone that an object has a higher value based on the object's limited quantity.

Authority

an effective technique because most people are likely to respond to authority with obedience.

Spoofing

any action to hide a valid identity often by taking on the identity of something else.

Familiarity

attempts to exploit a person's native trust in that which is familiar. The attacker often tries to appear to have a common contact or relationship with the target, such as mutual friends or experiences, or uses a facade to take on the identity of another company or person.

Intimidation

can sometimes be seen as a derivative of the authority principle. Intimidation uses authority, confidence, or even the threat of harm to motivate someone to follow orders or instructions

Reconnaissance

collecting information about a target, often for the purposes of planning an attack against that target. Social engineering reconnaissance can include all of the previously mentioned techniques.

Hoax

designed to convince targets to perform an action that will cause harm or reduce their IT security. Victims may be instructed to delete files, change configuration settings, or install fraudulent security software. A hoax often presents a threat and then provides or suggests a response or solution, while claiming that taking no action will result in harm.

Social media

has become a weapon in the hands of nation-states as they wage elements of hybrid warfare against their targets. It is also used by anyone wanting to control information, distribute propaganda, or change public opinion. We cannot just assume that content we see on a social network is accurate, valid, or complete.

Trust

involves an attacker working to develop a relationship with a victim. This may take seconds or months, but eventually the attacker attempts to use the value of the victim's trust in the attacker to convince the victim to reveal information or perform an action that violates company security.

Spam

not just unwanted advertisements; it can also include malicious content and attack vectors.

Piggybacking

occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker by tricking the victim into providing consent.

Shoulder surfing

occurs when someone is able to watch a user's keyboard or view their display.

Invoice scams

often attempt to steal funds from an organization or individual through the presentation of a false invoice, often followed by strong inducements to pay.

Urgency

often dovetails with scarcity, because the need to act quickly increases as scarcity indicates a greater risk of missing out.

Vishing

phishing done over any telephony or voice communication system. This includes traditional phone lines, Voice-over-IP (VoIP) services, and mobile phones.

URL hijacking

refers to the practice of displaying a link or advertisement that looks like that of a well-known product, service, or site, but when clicked redirects the user to an alternate location, service, or product.

Influence campaigns

social engineering attacks that attempt to guide, adjust, or change public opinion, often waged by nation-states against their real or perceived foreign enemies

Dumpster diving

the act of digging through trash, discarded equipment, or abandoned locations to obtain information about a target organization or individual.

Identity theft

the act of stealing someone's identity. This can refer to the initial act of information gathering or elicitation where usernames, passwords, credit card numbers, Social Security numbers, and other related, relevant, and personal facts are obtained by the attacker.

Consensus

the act of taking advantage of a person's natural tendency to mimic what others are doing or are perceived as having done in the past. The attacker attempts to convince the victim that a particular action or response is preferred because it is consistent with social norms or previous occurrences.

Impersonation

the act of taking on the identity of someone else to use their access or authority. Impersonation can also be known as masquerading, spoofing, and even identity fraud.

Credential harvesting

the activity of collecting and stealing account credentials

Eliciting information

the activity of gathering or collecting information from systems or people.

Prepending

the adding of a term, expression, or phrase to the beginning or header of a communication. Often prepending is used to further refine or establish the pretext of a social engineering attack.

Doxing

the collection of information about an individual or an organization in order to disclose the collected data publicly for the purpose of changing the perception of the target.

Pharming

the malicious redirection of a valid website's URL or IP address to a fake website that hosts a false version of the original, valid site. This is often an element of a phishing attack, on-path attack, or Domain Name System (DNS) abuse.

Phishing

the process of attempting to obtain sensitive information in electronic communications.

Spam over instant messaging (SPIM)

the transmission of unwanted communications over any messaging system that is supported by or occurs over the Internet.

Tailgating

when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. An attacker may be able to sneak in behind a valid worker before the door closes.

Identity fraud

when you falsely claim to be someone else through the use of stolen information from the victim.
