1.1 - Social Engineering Flashcards

1
Q

Define Phishing.

A

A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.

2
Q

Define Typosquatting.

A

A social engineering attack in which the attacker registers domains that are common misspellings or near variants of a legitimate domain (a dropped or transposed letter, a look-alike character, a different top-level domain) so that users who mistype a URL directly into the browser's address bar, rather than reaching the site through a search engine or bookmark, land on an attacker-controlled site.

3
Q

Define Pretexting.

A

The social engineer invents a story (the pretext) before making contact and then plays a character inside a situation they have created, for example a help-desk technician, auditor, or delivery driver. In short: lying to obtain information or access.

4
Q

Define Prepending.

A

Adding a character to the beginning of a URL (so the link resembles, but is not, the legitimate site) or adding a trustworthy-looking value to the beginning of an email subject or body, such as “RE:” or “MAILSAFE:PASSED”, so the message appears to be part of an existing conversation or to have already passed a security check.
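Cards 2 and 4 describe the same trick from the registrant's and the victim's side: a hostname that is one keystroke or one prepended letter away from the real one. The following added example (not part of the original flashcards) generates the candidate lookalikes for a protected domain and classifies an observed hostname against them; the keyboard-adjacency table, the homoglyph map, and the function names `typosquat_candidates` and `classify_hostname` are assumptions chosen for the demo.

```python
import string

# Partial QWERTY adjacency for "fat finger" substitutions (assumption: enough for the demo).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Characters that look alike at a glance (assumption: a small illustrative map).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "s": "5"}
COMMON_SUFFIXES = ("com", "net", "org", "co")


def typosquat_candidates(domain: str) -> set:
    """Return plausible typo/lookalike registrations for a registrable domain such as 'example.com'."""
    label, _, suffix = domain.lower().partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                  # omission:      exmple
        variants.add(label[:i + 1] + label[i] + label[i + 1:])   # doubled char:  exaample
        for n in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            variants.add(label[:i] + n + label[i + 1:])          # adjacent key:  exsmple
        if label[i] in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])  # homoglyph: examp1e
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])   # transposition: examlpe
    for ch in string.ascii_lowercase:
        variants.add(ch + label)                                 # prepended letter (card 4): wexample
    variants.discard(label)
    variants.discard("")
    out = {v + "." + suffix for v in variants}
    out.update(label + "." + s for s in COMMON_SUFFIXES if s != suffix)   # suffix swap: example.net
    return out


def classify_hostname(host: str, protected: list) -> str:
    """'legitimate' if host is (under) a protected domain, 'lookalike of X' if it is a
    generated typo of X, otherwise 'unknown'."""
    host = host.lower().rstrip(".")
    for legit in protected:
        if host == legit or host.endswith("." + legit):
            return "legitimate"
    for legit in protected:
        if host in typosquat_candidates(legit):
            return "lookalike of " + legit
    return "unknown"


if __name__ == "__main__":
    for h in ("login.example.com", "examlpe.com", "wexample.com", "examp1e.com", "example.net"):
        print(h, "->", classify_hostname(h, ["example.com"]))
```

The same generator is what defensive registrations and proxy blocklists are built from: register or block the output of `typosquat_candidates` for your own brand before an attacker does, and alert on any of them appearing in outbound DNS or proxy logs.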

5
Q

Define Pharming.

A

Redirecting traffic intended for a legitimate website to a bogus site under the attacker's control. It can be caused by a poisoned DNS server or cache, a modified hosts file on the client, or exploitation of client vulnerabilities. Unlike phishing, the victim typed the correct address.
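Two cheap checks catch the client-side and resolver-side forms of pharming described above. The following added example (not part of the original flashcards) parses a hosts file for entries that pin a protected domain, which bypasses DNS entirely, and compares the answers several resolvers gave for the same name, flagging any resolver whose answer shares no address with the majority. The hosts-file text, the resolver answer sets, and the names `find_overrides` and `resolver_disagreements` are constructed for the demo.

```python
import ipaddress

# Constructed hosts-file content (assumption: stands in for /etc/hosts or the Windows hosts file).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
# added by "update", actually a pharming override
198.51.100.23  www.bank.example bank.example
10.0.0.5    intranet.corp.test
"""


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a real tool would log the malformed line
        for name in parts[1:]:
            yield str(ip), name.lower()


def find_overrides(hosts_text: str, protected) -> list:
    """Return (hostname, ip) for every hosts entry that pins a protected domain or a subdomain of it.
    Any such entry wins over DNS, so legitimate software almost never needs one for a bank."""
    protected = {p.lower() for p in protected}
    return [
        (name, ip)
        for ip, name in parse_hosts(hosts_text)
        if name in protected or any(name.endswith("." + p) for p in protected)
    ]


# Constructed answers from independent resolvers (assumption: collected out of band).
RESOLVER_ANSWERS = {
    "www.bank.example": {
        "corporate-resolver": {"203.0.113.40"},
        "public-resolver": {"203.0.113.40", "203.0.113.41"},
        "branch-office": {"198.51.100.23"},
    },
}


def resolver_disagreements(answers: dict) -> dict:
    """For each name, list resolvers whose answer set shares no address with the majority answer.
    A single outlier resolver is the classic signature of a poisoned cache."""
    report = {}
    for name, per_resolver in answers.items():
        counts = {}
        for ips in per_resolver.values():
            for ip in ips:
                counts[ip] = counts.get(ip, 0) + 1
        majority = {ip for ip, c in counts.items() if c > len(per_resolver) / 2}
        outliers = [r for r, ips in per_resolver.items() if not ips & majority]
        if outliers:
            report[name] = outliers
    return report


if __name__ == "__main__":
    print("hosts overrides:", find_overrides(SAMPLE_HOSTS, ["bank.example"]))
    print("resolver outliers:", resolver_disagreements(RESOLVER_ANSWERS))
```

Neither check proves an attack on its own (a split-horizon DNS setup legitimately answers differently inside and outside), so treat a hit as a prompt to compare the returned address against the site's known ranges and certificate.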

6
Q

Define Vishing.

A

Phishing done over the phone (voice phishing). Caller ID spoofing is common, so the displayed number cannot be trusted.

7
Q

Define Smishing.

A

Phishing done by SMS. Messages often contain links or ask for personal information, and the sender number can be spoofed to look official.

8
Q

How might a social engineer prepare to Phish?

A

Reconnaissance: gathering information on the victim.
  1. Background information from
    Lead generation sites
    Social media
    The corporate website
  2. The attacker builds a believable pretext from
    Where you work
    Where you bank
    Recent financial transactions
    Family and friends

9
Q

Define Spear phishing.

A

Targeted phishing that uses inside information tied to a specific individual or organization, such as a real project, colleague, or recent transaction, to make the message convincing.

10
Q

Define Whaling.

A

Targeted (spear) phishing where the possible catch is large. It focuses on high-level executives or people whose position gives them high-level information, credentials, or access to resources such as payment systems.

11
Q

Define Dumpster Diving.

A

The act of going through an individual or organization’s garbage in order to gather valuable information.

12
Q

Is dumpster diving legal in the U.S.?

A

Generally yes. In California v. Greenwood (1988) the U.S. Supreme Court held that garbage left for collection in a public place has no reasonable expectation of privacy. It is not legal on private property, behind a fence, or past a no-trespassing sign, and local ordinances may restrict it further.

13
Q

Give three ways that you can protect information that could be obtained while someone is dumpster diving.

A
  1. Secure your garbage (i.e. fence and a lock)
  2. Destroy vital documents (shred or burn)
  3. Check what is in the trash
14
Q

Define Shoulder Surfing.

A

Trying to get vital information from someone’s screen by either standing over their shoulder or viewing it from afar.

15
Q

What are two ways to prevent data loss from shoulder surfing?

A
  1. Control your input (be aware of who is around you; position screens away from windows and walkways)
  2. Use privacy filters (screen filters that narrow the viewing angle)
16
Q

Define Hoax.

A

A threat that seems real but does not actually exist, such as a warning about a non-existent virus. Responding to it often consumes a lot of time and resources, and some hoaxes are an attempt to take money.

17
Q

What are 4 ways to prevent hoaxes from doing damage?

A
  1. Believe no one by default; treat unsolicited warnings with suspicion
  2. Cross-reference with a reputable source
  3. Spam filters
  4. Be suspicious of anything that sounds too good to be true
18
Q

Define Watering Hole Attack.

A

An attack that infects a third-party website that is frequented by certain organization(s) in an attempt to spread the infection from the third-party to the intended target.

19
Q

What are ways to protect against watering hole attacks?

A
  1. Maintain a layered defense
  2. Firewalls and IPS
  3. Anti-virus/ Anti-malware signature updates
20
Q

What is SPIM?

A

Spam over Instant Messaging

21
Q

Define Spam.

A

Unsolicited messages in various mediums sent out to many people. Can be for advertising, proselytizing, and phishing attempts.

22
Q

What are ways to identify and defend against Spam?

A
  1. Allowed list
    Only receive email from trusted senders
  2. SMTP standards checking
    Block anything that doesn’t follow the RFC standards (e.g. a HELO/EHLO
    that is not a fully qualified hostname, or a malformed sender address)
  3. rDNS - Reverse DNS
    Block email where the reverse DNS name of the sending IP address doesn’t
    match the sender’s domain (forward-confirmed reverse DNS)
  4. Tarpitting
    Intentionally slow down the server conversation so spammers waste
    time and move on
  5. Recipient filtering
    Block all email not addressed to a valid recipient
    email address
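The five controls above are usually chained in one policy that runs as each SMTP transaction arrives. The following added example (not part of the original flashcards) implements them over a constructed envelope, plus the “RE:” prepending check from card 4 as an extra heuristic: an allowed-list hit short-circuits everything, otherwise recipient filtering, HELO/address syntax, forward-confirmed reverse DNS and the subject check each add a rejection reason, and repeated rejections from one client IP earn an exponentially growing tarpit delay. The PTR and A tables, the `Envelope`/`Policy` classes and the function `evaluate` are assumptions standing in for real DNS lookups and a real MTA hook.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed PTR and A records standing in for real DNS lookups (assumption).
PTR_RECORDS = {"203.0.113.10": "mail.example.org", "198.51.100.7": "dsl-7.isp.example"}
A_RECORDS = {"mail.example.org": "203.0.113.10", "dsl-7.isp.example": "198.51.100.99"}

ADDR_RE = re.compile(r"^[^@\s<>]+@([a-z0-9.-]+\.[a-z]{2,})$", re.IGNORECASE)


@dataclass
class Envelope:
    client_ip: str
    helo: str
    mail_from: str
    rcpt_to: str
    subject: str = ""
    in_reply_to: Optional[str] = None


@dataclass
class Policy:
    allowed_senders: set
    local_recipients: set
    tarpit_base_seconds: float = 1.0
    max_tarpit_seconds: float = 60.0
    strikes: dict = field(default_factory=dict)  # client IP -> rejected attempts so far


def rdns_matches(ip: str, sender_domain: str) -> bool:
    """Forward-confirmed reverse DNS: PTR must exist, its A record must point back at the IP,
    and the PTR name must sit under the domain the sender claims."""
    name = PTR_RECORDS.get(ip)
    if name is None or A_RECORDS.get(name) != ip:
        return False
    return name == sender_domain or name.endswith("." + sender_domain)


def evaluate(env: Envelope, policy: Policy):
    """Return (decision, reasons, tarpit_delay_seconds) for one SMTP transaction."""
    if env.mail_from.lower() in policy.allowed_senders:
        return "accept", ["allowed list"], 0.0  # trusted sender, skip the remaining checks
    reasons = []
    if env.rcpt_to.lower() not in policy.local_recipients:
        reasons.append("recipient filtering: no such mailbox")
    if "." not in env.helo or any(c.isspace() for c in env.helo):
        reasons.append("SMTP standards: HELO/EHLO is not a fully qualified hostname")
    m = ADDR_RE.match(env.mail_from)
    if not m:
        reasons.append("SMTP standards: malformed MAIL FROM address")
    elif not rdns_matches(env.client_ip, m.group(1).lower()):
        reasons.append("rDNS: client IP does not resolve back to the sender's domain")
    # Heuristic for card 4: a reply marker on a message that references no earlier message.
    if re.match(r"^(re|fw|fwd)\s*:", env.subject, re.IGNORECASE) and not env.in_reply_to:
        reasons.append("prepended RE:/FW: on a message that is not a reply")
    if not reasons:
        return "accept", [], 0.0
    strikes = policy.strikes.get(env.client_ip, 0) + 1
    policy.strikes[env.client_ip] = strikes
    delay = min(policy.tarpit_base_seconds * 2 ** (strikes - 1), policy.max_tarpit_seconds)
    return "reject", reasons, delay


if __name__ == "__main__":
    policy = Policy({"alice@example.org"}, {"bob@corp.test"})
    spam = Envelope("198.51.100.7", "localhost", "promo@bigwin.example",
                    "nobody@corp.test", subject="RE: your prize")
    for _ in range(3):
        print(evaluate(spam, policy))
```

The tarpit delay is returned rather than slept so the decision logic stays testable; the MTA hook that calls `evaluate` would sleep for that many seconds before sending its 5xx reply.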
23
Q

Define Influence Campaign.

A

An attempt to sway public opinion on political and social issues through social media and fake accounts. Can be directed by nation-state actors and be a part of hybrid warfare (cyberwarfare).

24
Q

Define Tailgating.

A

Using an authorized person to gain unauthorized access to a building by following them through a controlled door. The attacker may follow a regular employee in, especially if the door is held open for them; hang out in the smoking area; carry food or boxes so their hands are full; pose as a third-party vendor; or blend in with matching clothing.

25
Q

What are 4 ways to prevent tailgating?

A
  1. Have a policy for visitors
  2. One scan per person (no piggybacking through a badged door)
  3. Access control vestibule / airlock (mantrap)
  4. Security-conscious campus (have people ask
    strangers for identification)
26
Q

Define Social Engineering.

A

Using some form of manipulation to trick employees, end users, etc. into giving up vital information (credentials, accounts, etc.). It can involve many people or organizations. Can be in person or electronically.

27
Q

Give 7 ways that social engineers trick people.

A
  1. Authority
    Act as if they are in authority over you
  2. Intimidation
    There will be bad things if you don’t help
  3. Consensus / Social proof
    Convince by claiming others have already done the same thing
  4. Scarcity
    The situation will not be this way for long
  5. Urgency
    Act quickly, don’t think
  6. Familiarity / Liking
    Someone you know
  7. Trust
    Someone who is safe (can be IT)