ch4 Flashcards

(20 cards)

1
Q

Social engineering

A

is the process of an unauthorized individual
convincing an authorized individual to provide them with confidential
information or access to something that they shouldn’t have.

2
Q

Social engineering is very successful for two general reasons:

A

1- The basic desire of most people to be helpful.
2- Individuals normally seek to avoid confrontation and trouble.

3
Q

Principles (Reasons for Social Engineering Effectiveness)

A
  • Authority: The use of authority in social situations can lead to an environment
    where one party feels at risk in challenging another over an issue.
  • Intimidation: can be either subtle, through perceived power, or more direct,
    through the use of communications that build an expectation of superiority.
  • Consensus: People tend to go along with what the group appears to have already
    decided or done (social proof); an attacker claims "everyone else has already
    done this."
  • Scarcity: If something is in short supply and is valued, then the person who
    arrives with what is needed gains rewards and acceptance; an attacker offers
    the scarce item to get in the door.
  • Familiarity: People do things for people they like or feel connected to.
  • Trust: having an understanding of how something will act under specific
    conditions; an attacker earns trust by behaving exactly as the target expects.
  • Urgency: Time can be manipulated to drive a sense of urgency and prompt
    shortcuts, which creates openings for the attacker to insert themselves into
    a process.
4
Q

The best defense is simple:

A
  • Have processes in place that require employees to ask to see a
    person’s ID before engaging with them if the employees do not
    personally know them.
  • Periodic training and awareness do work, as proven by trends such as
    the diminished effectiveness of pop-up windows.
5
Q

Social Engineering Attacks

A
  • Impersonation
  • Phishing
  • Smishing
  • Vishing
  • Spam
  • Spam over Internet
    Messaging (SPIM)
  • Spear Phishing
  • Whaling
  • Pharming
  • Dumpster Diving
  • Shoulder Surfing
  • Tailgating/
    Piggybacking
  • Eliciting Information
  • Prepending
  • Identity Fraud
  • Invoice Scam
  • Credential Harvesting
  • Reverse Social
    Engineering
  • Reconnaissance
  • Hoax
  • Watering Hole Attack
  • Typo Squatting
  • Influence Campaigns
6
Q

Impersonation

A
  • It can occur in person, over a phone, or online.
  • Impersonation can take a variety of forms—third parties, help desk
    operators, vendors, and even online sources.
7
Q

Phishing

A

An attack in which the attacker attempts to obtain sensitive information from users by masquerading as a trusted entity in an e-mail or instant message sent to a large group of often random users.
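The phishing and typo-squatting cards describe the lures (a trusted-looking sender, a link that claims one site and goes to another, an urgent deadline) but not how to spot them. The following is an added example, not code from the original flashcards: it scans a constructed sample e-mail for a look-alike sender domain, an anchor whose visible text names a different host than its href, a typo-squatted link target, and urgency phrasing. The trusted-domain list, the sample message, the urgency phrase list and the two-edit threshold are all assumptions made up for the example; real code should resolve registered domains with a public-suffix list rather than by taking the last two labels.

```python
"""Added example: flag phishing indicators in a constructed e-mail (not from the page)."""
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation really uses (assumption).
TRUSTED_DOMAINS = {"example.com", "login.example.com", "bank-example.com"}

# Constructed urgency phrases (assumption); ties to the "urgency" principle.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be locked")

# Constructed sample phishing message; the addresses and hosts are not real.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@examp1e.com>
Subject: Urgent: your account will be locked in 24 hours

Your password expires today. Sign in now at
<a href="http://login.exampIe.com/reset">https://login.example.com/reset</a>
to keep access. Failure to act will result in account suspension.
"""


def registered_domain(host: str) -> str:
    """Return the last two labels ('login.example.com' -> 'example.com').

    Simplification for this example; real code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2):
    """Return the trusted domain that `host` imitates, or None if it is
    genuinely trusted or simply unrelated."""
    dom = registered_domain(host)
    trusted_regs = {registered_domain(t) for t in trusted}
    if dom in trusted_regs:
        return None
    for tdom in sorted(trusted_regs):
        if 0 < edit_distance(dom, tdom) <= max_edits:
            return tdom
    return None


def find_phishing_indicators(message: str) -> list:
    """Return (indicator, detail) tuples found in the message text."""
    findings = []
    # 1. Sender whose domain is a near-miss of a trusted domain.
    m = re.search(r"^From:.*?<[^@>]+@([^>]+)>", message, re.M)
    if m:
        target = lookalike_of(m.group(1))
        if target:
            findings.append(("lookalike-sender", f"{m.group(1)} resembles {target}"))
    # 2. Anchors whose visible text names a different host than the href,
    #    and hrefs that point at a typo-squatted domain.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', message):
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(("href-mismatch",
                             f"text shows {text_host}, link goes to {href_host}"))
        target = lookalike_of(href_host)
        if target:
            findings.append(("lookalike-link", f"{href_host} resembles {target}"))
    # 3. Pressure language that pushes the reader to skip verification.
    lowered = message.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(("urgency", phrase))
    return findings


if __name__ == "__main__":
    for kind, detail in find_phishing_indicators(SAMPLE_EMAIL):
        print(f"{kind:17} {detail}")
```

Note the homoglyph in the sample link: `exampIe.com` uses a capital I in place of the lowercase l, which is what the edit-distance check catches after hostname lowercasing; a glyph-level check (e.g. for Cyrillic look-alikes in IDN hosts) would be a natural extension.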

8
Q

Smishing

A

A version of a phishing attack using Short Message Service (SMS) text messages on victims' cell phones.

9
Q

Vishing

A

A variation of phishing that uses voice communication technology (a phone call or voice message) to obtain the information the attacker is seeking.

10
Q

Dumpster Diving

A

The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known as dumpster diving.

11
Q

Shoulder Surfing

A

The attacker directly observes the individual entering sensitive information on a form, keypad, or keyboard.

12
Q

To avoid shoulder surfing:

A
  • Use a privacy screen or filter to surround a keypad.
  • More sophisticated systems scramble the location of the numbers on the keypad
    for each entry, so an observer who sees only the hand movements cannot recover
    the digits.
  • Be aware of surroundings.
  • Do not allow individuals to get into a position from which they can observe
    what the user is entering.
13
Q

Tailgating/Piggybacking

A

The simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a
room or building.

14
Q

Piggybacking can be easily countered by:

A
  • Training employees to use simple procedures to ensure nobody follows them too
    closely.
  • A more sophisticated countermeasure to piggybacking is a mantrap (also called
    an access control vestibule), which utilizes two doors to gain access to the
    facility. The second door does not open until the first one is closed, and the
    doors are closely spaced so that an enclosure is formed that only allows one
    individual through at a time.
15
Q

Eliciting Information

A

Calls to or from help desk and tech support units can be used to elicit
information.

16
Q

Reverse Social Engineering

A

The attacker hopes to convince the target to initiate the contact, so that the target never questions the attacker's legitimacy.

17
Q

Hoax

A

A hoax can be very damaging if it causes users to take some sort of action that weakens security.

18
Q

Poor Security Practices

A

Poor security practices include:
* Poor password selection.
* Using the same PIN for all different accounts (exploited by shoulder surfing).
* People are often in a hurry and will frequently not follow good physical security
practices and procedures (exploited by piggybacking).
* Throwing useful information in unsecured trash receptacles (exploited by dumpster diving).
* Installing unauthorized hardware and software.
* Allowing physical access by non-employees.
* Leaving sensitive information unsecured in the work area when the worker is not
present to act as custodian.

19
Q

People as a Security Tool

A

1. Organizations should create the policies and procedures that establish
the roles and responsibilities for all users.
2. Users should always be on the watch for attempts by individuals to gain
information about the organization and should report suspicious activity
to their employer.
3. Organizations should provide an active security awareness program
(initial employee training on social engineering at the time a person is
hired is important, as well as periodic refresher training).
4. Organizations should provide security training on social engineering and
desired employee security habits.

20
Q

Security Awareness

A
  • Probably the single most effective method to counter potential social engineering attacks, after establishment of the
    organization’s security goals and policies, is an active security awareness program.
  • The extent of the training will vary depending on the organization’s environment and the level of threat, but initial
    employee training on social engineering at the time a person is hired is important, as well as periodic refresher training.
  • An important element that should be stressed in training about social engineering is the type of information that the
    organization considers sensitive and may be the target of a social engineering attack.
  • There are undoubtedly signs that the organization could point to as indicative of an attacker attempting to gain access to
    sensitive corporate information.
  • All employees should be aware of these indicators. The scope of information that an attacker may ask for is very large, and many
    questions attackers pose might also be legitimate in another context (asking for someone’s phone number, for example).
    Employees should be taught to be cautious about revealing personal information and should especially be alert for questions
    regarding account information, personally identifiable information, and passwords.
  • As a final note on user responsibilities, corporate security officers must cultivate an environment of trust in their office,
    as well as an understanding of the importance of security.
  • If users feel that security personnel are only there to make their life difficult or to dredge up information that will result
    in an employee’s termination, the atmosphere will quickly turn adversarial and be transformed into an “us-versus-them”
    situation.
  • Security personnel need the help of all users and should strive to cultivate a team environment in which users, when
    faced with a questionable situation, will not hesitate to call the security office. In situations like this, security offices
    should remember the old adage of “don’t shoot the messenger.”