Chapter 13: Social Engineering

Social Engineering Definition
Social engineering is an attack against a user, and typically involves some form of social interaction. The weakness that is being exploited in the attack is not necessarily one of technical knowledge, or even security awareness. Social engineering at its heart involves manipulating the very social nature of interpersonal relationships.
The best defense against social engineering?
The best defense against social engineering attacks is a comprehensive training and awareness program that covers social engineering. The training should emphasize the value of being helpful and working as a team, but in an environment where verifying trust is a routine ritual that carries no social stigma.
Two types of ruses
1) Familiarity
2) Avoiding hostility
For the exam, be familiar with all of the various social engineering attacks and the associated effectiveness of each attack.
Shoulder Surfing
Shoulder surfing does not necessarily involve direct contact with the target but instead involves the attacker directly observing the individual entering sensitive information on a form, keypad, or keyboard. The attacker may simply look over the shoulder of the user at work or may set up a camera or use binoculars to view the user entering sensitive data.
Dumpster Diving
The process of going through a target’s trash in hopes of finding valuable information that might be used in a penetration attempt is known in the security community as dumpster diving.
– Through dumpster diving, an attacker might gather a variety of information that can be useful in a social engineering attack. In most locations, trash is no longer considered private property after it has been discarded.
– An organization should have policies about discarding materials. Sensitive information should be shredded and trash should be secured.
Tailgating/Piggybacking
– Tailgating or piggybacking is the simple tactic of following closely behind a person who has just used their own access card or PIN to gain physical access to a room or building.
– How to counter? This can be countered with good security practices and mantraps.
Impersonation: Third-Party Authorization
– Using previously obtained information about a project, deadlines, bosses, and so on, the attacker 1) arrives with something the victim is quasi-expecting or would see as normal, 2) uses the guise of a project in trouble or some other situation where the attacker will be viewed as helpful or as one not to upset, and 3) name-drops “Mr. Big,” who happens to be out of the office and unreachable at the moment, avoiding the reference check. The attacker seldom asks for anything that on the face of it seems unreasonable, or is unlikely to be shared based on the circumstances.
Impersonation: Help Desk/Tech Support
– Calls to or from help desk and tech support units can be used to elicit information. Posing as an employee, an attacker can get a password reset, information about some system, or other useful information. This works in both directions: the attacker may pose as an employee calling the help desk, or as help desk staff calling an employee.
Impersonation: Contractors/Outside Parties
Impersonation: Defenses
– In all the cases of impersonation, the best defense is simple – have processes in place that require employees to ask to see a person’s ID before engaging with them if the employees do not personally know them. That includes challenging people such as delivery drivers and contract workers. Don’t let people in through the door (piggybacking) without checking their ID.
Social Engineering Principles
Two reasons it is successful:
1) The basic desire of most people to be helpful.
2) Individuals normally seek to avoid confrontation and trouble. Ex: if an attacker intimidates the target by threatening to call his supervisor because of a lack of help, the target may give in and provide the information to avoid confrontation.
The principles:
1) Authority
2) Intimidation
3) Consensus/Social proof
4) Scarcity
5) Urgency
6) Familiarity/liking
7) Trust