9.1 Understand social engineering

Exam Focus: Understand social engineering. Objective includes:

·  Understand social engineering.

·  Understand human weakness.

Social engineering

Social engineering is the art of persuading people to disclose useful information, such as account names and passwords. Attackers then use that information to gain access to the victim's computer or network. Social engineering relies on manipulating people rather than on technical skill. Users should be wary of anyone who asks for their account name, password, computer name, IP address, employee ID, or any other information that could be misused.
Attackers also run social engineering attacks against office workers to extract sensitive data such as security policies, confidential documents, details of the office network infrastructure, and passwords. The attacker poses as a legitimate employee and collects information from the company's staff; the victim hands over the information believing the attacker to be a colleague.
Social engineering is effective for the following reasons:

·  Security is only as strong as its weakest link, and humans are the most susceptible link.

·  Social engineering attempts are difficult to detect.

·  No method guarantees complete protection from social engineering attacks.

·  No specific software or hardware product defends against a social engineering attack.

One recurring lure entices users to download an application that supposedly lets them read other people's SMS messages online. The downloaded file circulates under several names, including sms.exe, freetrial.exe, and smstrap.exe.

Common targets of social engineering

The following are common targets of social engineering:

·  Receptionists and help desk personnel

·  Technical support executives

·  System administrators

·  Vendors of the target organization

·  Users and clients

Behaviors that are vulnerable to attacks

Every social engineering attack exploits the human tendency to trust. Organizations become easy targets when they ignore social engineering and its effect on the workforce. Social engineers may threaten severe consequences if a request is not met, promise something for nothing to lure targets into revealing information, or appeal to the target's sense of moral obligation to help.

Phases in a social engineering attack

The following are phases in a social engineering attack:

·  Researching the target company

·  Selecting victims, for example by identifying frustrated employees of the target company

·  Developing a relationship with the selected employees

·  Exploiting the relationship to collect sensitive account information, financial information, and details of the technologies in use

Factors that make companies vulnerable to attacks

The following factors make companies vulnerable to attacks:

·  Insufficient security training

·  Easy access to information

·  Multiple organizational units, so staff cannot know every colleague personally

·  Lack of security policies

Warning signs of an attack

The following are warning signs of an attack:

·  Showing haste and name-dropping

·  Unusual complimenting or praising

·  Showing discomfort when questioned

·  Claiming authority and threatening if information is not provided

·  Making informal requests

·  Being unable to give a valid callback number

Attack vectors

Social engineering attacks are delivered through the following vectors:

·  Online: Internet connectivity lets attackers approach employees from an anonymous Internet source, pose as a trusted user, and convince them to hand over information.

·  Telephone: Attackers call and request information, usually impersonating a legitimate user, to gain access to the telephone system or remote access to computer systems.

·  Personal approaches: Attackers ask for the information face to face.

Impacts of social engineering on an organization

The following are the impacts of social engineering on an organization:

·  Economic losses

·  Dangers of terrorism

·  Lawsuits and arbitrations

·  Temporary or permanent closure

·  Damage to goodwill

Social engineering on Facebook

Attackers create a fake Facebook group identified as "Employees of" the target company, then use a false identity to send friend requests or invite employees to join the group. Users often join and share personal information. With those employee details in hand, attackers can go on to compromise a secured facility, for example by talking their way into the building.

9.2 Identify the different types of social engineering

Exam Focus: Identify the different types of social engineering. Objective includes:

·  Identify the different types of social engineering.

·  Learn warning signs of an attack.

Types of social engineering

The following are the types of social engineering:

·  Human-based: In human-based social engineering, sensitive information is gathered through human interaction. Attacks in this category exploit trust, fear, and the helpful nature of people.

·  Computer-based: Computers are used to perform social engineering.

Computer-based social engineering

Computer-based social engineering can be categorized in the following manner:

·  Mail/IM attachments: The attacker can send malicious attachments to an innocent victim via mail/IM.

·  Pop-up windows: Pop-up windows simulate an urgent condition on the user's computer and request sensitive information to restore it to normal. Pop-ups trick users into clicking a hyperlink that redirects them to fake Web pages, which download malicious programs such as keyloggers, Trojans, and spyware, or ask for personal information.

·  Spam mail: Spam mail can carry fraudulent billing information and make payment requests or ask for other information.

·  Web sites: Fake Web sites impersonating financial institutions can request confidential information, such as passwords or Social Security numbers.

·  Chain letters: Chain letters are emails that urge the recipient to forward them to other people. Forwarding chain letters wastes network bandwidth and the user's time.

·  Hoax letters: Hoax letters are emails warning users about new viruses, Trojans, or worms that supposedly threaten their systems.

·  Instant chat messenger: The attacker chats with a selected online user to gather personal information.
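As an added example (not part of the original study material), the Python script below triages a constructed e-mail for the computer-based lures listed above: it flags attachments with executable or double extensions, including the sms.exe, freetrial.exe and smstrap.exe lure names mentioned earlier in this chapter, and flags hyperlinks whose visible text names a different host than the real link target, which is how pop-up and phishing redirects work. The sample message, the .invalid host names, and the extension list are assumptions made for illustration, not data from the page.

```python
"""Triage an inbound e-mail for the computer-based social engineering lures
described above.  Added example: the message below is constructed, and the
extension and lure-name lists are assumptions, not page data."""
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows runs directly (assumed list; extend for your estate).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "lnk"}
# File names of the "read other people's SMS" lure named on this page.
LURE_NAMES = {"sms.exe", "freetrial.exe", "smstrap.exe"}


class _AnchorParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, tolerating 'www.example.invalid/...' without a scheme."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_attachment(filename):
    """Return the reasons an attachment file name is suspicious ([] if none)."""
    name = filename.lower()
    parts = name.split(".")
    reasons = []
    if name in LURE_NAMES:
        reasons.append("known lure name")
    if parts[-1] in EXEC_EXTS:
        reasons.append("executable extension")
        if len(parts) > 2:  # e.g. invoice.pdf.exe hides the real type
            reasons.append("double extension")
    return reasons


def check_links(html):
    """Return (shown_url, real_href) for anchors whose text names another host."""
    parser = _AnchorParser()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        # Only URL-looking display text can contradict its target; a plain
        # "Click here" gives the reader nothing to compare against.
        if re.match(r"^(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            mismatches.append((text, href))
    return mismatches


def triage(msg):
    """Run both checks over an email.message.EmailMessage."""
    result = {"attachments": {}, "links": []}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = check_attachment(name)
        if reasons:
            result["attachments"][name] = reasons
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        result["links"] = check_links(body.get_content())
    return result


def sample_message():
    """A constructed lure, not a real capture."""
    html = (
        "<p>Your free trial is ready. Sign in at "
        '<a href="http://sms-trap.invalid/login">http://www.example-bank.invalid/login</a></p>'
        '<p>Help: <a href="http://www.example-bank.invalid/help">http://www.example-bank.invalid/help</a></p>'
        '<p><a href="http://sms-trap.invalid/start">Start now</a></p>'
    )
    msg = EmailMessage()
    msg["From"] = "support@example-bank.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Read your friends' SMS messages online - free trial"
    msg.set_content("Your free trial is ready.")
    msg.add_alternative(html, subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="freetrial.exe")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="statement.pdf")
    return msg


if __name__ == "__main__":
    for key, value in triage(sample_message()).items():
        print(key, value)
```

The third link ("Start now") is deliberately not flagged: when the visible text is not a URL the user has nothing to compare, so this check needs to be paired with a reputation or domain-age lookup on the real href. Name-based attachment checks are likewise only a first filter; a gateway should also inspect the file's magic bytes, since the lure files on this page are plain executables whatever they are called.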

Pretexting

Pretexting involves creating and using an invented scenario (the pretext) to engage a targeted victim in a way that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. It is more than a simple lie because it usually involves prior research or setup and uses a priori information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.
This technique can be used to fool a business into disclosing customer information, and is used by private investigators to obtain telephone records, utility records, banking records, and other information directly from junior customer service representatives. The information obtained can then be used to establish even greater legitimacy under tougher questioning by a manager, e.g., to make account changes or obtain specific balances.
Pretexting can also be used to impersonate co-workers, police, bank staff, tax authorities, insurance investigators, or any other individual who could have perceived authority or a right to know in the mind of the targeted victim. The pretexter simply prepares answers to the questions the victim might ask. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and the ability to think on one's feet.

Diversion theft

Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London. In summary, diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere hence, "round the corner". With a load/consignment redirected, the thieves persuade the driver to unload the consignment near to, or away from, the consignee's address, in the pretense that it is "going straight out" or "urgently required somewhere else". The "con" or deception has many different facets, which include social engineering techniques to persuade legitimate administrative or traffic personnel of a transport or courier company to issue instructions to the driver to redirect the consignment or load. The social engineering skills of these thieves are well rehearsed, and are extremely effective. Most companies do not prepare their staff for this type of deception.

Baiting

Baiting is the real-world Trojan horse: it uses physical media and relies on the curiosity or greed of the victim. The attacker leaves a malware-infected floppy disk, CD-ROM, or USB flash drive in a location where it is sure to be found (bathroom, elevator, sidewalk, parking lot), gives it a legitimate-looking and curiosity-piquing label, and simply waits for the victim to use it. Merely inserting the media into a computer to see its contents installs the malware, likely giving the attacker unfettered access to the victim's PC and perhaps to the targeted company's internal network. Unless computer controls block the infection, PCs set to "auto-run" inserted media are compromised as soon as the rogue disk is inserted.
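As an added example, not taken from the study guide, the Python below parses an autorun.inf, the INI-format file Windows AutoRun reads from inserted media (an [autorun] section with open=, shellexecute=, icon=, action= and label= keys), and reports what would happen if AutoRun honored it, which is exactly the behaviour a baited CD or USB stick counts on. The two sample files are constructed for the example; the executable-extension list and the shell32.dll icon heuristic are assumptions.

```python
"""Report what Windows AutoRun/AutoPlay would do with an autorun.inf found on
baiting media.  Added example: the sample files are constructed, and the
extension list and icon heuristic are assumptions."""
import configparser
from pathlib import PureWindowsPath

# Extensions the open= key will execute directly (assumed list).
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def parse_autorun(text):
    """Return the keys of the [autorun] section (lower-cased) or {} if absent.

    autorun.inf is plain INI, so configparser handles it; interpolation is
    off because values such as %SystemRoot% use '%' literally."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "").strip() for k, v in cp[section].items()}
    return {}


def assess(text):
    """List the AutoRun behaviours a baited disk would trigger if the
    NoDriveTypeAutoRun policy does not block them."""
    keys = parse_autorun(text)
    findings = []
    target = keys.get("open", "").split(" ")[0]  # program name, before its arguments
    if PureWindowsPath(target).suffix.lower() in EXEC_EXTS:
        findings.append(f"open= runs {target} on insertion (optical media) or from AutoPlay")
    if keys.get("shellexecute"):
        findings.append(f"shellexecute= opens {keys['shellexecute'].split(' ')[0]} with its registered handler")
    if keys.get("action"):
        findings.append(f"action= labels the malicious AutoPlay entry {keys['action']!r}")
    # Pointing the drive icon at a stock shell32.dll icon makes the drive look
    # like an ordinary folder (assumed heuristic, seen in USB-spreading worms).
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon= borrows a stock Windows icon to look like a plain folder")
    return findings


# Constructed autorun.inf as a baiting USB stick might carry it.
BAITED = r"""[autorun]
open=docs\salary_review.exe
shellexecute=docs\salary_review.exe
icon=%SystemRoot%\system32\shell32.dll,4
action=Open folder to view files
label=Salary Review 2010
"""

# Constructed autorun.inf of a harmless driver CD: icon and label only.
BENIGN = r"""[autorun]
icon=driver.ico
label=Printer Driver
"""

if __name__ == "__main__":
    for name, text in (("baited", BAITED), ("benign", BENIGN)):
        print(name, assess(text) or ["nothing would run"])
```

Two caveats for use on real media: worms often pad autorun.inf with binary junk between the real keys, which this strict INI parse will choke on, so run it on a cleaned copy; and since the 2011 AutoRun update (KB971029) Windows honors autorun.inf only on CD/DVD media, while setting the NoDriveTypeAutoRun policy to 0xFF disables AutoRun for every drive type. Attackers who know this ship the lure as a document or installer the finder is expected to open by hand, so the control is necessary but not sufficient.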

Person-to-person social engineering

Person-to-person social engineering works on the personal level. It can be classified as follows:

·  Impersonation: In an impersonation attack, the attacker pretends to be someone else, for example the employee's friend, a repairman, or a delivery person. Attackers imitate the behavior or actions of others to gather organization details, professional details, contacts and connections, and personal details. Social engineering through impersonation on social networking sites can take the following forms:

o  Confidential information is gathered from social networking sites, and accounts are created in someone else's name.

o  Social engineering techniques are used to build out the impersonated profile by creating large networks of friends and extracting information from them.

o  The gathered information is then used to perform other forms of social engineering attack.

·  In-person attack: The attacker visits the organization and collects information such as the technologies in use and contact details. To accomplish such an attack, the attacker might call the victim on the phone, or simply walk into an office and pretend to be a client or a new worker.

·  Tailgating: An unauthorized person follows an authorized person through a controlled entrance to gain access to a secured area. Typically the tailgater wears a fake ID badge and stays close behind the authorized person so that the door, opened with that person's key or badge, admits both of them.

·  Important user posing: The attacker pretends to be an important member of the organization. This works because of the common belief that it is not appropriate to question authority.

·  Third-party authorization: The attacker tries to make the victim believe that he has the approval of a third party. This works because people tend to believe that most people are good and are telling the truth.

Risks of social networking to corporate networks

The following are the risks of social networking to corporate networks:

·  Data theft: Many individuals have access to a social networking site, which increases the risk that posted information is exploited.

·  Involuntary information leakage: Without a strong policy, employees may unknowingly post sensitive data about their company on social networking sites.

·  Targeted attacks: Information on social networking sites can be used for preliminary reconnaissance of a targeted attack.

·  Network vulnerability: Social networking sites are themselves subject to flaws and bugs, which can expose the company's network.

Threat statistics 2010

The following are the threat statistics for 2010:

·  75% of fraud was committed against existing credit card accounts.

·  13% of victims knew that the crime had been committed.

·  4.8% of the population was victimized by identity fraud.

·  11.1 million adults were victims of identity theft.

·  The total amount of fraud was $54 billion.

9.3 Understand dumpster diving, human-based social engineering, and insider attack

Exam Focus: Understand dumpster diving, human-based social engineering, and insider attack. Objective includes:

·  Understand dumpster diving.

·  Understand human-based social engineering.

·  Understand insider attack and its countermeasures.

·  Gain insights on social engineering threats and defense.

·  Comprehend identity theft.

Dumpster diving

Dumpster diving refers to going through someone's trash to find useful or confidential information. Dumpster divers sift through commercial or residential trash for the information they want, which may then be used for identity theft or to defeat physical information security. Dumpster diving can yield contact information, financial information, operations information, and phone bills.

Human-based social engineering

Human-based social engineering uses person-to-person interaction to retrieve the desired information. Human-based attackers normally impersonate a legitimate role to gain access to information; for example, by impersonating an IT support technician, an attacker may easily get past the front desk of an office and even gain access to the server room. The following are examples of human-based social engineering:

·  Technical support example: A man calls a company's help desk and says he has forgotten his password. He adds that his boss might fire him if he misses the deadline on a big advertising project. The help desk worker, feeling sorry for him, quickly resets the password and unintentionally gives the attacker clear entry into the corporate network.

·  Authority support example: A man calls and says that he is an external auditor who has been asked to perform a surprise inspection of disaster recovery procedures. He adds that you have 8 minutes to show him how you would recover from a Web site crash.

Shoulder surfing

Shoulder surfing is a type of in-person attack in which the attacker gathers information by direct observation on the organization's premises. It is typically carried out by surreptitiously watching an employee's keyboard while the employee types a password at an access point, such as a terminal or Web site login. The attacker can also collect information by reading documents left open on the employee's desk.

Eavesdropping

Eavesdropping is the intentional interception of data (such as e-mail, usernames, passwords, or credit card and calling card numbers) as it passes from a user's computer to a server, or vice versa. There are also high-tech methods of eavesdropping: it has been demonstrated that a laser bounced off a window can pick up the vibrations caused by sounds inside the building, which can then be turned back into those sounds. The cost of such high-tech surveillance has so far limited it to professional information gatherers, but as with all high-tech electronics, falling prices are making these instruments affordable to a wider audience.