Social engineering is an attack that exploits human nature by convincing someone to reveal information or perform an activity. There are two forms of social engineering:

* Passive social engineering takes advantage of the unintentional actions of others to gather information or gain access to a secure facility.
* Active social engineering involves direct interaction with users, asking them to reveal information or take actions.

Attackers use the following methods to appear legitimate:

* Persuasive social engineering entails an attacker convincing a person to give them information or access that they shouldn't.
* Reciprocity social engineering entails an attacker "gifting" something of lesser or equal value to what they expect in return.
* Social validation entails an attacker using peer pressure to coerce someone else to bend rules or give information they shouldn't.
* Commitment social engineering entails convincing someone to buy into an overall idea, then demanding or including further specifics that were not presented up front.
* Scarcity social engineering entails an attacker presenting an item as a "limited-time" or "scarce quantity" offer to increase sales.
* Friendship social engineering entails an attacker using the premise of a friendship as a reason to "help them out" or do something that the victim is not authorized to do.
* Authority social engineering entails an attacker either lying about having authority or using their high status in a company to force victims to perform actions or to give information that exceeds their authorization level.

Countermeasures against these attacks include training employees to:

* Not allow others to use the employee's identification to enter a secure facility.
* Demand proof of identity over the phone and in person.
* Implement strong identity verification methods to gain access to a secure building.

The greater the value of the information, the higher the security around those items should be maintained.

Specific social engineering attacks include:

* Shoulder surfing: Shoulder surfing involves looking over the shoulder of someone working on a computer.
* Eavesdropping: Eavesdropping refers to an unauthorized person listening to conversations of employees or other authorized personnel discussing sensitive topics.
* Dumpster diving: Dumpster diving is the process of looking in the trash for sensitive information that has not been properly disposed of.
* Tailgating and piggybacking: Piggybacking and tailgating refer to an attacker entering a secured building by following an authorized employee through a secure door without providing identification. Piggybacking usually implies consent of the authorized employee, whereas tailgating implies no consent of the authorized employee.
* Masquerading: Masquerading refers to convincing personnel to grant access to sensitive information or protected systems by pretending to be someone who is authorized and/or requires that access. Masquerading is more passive compared to impersonating.
* Phishing: A phishing scam is an e-mail pretending to be from a trusted organization, asking to verify personal information or send money. In a phishing attack:
  * A fraudulent message (that appears to be legitimate) is sent to a target.
  * The message requests that the target visit a fraudulent Web site (which also appears to be legitimate). Graphics, links, and Web sites look almost identical to the legitimate requests and Web sites they are trying to represent.
  * The fraudulent Web site requests that the victim provide sensitive information such as the account number and password.
  * A Rock Phish kit is a fake Web site that can be set up to imitate a real Web site (such as banks, PayPal®, eBay®, and Amazon®). Phishing e-mails direct you to the fake Web site to enter account information. A single server can host multiple fake sites using multiple registered DNS names. These sites can be set up and taken down rapidly to avoid detection.
  * A Nigerian scam, also known as a 419 scam, involves an e-mail which requests a small amount of money to help transfer funds from a foreign country. For your assistance, you are to receive a reward of a much larger amount of money that will be sent to you at a later date.
  * In spear phishing, attackers gather information about the victim, such as identifying which online banks they use. They then send phishing e-mails for the specific bank.
  * Whaling is another form of phishing that is targeted at senior executives and high-profile victims.
  * Vishing is similar to phishing, but instead of an e-mail, the attacker uses Voice over IP (VoIP) to gain sensitive information. The term is a combination of voice and phishing.
  To protect against phishing:
  * Check the actual link destination within e-mails to verify that they go to the correct URL and not a spoofed one.
  * Do not click on links in e-mails. Instead, type the real bank URL into the browser.
  * Verify that HTTPS is used when going to e-commerce sites. HTTPS requires a certificate that matches the server name in the URL and is verified by a trusted CA. You can also look for the lock icon to verify that HTTPS is used.
  * Implement phishing protections within your browser.
* Spear phishing: Spear phishing is targeted at gaining access to information that will allow the attacker to gain commercial advantage or commit fraud. Spear phishing frequently involves sending seemingly genuine e-mails to all employees or members of specific teams.
* Caller ID spoofing: Caller ID spoofing causes the telephone network to display a number on the recipient's caller ID display that implies the call is coming from a legitimate source.
* Hoax e-mails: Hoax e-mails prey on e-mail recipients who are fearful and believe most information if it is presented in a professional manner. Usually these hoax messages instruct the reader to delete key system files or download Trojan horses.
* Spyware/Adware: Spyware and adware are pop-up advertisements that can have malicious objectives such as:
  * Tricking users into unknowingly downloading malware.
  * Gathering information about the user and sending it to a third party for commercial gain.
* Pretexting: Pretexting is the use of a fictitious scenario to persuade someone to perform an action or give information for which they are not authorized. Pretexting usually requires the attacker to perform research to create a believable scenario.

The most effective countermeasure for social engineering is employee awareness training on how to recognize social engineering schemes and how to respond appropriately. Specific countermeasures include:

* Train employees to:
  * Protect information by:
    * Securely disposing of sensitive documents, disks, and devices.
    * Protecting sensitive information on a computer from prying eyes.
    * Protecting sensitive information from prying ears.
  * Implement online security by:
    * Verifying the validity of Web sites.
    * Verifying that requests for privileged information are authorized.
    * Using bookmarked links instead of links in e-mails to go to Web sites.
    * Double checking e-mail information or instructions with a reputable third-party antivirus software vendor before implementing recommendations.
    * Never opening a suspicious e-mail attachment.
* Determine the value of each type of information, such as dial-in numbers, user names, passwords, network addresses, etc.