About this page.

This blog was originally just going to be my Security assignment for electronic logs, but it has now evolved just a bit. In this blog you will find my notes and anything else we do in these classes.

Thursday, January 26, 2012

Chapter 2 Cont.

Chapter 2 Cont- Social Engineering Attacks
  • Directly gathering information from individuals
    • Relies on trusting nature of individuals
  • Psychological approaches
    • Goal: persuade the victim to provide information or take action
    • Flattery or flirtation
    • Conformity
    • Friendliness
  • Attacker will ask for only small amounts of information
    • Often from several different victims
  • Request needs to be believable
  • Attacker "pushes the envelope" to get information:
    • Before victim suspects anything
  • Attacker may smile and ask for help
  • True example of social engineering attack
    • One attacker called human resources office
      • Asked for and got names of key employees
    • Small group of attackers approached door to building
      • Pretended to have lost key code
      • Let in by friendly employee
      • Entered another secured area in the same way
    • Group had learned CFO was out of town
      • Thanks to his VM greeting!
      • Group entered CFO's office
      • Gathered information from unprotected computers
      • Dug through trash to retrieve useful documents
      • One member called help desk from CFO's office
        • Pretended to be CFO
        • Asked for password urgently
        • Help desk gave password
      • Group left building with complete network access
  • Impersonation
    • Attacker pretends to be someone else
      • Help desk support technician
      • Repairperson
      • Trusted third party
      • Individuals in roles of authority
  • Phishing
    • Sending an email claiming to be from legitimate source
      • May contain legitimate logos and wording
    • Tries to trick user into giving private information
  • Variations of phishing
    • Pharming
      • Automatically redirects user to fraudulent Web site
    • Spear phishing
      • Email messages target specific users
    • Whaling
      • Going after the "big fish"
      • Targeting wealthy individuals
    • Vishing (Voice phishing)
      • Attacker calls victim with recorded "bank" message with callback number
      • Victim calls attacker's number and enters private information
  • Ways to recognize phishing messages
    • Deceptive web links
      • @sign in the middle of address
    • Variations of legitimate addresses
    • Presence of vendor logos that look legitimate
    • Fake sender's address
    • Urgent request
  • SPAM
    • Unsolicited email
    • Primary vehicle for distribution of malware
    • Sending spam is a lucrative business
  • Spim: targets IM users
  • Image spam
    • Uses graphical images of text
    • Circumvents text-based filters
    • Often contains nonsense text
  • Spammer techniques
    • GIF layering
      • Image spam divided into multiple images
      • Layers make up one complete legible message
    • Word splitting
      • Horizontally separating words
      • Can still be read by human eye
    • Geometric variance
      • Uses speckling and different colors so no two emails appear to be the same
  • Hoaxes
    • False warning or claim
    • May be first step in an attack
  • Physical procedures
    • Dumpster diving
      • Digging through trash to find useful information
    • Tailgating
      • Following behind an authorized individual through access door
  • Methods of tailgating
    • Tailgater calls "please hold the door"
    • Waits outside door and enters when authorized employee leaves
    • Employee conspires with unauthorized person to walk together through open door
    • Shoulder surfing
      • Casually observing user enter keypad code
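The "deceptive web links" point above (an "@" sign in the middle of the address, and variations of legitimate addresses) can be checked mechanically. The following Python is an added example, not part of the original notes or the textbook: it parses a link the way a browser would, flags the "@" trick, and flags hosts that are a character or two away from, or merely contain, a trusted domain. The trusted-domain list and the sample links are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed list of domains the reader's organisation treats as legitimate (an assumption).
TRUSTED_DOMAINS = ("bank.example", "mail.example")


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character variations of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_link_warnings(url):
    """Return a list of warnings for a link; an empty list means nothing looked suspicious."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["could not parse a host from the link"]
    warnings = []
    # The "@" trick: a browser treats everything before "@" as user information and
    # ignores it, so http://www.bank.example@attacker.example/ really goes to attacker.example.
    if "@" in parts.netloc:
        shown = parts.netloc.split("@")[0]
        warnings.append(f"'@' in address: link shows {shown!r} but connects to {host!r}")
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        # Compare the tail of the host that has as many labels as the trusted name.
        tail = ".".join(labels[-len(trusted.split(".")):])
        if tail == trusted:
            continue  # exact match or a genuine subdomain of the trusted domain
        if edit_distance(tail, trusted) <= 2:
            warnings.append(f"lookalike host {host!r} resembles trusted {trusted!r}")
        elif trusted in host:
            warnings.append(f"trusted name {trusted!r} buried inside unrelated host {host!r}")
    return warnings


if __name__ == "__main__":
    for link in ("https://www.bank.example/login",
                 "http://www.bank.example@attacker.example/login",
                 "https://www.bank.exarnple/",
                 "http://www.bank.example.attacker.example/"):
        print(link, "->", phishing_link_warnings(link) or ["looks clean"])
```

A real mail filter would also compare the displayed link text against the actual href, which this example does not cover.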
