If you’re planning to take the SY0-501 version of the Security+ exam, you should understand social engineering. This includes several techniques attackers use to trick users.
For example, can you answer this question?
Q. While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?
A. Vishing
B. Dumpster diving
C. Shoulder surfing
D. Tailgating
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Social engineering uses social tactics to trick users into giving up information or performing actions they wouldn’t normally take. Social engineering attacks can occur in person, over the phone, while surfing the Internet, and via email.
Impersonation
Some social engineers often attempt to impersonate others. The goal is to convince an authorized user to provide some information, or help the attacker defeat a security control.
As an example, an attacker can impersonate a repair technician to gain access to a server room or telecommunications closet. After gaining access, the attacker can install hardware such as a rogue access point to capture data and send it wirelessly to an outside collection point. Similarly, attackers impersonate legitimate organizations over the phone and try to gain information. Identity verification methods are useful to prevent the success of impersonation attacks.
Shoulder Surfing
Shoulder surfing is simply looking over the shoulder of someone to gain information. The goal is to gain unauthorized information by casual observation, and it’s likely to occur within an office environment. This can be to learn credentials, such as a username and password, or a PIN used for a smart card or debit card. Recently, attackers have been using cameras to monitor locations where users enter PINs, such as at automatic teller machines (ATMs).
A simple way to prevent shoulder surfing is to position monitors and other types of screens so that unauthorized personnel cannot see them. This includes ensuring people can’t view them by looking through a window or from reception areas.
Another method used to reduce shoulder surfing is to use a screen filter placed over the monitor. This restricts the visibility of the screen for anyone who isn’t looking directly at the monitor.
Tricking Users with Hoaxes
A hoax is a message, often circulated through email, that tells of impending doom from a virus or other security threat that simply doesn’t exist. Users may be encouraged to delete files or change their system configuration.
An older example is the teddy bear virus (jdbgmgr.exe), which was not a virus at all. Victims received an email saying this virus lies in a sleeping state for 14 days and then it will destroy the user’s system. It then told users that they can protect their system by deleting the file (which has an icon of a little bear), and provided instructions on how to do so. Users who deleted the file lost some system capability.
More serious virus hoaxes have the potential to be as damaging as a real virus. If users are convinced to delete important files, they may make their systems unusable. Additionally, they waste help-desk personnel’s time due to needless calls about the hoax or support calls if users damaged their systems in response to the hoax.
Tailgating and Mantraps
Tailgating is the practice of one person following closely behind another without showing credentials. For example, if Homer uses a badge to gain access to a secure building and Francesca follows closely behind Homer without using a badge, Francesca is tailgating.
Employees often do this as a matter of convenience and courtesy. Instead of shutting the door on the person following closely behind, they often hold the door open for the person. However, this bypasses the access control, and if employees tailgate, it’s very easy for a nonemployee to slip in behind someone else. Often, all it takes is a friendly smile from someone like Francesca to encourage Homer to keep the door open for her.
A simple mantrap can be a turnstile like those used in subways or bus stations. Imagine two men trying to go through a turnstile like this together. It’s just not likely. Security guards can check the credentials of each person, and they won’t be fooled by a smile as easily as Homer.
Dumpster Diving
Dumpster diving is the practice of searching through trash or recycling containers to gain information from discarded documents. Many organizations either shred or burn paper instead of throwing it away.
For example, old copies of company directories can be valuable to attackers. They may identify the names, phone numbers, and titles of key people within the organization. Attackers may be able to use this information in a whaling attack against executives or social engineering attacks against anyone in the organization. An attacker can exploit any document that contains detailed employee or customer information, and can often find value in seemingly useless printouts and notes.
On a personal basis, preapproved credit applications or blank checks issued by credit card companies can be quite valuable to someone attempting to gain money or steal identities. Documentation with any type of Personally Identifiable Information (PII) or Protected Health Information (PHI) should be shredded or burned.
Watering Hole Attacks
A watering hole attack attempts to discover which web sites a group of people are likely to visit and then infects those web sites with malware that can infect the visitors. The attacker’s goal is to infect a web site that users trust already, making them more likely to download infected files.
As an example, an attack discovered in late 2016 initially targeted Polish banks. The attack was discovered by a single Polish bank that discovered previously unknown malware on internal computers. Symantec reported the source of the attack was servers at the Polish Financial Supervision Authority. This is a well-trusted institution by Polish bank employees, and they are likely to visit the organization’s web sites often.
This isn’t an isolated incident though. Symantec reported over 100 similar attacks located in over 30 countries.
Q. While cleaning out his desk, Bart threw several papers containing PII into the recycle bin. Which type of attack can exploit this action?
A. Vishing
B. Dumpster diving
C. Shoulder surfing
D. Tailgating
Answer is B. Dumpster divers look through trash or recycling containers for valuable paperwork, such as documents that include Personally Identifiable Information (PII). Instead, paperwork should be shredded or incinerated.
Vishing is a form of phishing that uses the phone.
Shoulder surfers attempt to view monitors or screens, not papers thrown into the trash or recycling containers.
Tailgating is the practice of following closely behind someone else, without using proper credentials.
See Chapter 6 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on social engineering.