Social engineers typically use one or more principles, which increase the effectiveness of their attacks. If you’re planning to take the Security+ exam, you should have a good understanding of these underlying principles of the different social engineering tactics.
For example, can you answer this question?
Q. Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on its database servers. Which of the following choices is the BEST response from Lisa?
A. Let the caller know what operating system and versions are running on the database servers to determine if any further action is needed.
B. Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues.
C. Ask the caller for his phone number so that she can call him back after checking the servers.
D. Contact law enforcement personnel.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation is available at the end of this post.
Familiarity/Liking
If you like someone, you are more likely to do what the person asks. This is why so many big companies hire well-liked celebrities. And, it’s also why they fire them when those celebrities become embroiled in a scandal that affects their credibility.
Some social engineers attempt to build rapport with the victim to build a relationship before launching the attack. This principle is most effective with shoulder surfing and tailgating attacks:
- Shoulder surfing. People are more likely to accept someone looking over their shoulder when they are familiar with the other person, or they like them. In contrast, if people don’t know or don’t like someone, they are more likely to recognize a shoulder surfing attack and stop it immediately.
- Tailgating. People are much more likely to allow someone to tailgate behind them if they know the person or like the person. Some social engineers use a simple, disarming smile to get the other person to like them.
Trust
In addition to familiarity/liking, some social engineers attempt to build a trusting relationship between them and the victim. This often takes a little time, but the reward for the criminal can be worth it. Vishing attacks often use this method.
As an example, someone identifying himself as a security expert once called me. He said he was working for some company with “Secure” in its name, and they noticed that my computer was sending out errors. He stressed a couple of times that they deploy and support Windows systems. The company name and their experience was an attempt to start building trust.
He then guided me through the process of opening Event Viewer and viewing some errors on my system. He asked me to describe what I saw and eventually said, “Oh my God!” with the voice of a well-seasoned actor. He explained that this indicated my computer was seriously infected. In reality, the errors were trivial.
After seriously explaining how much trouble I was in with my computer, he then added a smile to his voice and said, “But this is your lucky day. I’m going to help you.” He offered to guide me through the process of fixing my computer before the malware damaged it permanently.
All of this was to build trust. At this point, he went in for the kill. He had me open up the Run window and type in a web site address and asked me to click OK. This is where I stopped. I didn’t click OK. I tried to get him to answer some questions but he was evasive. Eventually, I heard a click. My “lucky day” experience with this social engineering criminal was over.
The link probably would have taken me to a malicious web site ready with a drive-by download. Possibly the attacker was going to guide me through the process of installing rogueware on my system. If my system objected with an error, I’m betting he would have been ready with a soothing voice saying, “That’s normal. Just click OK. Trust me.” He spent a lot of time with me. I suspect that they’ve been quite successful with this ruse with many other people.
The 601 Version of the Study Guide
The CompTIA Security+: Get Certified Get Ahead: SY0-601 Study GuideEach of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action.
You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details. Additionally, each chapter includes a comprehensive review section to help you focus on what’s important.
Over 300 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. The book includes:
- A 75 question pre-test
- A 75 question post-test
- Practice test questions at the end of every chapter.
Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question. You’ll be ready to take and pass the exam the first time you take it.
If you plan to pursue any of the advanced security certifications, this guide will also help you lay a solid foundation of security knowledge. Learn this material, and you’ll be a step ahead for other exams. This SY0-601 study guide is for any IT or security professional interested in advancing in their field, and a must-read for anyone striving to master the basics of IT security.
Consensus/Social Proof
People are often more willing to like something that other people like. Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware). If users search the Internet before downloading the rogueware, they will come across these web sites, and might believe that other real people are vouching for the product.
Using consensus/social proof is most effective with Trojans and hoaxes. Victims are more likely to install a Trojan if everyone seems to indicate it’s safe. Similarly, if a person suspects a virus notice is a just a hoax, but everyone seems to be saying it’s real, the victim is more likely to be tricked.
Q. Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on its database servers. Which of the following choices is the BEST response from Lisa?
A. Let the caller know what operating system and versions are running on the database servers to determine if any further action is needed.
B. Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues.
C. Ask the caller for his phone number so that she can call him back after checking the servers.
D. Contact law enforcement personnel.
Answer is B. This sounds like a social engineering attack where the caller is attempting to get information on the servers, so it’s appropriate to end the call, report the call to a supervisor, and independently check the vendor for potential issues.
It is not appropriate to give external personnel information on internal systems from a single phone call.
The caller has not committed a crime by asking questions, so it is not appropriate to contact law enforcement personnel.
