SECURITY PLUS EXAM NOTES
1.0 Threats, Attacks, And Vulnerabilities
Compare and contrast different types of social engineering techniques.
• Phishing
the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
• Vishing
the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.
• Spam over instant messaging (SPIM)
spam delivered by means of instant messaging rather than email.
• Spear phishing
the fraudulent practice of sending emails ostensibly (apparently or purportedly, but perhaps not actually) from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
• Dumpster diving
A dumpster diving attack is a type of cyber attack made possible by searching through the victim’s trash for useful sensitive information.
• Shoulder surfing
the practice of spying on the user of an ATM, computer, or other electronic device in order to obtain their personal access information.
• Tailgating
Tailgating or piggybacking is a physical social engineering attack where a person seeks to enter a restricted area where they are otherwise not allowed to be.
• Eliciting information
to call forth or draw out (something, such as information or a response)
• Whaling
a phishing attempt by someone posing as a company's attorney, CEO, vendor, or other authorized entity in order to scam a payroll department, corporate executive …
• Prepending
when an attacker prepends, or attaches, a trustworthy value like “RE:” or “MAILSAFE: PASSED” to a message in order to make the message appear more trustworthy.
• Identity fraud
Fraudsters using social engineering techniques collect personal data directly through emails (which may carry malicious links or attachments, or send the reader to a legitimate-looking website the fraudster controls) and even social media messages, then use that information to commit identity theft.
• Invoice scams
This is when the attacker has done the work to figure out who pays the invoices in your organization, and they send an invoice directly to that person with a bill that needs to be paid.
• Credential harvesting
Threat actors carry out credential harvesting attacks to stockpile databases of usernames and passwords.
• Reconnaissance
There are two main phases of a social engineering (SE) attack. The first phase is the reconnaissance phase, where the social engineer gathers intelligence on their target. This helps them convince the target that they are who they claim to be, so the target trusts them. The second phase is the attack phase, where the social engineer calls the target and starts the attack.
• Hoax
tricking someone into believing or accepting as genuine something false and often preposterous.
• Impersonation
an act of pretending to be another person for the purpose of fraud (or entertainment).
• Watering hole attack
a cyberattack targeting a particular organization, in which malware is installed on a website or websites regularly visited by the organization's members in order to infect computers used within the organization itself.
• Typosquatting
Typosquatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites under someone else's brand or copyright) that targets Internet users who incorrectly type a website address into their web browser (e.g., “Gooogle.com” instead of “Google.com”).
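A defender-side check for the typosquatting described above, added here as an example and not part of the original notes: it flags a domain that sits within a small edit distance of a watchlisted brand domain, the way “Gooogle.com” sits one character away from “Google.com”. The watchlist and sample URLs are constructed, and the two-label domain extraction is an assumption that works for .com-style names only.

```python
# Added example (not from the notes): flag candidate typosquat domains
# by their edit distance to a watchlist of legitimate brand domains.
from typing import List, Optional, Tuple

# Constructed watchlist for illustration; a real one would hold your own brands.
WATCHLIST: List[str] = ["google.com", "example-bank.com"]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Strip scheme, port and path, then keep the last two labels.
    Assumption: two-label registrable domains (fine for .com, not for .co.uk)."""
    host = url.lower().split("://")[-1].split("/")[0].split(":")[0]
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:])


def typosquat_match(url: str, watchlist: List[str] = WATCHLIST,
                    max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (legitimate_domain, distance) when the URL's domain is a near miss
    of a watchlist entry; None for an exact match or an unrelated domain."""
    dom = registrable_domain(url)
    best: Optional[Tuple[str, int]] = None
    for legit in watchlist:
        d = levenshtein(dom, legit)
        if d == 0:
            return None  # the genuine site, not a lookalike
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best


if __name__ == "__main__":
    for sample in ["http://Gooogle.com/login", "https://www.google.com/",
                   "exampel-bank.com", "http://microsoft.com"]:
        print(sample, "->", typosquat_match(sample))
```

Near misses feed a blocklist or an alert; the threshold should be tuned against your own short brand names, since a distance of 2 also matches unrelated domains of four or five characters.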
• Pretexting
A pretexting attack is a form of social engineering that involves fabricating a scenario to manipulate unsuspecting individuals into revealing sensitive information.
• Influence campaigns - Hybrid warfare - Social media
Influence campaigns are large-scale campaigns that seek to shift public opinion. Such campaigns are usually carried out in bad faith and often seek to push a false narrative.
• Principles (reasons for effectiveness)
Social engineering principles are the common methods that social engineers use to increase the effectiveness of their attacks.
The Security+ exam specifically asks about these so it’s important to understand them.
• Authority
Using authority is most effective with impersonation, whaling, and vishing attacks:
Some social engineers impersonate others to get people to do something. For example, many have called users on the phone claiming they work for Microsoft. The Police Virus attempts to impersonate a law enforcement agency. Some social engineers attempt to impersonate a person of authority, such as an executive within a company, or a technician.
• Intimidation
Intimidation might be through bullying tactics, and it is often combined with impersonating someone else. Using intimidation is most effective with impersonation and vishing attacks.
For example, a social engineer might call an executive’s receptionist with this request:
“Mr. Simpson is about to give a huge presentation to potential customers, but his files are corrupt. He told me to call you and get you to send the files to me immediately so that I can get him set up for his talk.”
• Consensus/Social proof
People are often more willing to like something that other people like.
Some attackers take advantage of this by creating web sites with fake testimonials that promote a product. For example, criminals have set up some web sites with dozens of testimonials listing all the benefits of their fake antivirus software (rogueware). If users search the Internet before downloading the rogueware, they will come across these web sites, and might believe that other real people are vouching for the product.
• Scarcity
People are often encouraged to take action when they think there is a limited quantity.
As an example of scarcity, think of Apple iPhones. When Apple first releases the new version, they typically sell out quickly.
A phishing email can take advantage of this and encourage users to click a link for exclusive access to a new product. If the users click, they’ll end up at a malicious web site.
Scarcity is often effective with phishing and Trojan attacks. People make quick decisions without thinking them through.
• Familiarity/Liking
If you like someone, you are more likely to do what the person asks. This is why so many big companies hire well-liked celebrities. And, it’s also why they fire them when those celebrities become embroiled in a scandal that affects their credibility.
Some social engineers attempt to build rapport with the victim to build a relationship before launching the attack.
• Trust
In addition to familiarity/liking, some social engineers attempt to build a trusting relationship between them and the victim. This often takes a little time, but the reward for the criminal can be worth it.
Vishing attacks often use this method.
As an example, someone identifying himself as a security expert once called me.
• Urgency
Some attacks use urgency as a technique to encourage people to take action now.
As an example, the CryptoLocker ransomware virus uses the scarcity principle with a countdown timer. Victims have 72 hours before they’ll lose all their data, and each time they look at their computer, they’ll see the timer counting down.