
Social Engineering

Definition:

Social engineering (SE) is any act that influences a person to take an action that may or may not be in their best interests; it takes advantage of the fact that gender, racial, age, and status biases (as well as combinations of those biases) exist.

Why learn about SE

Most people think of social engineering as someone seeking small favours or as obvious manipulation.
However, there is more to it from a security standpoint:
1. Identifying loopholes - this is the process of identifying vulnerabilities within the chain, say in an organization, by conducting simulated phishing and even physical intrusion campaigns.
It helps the organization update its risk register and matrix as far as physical and information security are concerned.
2. Training to defend - after the loophole has been identified, it needs to be patched. This has to involve training of the relevant stakeholders because, as Kevin Mitnick put it, "There is no patch to human stupidity".

Categories of Social Engineering

There are many forms of SE, but we'll highlight just a few of the most common:

  1. Smishing - the fraudulent practice of sending text messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
  2. Vishing - the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information.
  3. Phishing - the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information.
  4. Impersonation - an act of pretending to be another person for the purpose of entertainment or fraud by mimicking their voice and mannerisms.

Social Engineering Pyramid

We'll now look at a generalized attack matrix for social engineering, which you can follow in order to be successful in your assignment.

Phase 1: OSINT (Open Source Intelligence)

This is the information gathering stage and can be further divided into:

  • Non-Technical - It mainly involves observation, listening and paying attention to the body language of the persons you want to get information from.
  • Technical - Social media as well as search engines play a big part in this. One can acquire much of the information available online, whether on their LinkedIn, Twitter, Facebook accounts, etc.

Phase 2: Pretext Development

Based on the information gathered, the attacker can now see what changes, additions or adjustments need to be made. These can be tools, props or persons to be present while carrying out the attack.

Phase 3: Attack Plan

This phase is very crucial, as it will determine whether the whole process is a success or not. An attacker will need to have the 3 W's right.

  • What is the plan - they will need to clearly understand what it is that they are going for and possibly the information they hope to exfiltrate if they are successful.
  • When is the best time - the attacker will also need to consider when the target is most vulnerable and will comply with their demands.
  • Who needs to be available - an extra person may be helpful to create distractions, evoke empathy or cause a scene to help in their plan.

Phase 4: Attack Launch

At this point the attacker has all the pieces in place and can go full steam ahead with the attack. The plan being executed has to be well written, clear and dynamic in case anything unexpected happens.

Phase 5: Reporting

After a successful attack (assuming it was successful), the social engineer has to prepare a report for the person(s) who gave him/her the task. Here, they will have to state in detail the vulnerabilities exploited, the information gained and recommendations on how the weaknesses can be rectified.

At this point let's look at ways we can prevent social engineering attacks. However, we'll narrow down to phishing, which mainly deals with email security.

When you understand how decisions are made, you can start to understand how a malicious attacker can use emotional triggers, psychological principles, and application of the art and science of social engineering to get you to “take an action that is not in your best interests.”

By David Kariuki