Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker
Social Engineering
Module IX Page 1 of 21 Ethical Hacking and Countermeasures Copyright © by EC-Council
All rights reserved. Reproduction is strictly prohibited
Ethical Hacking (EH)
Module IX: Social Engineering
EC-Council
Module Objective
• What is Social Engineering?
• Common Types of Attacks
• Social Engineering by Phone
• Dumpster Diving
• Online Social Engineering
• Reverse Social Engineering
• Policies and Procedures
• Employee Education
Module Objectives
If you have seen the movie ‘War Games’, then you have already seen social engineering in action. Kevin Mitnick, arguably one of the best ‘social engineers’ around, had his story captured on celluloid, and it shows the art of deception.
In this module, you will get an overview of:
• What Social Engineering is,
• The Common Types of Attack,
• Social Engineering by Phone,
• Dumpster Diving,
• Online Social Engineering,
• Reverse Social Engineering,
• Policies and Procedures and
• Educating Employees.
It must be pointed out that the information contained in this chapter is for the purpose of overview alone. While it points out fallacies and advocates effective countermeasures, the possible ways to extract information from another human being are restricted only by the ingenuity of the cracker’s mind. While this aspect makes it an ‘art’ and the psychological nature of some of these techniques makes it a ‘science’, the bottom line is that there is no single defense against social engineering, and only constant vigilance can circumvent some of these overtures.
What is Social Engineering?
Social Engineering is the human side of breaking into a corporate network.
Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks.
An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.
It is said that security is only as strong as the weakest link. Social engineering is the human side of breaking into a corporate network. It need not be restricted to corporate networks alone – though that is where the impact is felt most strongly. It does not matter if enterprises have invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software, if an employee unwittingly gives away key information in an email, by answering questions over the phone with a stranger or new acquaintance, or even by bragging about a project with co-workers at a local pub after hours.
Most often, people are not even aware of the security lapse they have inadvertently made. Crackers take special interest in developing social engineering skills and can be so proficient that their victims would not even realize that they have been scammed. Despite having security policies in place, organizations are compromised because this form of attack preys on the human impulse to be kind and helpful.
People have been conditioned not to be overtly suspicious, so they associate certain behavior and appearance with known entities. For instance, on seeing a man dressed in brown and stacking a whole bunch of boxes in a cart, people will hold the door open because they think he is the delivery man. Attackers are always looking for new ways to get information. They will make sure that they know the perimeter and the people on the perimeter - security guards, receptionists and help desk workers - in order to exploit human oversight.
Some companies list employees by title and give their phone number and email address on the corporate Web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers who are trained on Oracle databases or UNIX servers. These little bits of information help crackers know what kind of system they are tackling.
Art of Manipulation
Social Engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders.
The goal of a social engineer is to trick someone into providing valuable information or access to that information.
It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting in trouble.
Social engineering is the art and science of getting people to comply with a cracker’s wishes. It is
not a way of mind control, and it does not allow the cracker to get people to perform tasks wildly
outside of their normal behavior. Above all, it is not foolproof. Yet, this is one way most crackers
get a foot into the corporation. There are two terms that are of interest here.
• Social engineering is hacker jargon for getting needed information from a person rather
than breaking into a system.
• Psychological subversion is the term for using social engineering over an extended period
of time to maintain a continuing stream of information and help from unsuspecting
users.
Let us look at a sample scenario.
Cracker: "Good morning Ma’am, I am Bob, I would like to speak with Ms. Alice."
Alice: "Hello, I am Alice."
Cracker: "Good morning Ma’am, I am calling from the data center, I am sorry I am calling you so early..."
Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter."
Cracker: "I was able to call you because of the personal data form you filled in when creating your account." (with eye-blinking tone)
Alice: "My pers.. oh, yes."
Cracker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users’ mail. Since you are a remote user, we are clearing your problems first."
Alice: "A crash? Is my mail lost?"
Cracker: "Oh no, Ma’am, we can restore it. But, since we are datacenter employees, and we are not allowed to mess with the corporate office users' mail, we need your password; otherwise we cannot take any action." (first try, probably unsuccessful)
Alice: "Er, my password? Well..."
Cracker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain victim's trust)
Cracker: "Your username is AliceDxb, isn't it? Corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the datacenter. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else, well, we will forget it." (smiling)
Alice: "Well, it's not so secret (also smiling! It’s amazing...), my pass is xxxxxx."
Cracker: "Thank you very much, Ma’am. We will restore your mail in a few minutes."
Alice: "But no mail is lost, is it?"
Cracker: "Absolutely, Ma’am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the Intranet."
Alice: "Thanks, you are very efficient, goodbye."
Cracker: "Goodbye."
Human Weakness
People are usually the weakest link in the security chain.
A successful defense depends on having good policies in place and educating employees to follow the policies.
Social Engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.
Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered-down computers are vulnerable. Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used to social engineer further information. This means that even people not considered part of a security policy can be used to cause a security breach. Security professionals are constantly being told that security through obscurity is very weak security. In the case of social engineering it is no security at all. It is impossible to obscure the fact that humans use the system or that they can influence it.
Attempting to steer an individual towards completing a desired task can use several methods. The first and most obvious is simply a direct request, where an individual is asked to complete the task directly. Although least likely to succeed, this is the easiest and most straightforward method; the individual knows exactly what is wanted of them. The second is creating a contrived situation of which the individual is simply a part. With more factors than just the request to consider, the individual concerned is far more likely to be persuaded, because the cracker can create reasons for compliance other than purely personal ones. This involves far more work for the person making the attempt at persuasion, and almost certainly involves gaining extensive knowledge of the 'target'. This does not mean that the situation need not be based in fact; the fewer untruths, the better.
One of the essential tools used for social engineering is a good memory for gathered facts. This is
something that hackers and sysadmins tend to excel in, especially when it comes to facts relating
to their field.
Common Types of Social Engineering
Social Engineering can be broken into two types: human based and computer based.
1. Human-based Social Engineering refers to person-to-person interaction to retrieve the desired information.
2. Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
Social Engineering can be broadly divided into two types: human based and computer based. Human-based social engineering involves human interaction in one manner or another. Computer-based social engineering depends on software to carry out the task at hand.
Gartner notes six human behaviors that produce a positive response to social engineering. Corroborate these with the traits discussed in module one of the course.
Reciprocation – Someone is given a "token" and feels compelled to take action. Example: you buy the wheel of cheese when given a free sample.
Consistency – Certain behavior patterns are consistent from person to person. Example: if you ask a question and wait, people will be compelled to fill the pause.
Social Validation – Someone is compelled to do what everyone else is doing. Example: stop in the middle of a busy street and look up; people will eventually stop and do the same.
Liking – People tend to say yes to those they like, and also to attractive people. Example: attractive models are used in advertising.
Authority – People tend to listen to and heed the advice of those in a position of authority. Example: "Four out of five doctors recommend...."
Scarcity – If something is in low supply, it becomes more "precious" and, therefore, more appealing. Example: Furbies or the Sony PlayStation 2.
Source: Gartner Research
The social engineering cycle can be seen as four distinct phases:
1. Information Gathering
2. Development of Relationship
3. Exploitation of Relationship
4. Execution to Achieve Objective
Human based - Impersonation
Human based social engineering techniques can be broadly categorized into:
• Impersonation
• Posing as Important User
• Third-person Approach
• Technical Support
• In Person
  • Dumpster Diving
  • Shoulder Surfing
Impersonation – This is a popular social engineering technique, most often portrayed as the cracker impersonating an employee and resorting to an out-of-the-ordinary method to gain access or privileges. It is not the only portrayal though. Other examples include a ‘friend’ of an employee accosting a colleague to retrieve information needed by the employee in a sick bed, and then using it for further social engineering. There is a well-recognized rule in social interactions that a favor begets a favor, even if it was offered without any request from the recipient. This truth is known as reciprocation. Reciprocation is seen constantly in the corporate environment. An employee will help out another with the expectation that, eventually, the favor will be returned. Social engineers try to take advantage of this social trait in impersonation. The possibilities are endless and limited only by imagination. Few employees question a personal visit from a repairman, IS support person, contractor, or cleaning person. These ruses have also been used in the past as a disguise to gain physical access. A great deal of information can be gleaned from the tops of desks, the trash or even phone directories and nameplates.
Important User – Impersonation is taken to a higher degree by assuming the identity of an important employee in order to add an element of intimidation. The reciprocation factor also plays a role, in that a lower-level employee would go out of the way to help a higher-level employee so that the favor earns him the attention he needs to get ahead in the corporate environment. Another behavioral trigger that aids a social engineer is the implicit tendency not to question authority. People will do an out-of-turn routine for someone whom they perceive to be in authority. A cracker posing as an important user (such as a vice president or director) can very easily manipulate an employee who has not been prepared. This trigger assumes even greater significance given that it is considered a challenge to verify the legitimacy of the authority at all. This lack of perspective by employees makes it easy for anyone willing to misrepresent him or herself as an authority figure. For example, a help desk employee is less likely to turn down the request of
a Vice President who says he has very little time to get some important information he needs for a meeting and needs to access resources. The social engineer uses authority to intimidate, or may even threaten to report the employee to their supervisor if they do not provide the information required.
Third-party Authorization – Another popular social engineering technique is for the cracker to present himself to a resource claiming that he has the approval of the designated authority. For instance, on learning who is responsible for granting access to the desired information, the cracker might keep tabs on that person and use his absence as leverage to access resources. He might approach the help desk or other personnel claiming he has approval to access information. This can be particularly effective if the person is on vacation or out of town – where verification is not instantly possible. People have a tendency to follow through with commitments in the workplace – even if they are suspicious that the request may not have been legitimate. This tendency is so strong that people will fulfill commitments that they believe were made by their fellow employees. People also have a tendency to believe that others are expressing their true attitudes when they make a statement. Unless there is strong evidence to the contrary, people will believe that the person with whom they are talking is telling the truth about what they feel or need.
Posing as technical support – An often-used tactic, especially when the victim is not proficient in technical areas. The cracker may pose as a hardware vendor, technician or computer-related supplier and approach the victim. One demonstration at a hacker meet had the speaker calling up Starbucks and asking the employee whether his broadband connection was working fine. The perplexed employee replied that it was the modem that was giving them trouble. The hacker went on to make him read out the credit card number of the last transaction – without giving any credentials. In the corporate scenario, the cracker may ask employees to part with their login information, including the password, to sort out a non-existent problem.
In Person – The cracker might actually try to visit the target site and physically survey it for information. He may disguise himself as a courier, janitor or mailman, or even hang out as a visitor in the lobby. He can pose as a businessman, client or technician. Once inside, he can look for passwords stuck on terminals, find important data lying on desks or overhear confidential conversations. Two other techniques are known for their use by crackers. These are:
• Dumpster Diving – This refers to looking through an organization’s trash for valuable information.
• Shoulder Surfing – Looking over someone’s shoulder to try to see what they are typing as they enter their password.
Once inside, the intruder has a whole menu of tactics to choose from, including wandering the halls of the building looking for the Holy Grail--vacant offices with employees' login names and
passwords attached to their PCs; going to the mail room to insert forged memos (on forms or letterhead recovered from the trash or during an earlier foray) into the corporate mail system; attempting to gain physical access to a server or telephone room to get more information on the systems in use; finding dial-in equipment and noting the telephone numbers (which are probably written on the jacks); placing a protocol analyzer in a wiring closet to capture data, user names, and passwords (remember that when telnet is used with Unix-based systems on the other end, login names and passwords are not encrypted); or simply stealing targeted information.
Example
In 1998, crackers discovered a security lapse in America Online that yielded access to subscriber and AOL staff accounts in at least some instances, giving them free rein to alter or deface company pages or subscriber profiles.
It is said that more than one person--equipped with user information such as screen name, real name, and address--was able to call support lines and persuade some customer service representatives to reset an unsuspecting user's password. The attacker, then armed with a new password, gained exclusive access to the account.
The hacker, who went by the screen name "PhatEndo," convinced an AOL representative that he was the remote staff member who had publishing privileges on the ACLU's AOL site. He got the ACLU’s account by calling AOL, pretending to be the account owner, and having the password reset. What was alarming was that he didn't even give the account owner's name.
Help desk employees should be trained on handling calls from "employees" that come in on outside lines; most PBX systems can identify such calls. Help-desk personnel must be made aware of these indicators and trained to be suspicious of such calls, limiting the information given until the caller is properly identified.
Help-desk staffers should verify the identity of all employees before addressing their problems or questions. One way to do this is to check a company phone book and call the employee back before working with him or her. Another is to assign each employee a personal identification number (PIN) that must be given before support is offered. Calls regarding password changes are a security minefield.
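The three help-desk controls just described (the PBX outside-line indicator, a call-back to the number in the company phone book, and a per-employee PIN) worked through as an added example; this is not EC-Council's code. It assumes the PBX hands the help desk an outside-line flag and that PINs are stored as digests bound to the username. The directory entries, PINs, request types and call records are constructed sample data, and the field names are this example's own.

```python
"""Help-desk identity verification before acting on a support request.

Added example; not EC-Council's code. Models three controls from the module:
the PBX flag for an "employee" calling in on an outside line, a call-back to
the number in the company phone book, and a per-employee PIN. Directory,
PIN store and call records are constructed sample data.
"""
import hashlib
import hmac

# Constructed internal phone book: the help desk calls back THESE extensions,
# never a number the caller supplies.
DIRECTORY = {
    "alice.dxb": {"name": "Alice", "extension": "4412"},
    "bob.smith": {"name": "Bob Smith", "extension": "4470"},
}

def _pin_digest(username: str, pin: str) -> str:
    """Store PINs as digests bound to the username, not in the clear."""
    return hashlib.sha256(f"{username}:{pin}".encode()).hexdigest()

# Constructed PIN store (plain PINs appear here only to build sample data).
PIN_STORE = {
    "alice.dxb": _pin_digest("alice.dxb", "735190"),
    "bob.smith": _pin_digest("bob.smith", "204866"),
}

# The module calls password-related calls a "security minefield": treat these
# request types as high risk (assumed labels).
HIGH_RISK_REQUESTS = {"password_reset", "password_change", "account_access"}

def verify_caller(call: dict) -> dict:
    """Decide whether the help desk may act on a call.

    `call` keys (constructed record): username, request, pin (str or None),
    outside_line (bool, as flagged by the PBX), callback_confirmed (bool: the
    employee answered when the help desk rang the directory extension).
    Returns {'allowed': bool, 'high_risk': bool, 'reasons': [str]}.
    """
    username = call.get("username", "")
    entry = DIRECTORY.get(username)
    if entry is None:
        return {"allowed": False, "high_risk": True,
                "reasons": ["unknown username: nothing to verify against"]}

    reasons = []
    # 1. PBX indicator: an inside "employee" arriving on an outside line.
    if call.get("outside_line"):
        reasons.append("call arrived on an outside line; limit information until verified")

    # 2. Call-back to the directory extension, not to the caller's own number.
    callback_ok = bool(call.get("callback_confirmed"))
    if not callback_ok:
        reasons.append(f"call-back to directory extension {entry['extension']} not confirmed")

    # 3. PIN, compared in constant time against the stored digest.
    supplied = _pin_digest(username, call.get("pin") or "")
    pin_ok = hmac.compare_digest(PIN_STORE.get(username, ""), supplied)
    if not pin_ok:
        reasons.append("PIN missing or does not match")

    high_risk = call.get("request") in HIGH_RISK_REQUESTS
    # Password and access requests need both factors; routine questions need one.
    allowed = (callback_ok and pin_ok) if high_risk else (callback_ok or pin_ok)
    return {"allowed": allowed, "high_risk": high_risk, "reasons": reasons}

if __name__ == "__main__":
    # Constructed call matching the module's scenario: the caller knows only the username.
    print(verify_caller({"username": "alice.dxb", "request": "password_reset",
                         "pin": None, "outside_line": True, "callback_confirmed": False}))
```

The call-back is the control that defeats the scenario on the previous page: whoever phoned in, the help desk only proceeds with the person who answers at the extension listed in its own phone book, and a password reset additionally needs the PIN.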
Example
In June 2000, Larry Ellison, the Oracle chairman, admitted that Oracle had resorted to dumpster diving in an attempt to unearth information about Microsoft in the federal antitrust case. Named ‘larrygate’, this was nothing new in corporate espionage. In 1993, Microsoft had done the same to produce evidence against a company that made pirate copies of its software. While two wrongs don’t make a right, on the cracking scene crackers love to go "trashing" to find documents that help them piece together the structure of the company, provide clues about what kinds of computer systems are used, and most important, obtain the names, titles, and telephone numbers of employees.
Let us look at some of the interesting things a dumpster can yield:
• Company phone books - Knowing whom to call and whom to impersonate are the first steps to gaining access to sensitive data. It helps to have the right names and titles to sound like a legitimate employee. Finding dial-in access numbers is an easy task once a cracker can ascertain the telephone exchange of the company from the phone book.
• Organizational charts; memos; company policy manuals; calendars of meetings, events, and vacations; system manuals; printouts of sensitive data or login names and passwords; printouts of source code; disks and tapes; company letterhead and memo forms; outdated hard drives.
These items provide a wealth of information to crackers. There are countermeasures that keep dumpster diving from yielding useful material.
Use a paper shredder to prevent a cracker from gaining any printed information. Make sure all discarded magnetic media are bulk erased--data can be retrieved from formatted disks and hard drives. Dumpsters should be kept in secured areas.
In a real-life scenario, a private detective agency was able to obtain a classified report from a corporation by resorting to dumpster diving that unearthed a company phone book. With a few phone calls, the team was able to identify the authorized person concerned and to request the report they wanted from the person whose job was to help users get reports.
Company memo forms, also taken from the trash, were used to prepare a properly formatted request (with the help of the unwitting staffer). These were dropped into the company mail during a quick venture into the building by the infiltrator disguised as a courier. Finally, the crackers called the concerned department to let the staff know that the report would be picked up by a courier--who then walked out the door with the multi-thousand-page report. It is important to note that the crackers did not even have to physically access the company's computer systems.
You can prevent this type of activity with some of the following countermeasures:
• Require that all visitors be escorted at all times;
• Instruct employees to report any repair people who show up without being called, and not to grant access to equipment until the workers' identities are established;
• Keep wiring closets, server rooms, phone closets, and other locations containing sensitive equipment locked at all times;
• Keep an inventory of the equipment that is supposed to be in each server room, wiring closet, and so on. Periodically check for extra or missing equipment.
Computer Based Social Engineering
These can be divided into the following broad categories:
• Mail / IM attachments
• Pop-up Windows
• Websites / Sweepstakes
• Spam Mail
At a large e-business enterprise, during an after hours Internet chat session, an employee was
asked for a picture of himself. Although he didn't have one available, he obligingly asked for a
photo from the other party. After a bit of additional encouragement, the other party agreed,
sending an attachment that, in all respects, resembled a JPEG file. Upon accessing the attachment
the hard drive started spinning, and of course, there was no photo.
Fortunately, the employee was sophisticated enough to understand the danger of a Trojan horse
being enclosed, and immediately alerted the IT department, who terminated the Internet
connection. Later investigations revealed that the computer was infected with SubSeven, the most
powerful backdoor at that time. Eventually, the company reinstalled the computer, rolled back to
the day before with a backup tape (losing a full day of online orders), and stayed offline for three
full days overall.
Computer-based social engineering uses software to retrieve information.
Popup Windows – A window appears on the screen telling the user that he has lost his network connection and needs to re-enter his user name and password. A program previously installed by the intruder will then email the information back to a remote site.
Mail Attachments – The use of a topical subject to trigger an emotion which leads to unwitting participation from the target. There are two common forms that may be used. The first involves malicious code, such as that used to create a virus. This code is usually hidden within a file attached to an email. The intention is that an unsuspecting user will click/open the file; for example, the 'IloveYou' virus or the 'Anna Kournikova' worm (the latter is also an example of how social engineers try to hide the file extension by giving the attachment a long file name. In this case, the attachment is named AnnaKournikova.jpg.vbs. If the name is truncated it will look like a jpg file
and the user will not notice the .vbs extension) or, more recently, the 'Vote-A' e-mail worm. The second, equally effective approach involves chain mail and virus hoaxes. These have been designed to clog mail systems by reporting a non-existent virus or competition and requesting the recipient to forward a copy on to all their friends and co-workers. As history has shown, this can create a significant snowball effect once started.
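A defender-side check for the truncated double-extension trick described above (the AnnaKournikova.jpg.vbs case), written here as an added example rather than code from the module. It assumes a mail client that cuts long attachment names at a fixed width; the extension sets and the 20-character display width are assumptions chosen to make the pattern visible, and the sample file names are constructed.

```python
"""Flag attachment names built to disguise their real extension.

Added example; not EC-Council's code. The module's case is
AnnaKournikova.jpg.vbs: a long name whose tail the mail client truncates, so
the user sees ".jpg" and never the ".vbs". The extension sets and the
20-character display width are assumptions chosen to show the pattern.
"""
import os

# Extensions Windows executes directly or hands to a script host (assumed set).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}
# Extensions that read as harmless documents or images (assumed set).
BENIGN_LOOKING_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf", ".xls"}

def extension_chain(filename: str) -> list:
    """'AnnaKournikova.jpg.vbs' -> ['.jpg', '.vbs'] (lower-cased, in order)."""
    name = os.path.basename(filename)
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:] if p]

def assess_attachment(filename: str, display_width: int = 20) -> dict:
    """Return the real extension, what a narrow client would show, and findings."""
    exts = extension_chain(filename)
    true_ext = exts[-1] if exts else ""
    # Simulate a client that cuts long names at `display_width` characters.
    shown = filename if len(filename) <= display_width else filename[:display_width] + "..."
    findings = []
    if true_ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment type {true_ext}")
        if any(e in BENIGN_LOOKING_EXTS for e in exts[:-1]):
            findings.append("double extension: benign-looking extension before the real one")
        if true_ext not in shown.lower():
            findings.append(f"real extension {true_ext} hidden by truncation at {display_width} characters")
    return {"true_extension": true_ext, "displayed_as": shown,
            "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    for name in ("AnnaKournikova.jpg.vbs", "holiday.jpg"):  # constructed sample names
        print(name, "->", assess_attachment(name))
```

The decision key is the last extension, which is the only one the operating system acts on; everything before it is just part of the name. A mail gateway that applies this check can block or quarantine on the first finding alone, and the truncation finding is what shows an analyst why a user would have seen a harmless-looking ".jpg".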
Websites – A ruse used to get an unwitting user to disclose potentially sensitive data, such as the password they use at work. For example, a website may promote a fictitious competition or promotion which requires a user to enter a contact email address and password. The password entered may very well be similar to the password used by the individual at work. A common trick is to offer something free or a chance to win a sweepstakes on a website. Many employees will enter the same password that they use at work, so the social engineer now has a valid user name and password to enter an organization’s network.
Reverse Social Engineering
A more advanced method of gaining illicit information is known as "reverse social engineering".
This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around.
The three parts of reverse social engineering attacks are sabotage, advertising and assisting.
Generally, reverse social engineering is the most difficult to carry out. This is primarily because it takes a lot of preparation and skill to execute.
The social engineer will assume the role of a person of authority and have the employees ask him for information. The hacker usually manipulates the types of questions asked so he can draw out the information required. First the social engineer will cause some incident that creates a problem, then present himself as the solver of the problem, and through general conversation he encourages employees to ask questions as well. As an example, an employee may ask how this problem has affected particular files, servers or equipment. This provides pertinent information to the social engineer. A lot of different skills and experience are required to carry this tactic off well.
Sabotage - After gaining simple access, the attacker either corrupts the workstation or gives it the appearance of being corrupted. The user of the system discovers the problem and tries to seek help.
Marketing - In order to ensure the user calls the attacker, the attacker must advertise. The attacker can do this either by leaving their business cards around the target's office and/or by placing their contact number on the error message itself.
Support - Finally, the attacker assists with the problem, ensuring that the user remains unsuspicious while the attacker obtains the information they require.
The "My Party" e-mail worm is an example of a "reverse social engineering" virus. Reverse social
engineering viruses do not rely on sensational subject lines, such as AnnaKournikova or Naked
Wife, to tempt users. Instead, reverse social engineering viruses use innocuous sounding subject
lines and realistic attachment names.
Policies and Procedures
Policy is the most critical component of any information security program.
Good policies and procedures are not effective if they are not taught and reinforced to the employees.
They need to be taught in a way that emphasizes their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies.
No software or hardware security solution can truly secure a corporate computing environment unless there is a sound security policy. Policies such as an acceptable use policy and an Internet use policy should be clearly articulated to the users. The security policy sets the standards and the level of security a corporate network will have. It also gives the network a security posture that can serve as a benchmark.
This is even more critical when the security policy is formulated keeping in mind the threat the network faces from social engineering. The security policy can provide guidelines to users who are in a quandary when confronted by a cracker's con. The policy can direct users on whether or not certain information may be given out. This should be well defined in advance by people who have seriously contemplated the value of such information.
Increasing employee confidence by laying out clear policies decreases the chance of the attacker wielding undue influence over an employee. The security policy must address a number of areas in order to be a foundation for social engineering resistance, such as information access controls, setting up accounts, access approval and password changes. It should also deal with locks, IDs, paper shredding, and escorting of visitors. The policy must have discipline built in and, above all, it must be enforced. The policies have a balancing effect in that a user who has been charmed by the cracker will not go out of his way and assume a different role when interacting with the cracker in person or on the phone.
The policy also assigns responsibility for information or access that is given out, so that there is no question as to the employee's own risk when giving away privileged information or access. The users must be able to recognize what kind of information a social engineer can use and what kinds of conversations should be considered suspicious. Users must be able to identify confidential information and understand their responsibility towards protecting it. They also need to know when and how to refuse information to an inquirer, with the assurance of management backing.
Security Policies - Checklist
Account Setup
Password change policy
Help desk procedures
Access Privileges
Violations
Employee identification
Privacy Policy
Paper documents
Modems
Physical Access Restrictions
Virus control
• Account Setup: There should be an appropriate security policy that new employees can familiarize themselves with regarding their responsibility and use of the computing infrastructure.
• Password change policy: The password policy should explicitly state that employees are required to use strong passwords and are encouraged to change them frequently. They should be made aware of the security implications in case their password is stolen or copied through their mishandling of its storage.
• Help Desk procedures: There must be a standard procedure for employee verification before the help desk is allowed to give out passwords. A caller ID system on the phone is a good start, so the help desk can identify where the call originates. The procedure could also require that the help desk call the employee back to verify his location. Another method would be to maintain an item of information that the employee would be required to know before the password was given out. Some organizations do not allow any passwords to be given out over the phone. The help desk must also know who to contact in case of security emergencies.
• Access Privileges: There should be a specific procedure in place for how access is granted to various parts of the network. The procedure should state who is authorized to approve access and who can approve any exceptions.
• Violations: There should be a procedure for employees to use to report any violations of policy. They should be encouraged to report any suspicious activity and assured that they will be supported for reporting violations.
• Employee Identification: One way is to require employees to wear picture ID badges. Any guest should be required to register and wear a temporary ID badge while in the building. Employees should be encouraged to challenge anyone without a badge.
• Privacy Policy: Company information should be protected. A policy should be in place stating that no one is to give out any more information than is necessary. A good policy would be to refer all surveys to a designated person. The policy should also contain procedures for escalating the request if someone is asking for more information than the employee is authorized to provide.
• Paper Documents: All confidential documents should be shredded.
• Modems: Modems attached to individual computers are a major security risk because they do not go through the firewall. Policy should not allow any modems attached to a network computer.
• Physical Access Restriction: Sensitive areas should be physically protected with limited access. Doors should be locked and access only granted to employees with a business need.
• Virus Control: Established procedures should be in place to take action and prevent the spread of any real viruses.
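As an added example of the help-desk verification procedure in the checklist above (this is not EC-Council's code; the directory, phone numbers, verification items and policy flags are constructed), the following verifier applies the caller-ID, call-back and known-item checks, supports the "no passwords over the phone" variant, records every decision for review, and escalates repeated failures from one number to the security contact:

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _hash_item(item: str, salt: str) -> str:
    """Salted SHA-256 of the verification item, so the item itself is never stored."""
    return hashlib.sha256((salt + item).encode("utf-8")).hexdigest()


# Constructed sample directory: phone number of record and the hashed
# verification item each employee registered in advance (hypothetical data).
DIRECTORY = {
    "E1001": {"phone": "+1-555-0100", "salt": "s1", "item_hash": _hash_item("blue-kite-42", "s1")},
    "E1002": {"phone": "+1-555-0101", "salt": "s2", "item_hash": _hash_item("river-stone-7", "s2")},
}


@dataclass
class Policy:
    passwords_over_phone: bool = True  # False models organisations that never give passwords by phone
    require_callback: bool = True      # agent must call the number of record back
    max_failures_per_number: int = 3   # repeated failures from one number -> alert security contact


@dataclass
class Request:
    employee_id: str
    caller_id: Optional[str]      # number reported by the phone system, if any
    callback_confirmed: bool      # agent reached the employee at the directory number
    item_given: Optional[str]     # verification item stated by the caller


@dataclass
class Verifier:
    policy: Policy
    failures: dict = field(default_factory=dict)  # caller number -> failed attempts
    audit: list = field(default_factory=list)     # every decision, for later review
    alerts: list = field(default_factory=list)    # escalations to the security contact

    def _evaluate(self, req: Request):
        if not self.policy.passwords_over_phone:
            return "REFER", "policy: passwords are never given out over the phone"
        entry = DIRECTORY.get(req.employee_id)
        if entry is None:
            return "DENY", "employee id not in directory"
        caller_id_matches = req.caller_id == entry["phone"]
        # Caller ID is only a first filter; a mismatched or absent caller ID is
        # acceptable only if the agent has called the number of record back.
        if not caller_id_matches and not req.callback_confirmed:
            return "DENY", "caller ID does not match number of record and no callback"
        if self.policy.require_callback and not req.callback_confirmed:
            return "DENY", "callback to number of record not confirmed"
        if req.item_given is None or not hmac.compare_digest(
            _hash_item(req.item_given, entry["salt"]), entry["item_hash"]
        ):
            return "DENY", "verification item incorrect"
        return "ALLOW", "caller verified; proceed with the normal reset procedure"

    def check(self, req: Request):
        """Evaluate one request, record it, and escalate repeated denials."""
        decision, reason = self._evaluate(req)
        self.audit.append((req.employee_id, req.caller_id, decision, reason))
        if decision == "DENY":
            key = req.caller_id or "unknown"
            self.failures[key] = self.failures.get(key, 0) + 1
            if self.failures[key] == self.policy.max_failures_per_number:
                self.alerts.append(
                    f"{key}: {self.failures[key]} failed verifications, "
                    "possible social engineering attempt; notify security contact"
                )
        return decision, reason


if __name__ == "__main__":
    v = Verifier(Policy())
    print(v.check(Request("E1001", "+1-555-0100", True, "blue-kite-42")))
    print(v.check(Request("E1001", "+1-555-0999", False, "blue-kite-42")))
```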
Summary
• Social Engineering is the human side of breaking into a corporate network.
• Social Engineering involves acquiring sensitive information or inappropriate access
privileges by an outsider.
• Human-based Social Engineering refers to person to person interaction to retrieve the
desired information.
• Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
• A successful defense depends on having good policies in place and diligent
implementation.

More Related Content

What's hot

Cyber law by pravin ghosekar
Cyber law by pravin ghosekarCyber law by pravin ghosekar
Cyber law by pravin ghosekarPravinGhosekar
 
BYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereBYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereJim Brashear
 
Rainer+3e Student Pp Ts Ch03
Rainer+3e Student Pp Ts Ch03Rainer+3e Student Pp Ts Ch03
Rainer+3e Student Pp Ts Ch03kbzdox ivanovich
 
Cybersecurity tips for employees
Cybersecurity tips for employeesCybersecurity tips for employees
Cybersecurity tips for employeesPriscila Bernardes
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & ForensicsHarshita Ved
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & ForensicsHarshita Ved
 
Case Study On Social Engineering Techniques for Persuasion Full Text
Case Study On Social Engineering Techniques for Persuasion   Full Text Case Study On Social Engineering Techniques for Persuasion   Full Text
Case Study On Social Engineering Techniques for Persuasion Full Text graphhoc
 
Securing Cloud Using Fog: A Review
Securing Cloud Using Fog: A ReviewSecuring Cloud Using Fog: A Review
Securing Cloud Using Fog: A ReviewIRJET Journal
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
MIS 21 Security and Ethical Challenges
MIS 21 Security and Ethical ChallengesMIS 21 Security and Ethical Challenges
MIS 21 Security and Ethical ChallengesTushar B Kute
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & ForensicsHarshita Ved
 
issue and trend in integrative media
issue and trend in integrative mediaissue and trend in integrative media
issue and trend in integrative mediaAnies Syahieda
 
Overview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOlivier Busolini
 
Julius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers MiserableJulius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers MiserableJulius Clark, CISSP, CISA
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires SuperhumansDinesh O Bareja
 

What's hot (20)

Cyber law by pravin ghosekar
Cyber law by pravin ghosekarCyber law by pravin ghosekar
Cyber law by pravin ghosekar
 
BYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data EverywhereBYOD - Bringing Technology to work | Sending Data Everywhere
BYOD - Bringing Technology to work | Sending Data Everywhere
 
Cybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. InternetCybertort Imp Slides For Pub. Internet
Cybertort Imp Slides For Pub. Internet
 
Bi
BiBi
Bi
 
Rainer+3e Student Pp Ts Ch03
Rainer+3e Student Pp Ts Ch03Rainer+3e Student Pp Ts Ch03
Rainer+3e Student Pp Ts Ch03
 
Cybersecurity tips for employees
Cybersecurity tips for employeesCybersecurity tips for employees
Cybersecurity tips for employees
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & Forensics
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & Forensics
 
Case Study On Social Engineering Techniques for Persuasion Full Text
Case Study On Social Engineering Techniques for Persuasion   Full Text Case Study On Social Engineering Techniques for Persuasion   Full Text
Case Study On Social Engineering Techniques for Persuasion Full Text
 
Securing Cloud Using Fog: A Review
Securing Cloud Using Fog: A ReviewSecuring Cloud Using Fog: A Review
Securing Cloud Using Fog: A Review
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
MIS 21 Security and Ethical Challenges
MIS 21 Security and Ethical ChallengesMIS 21 Security and Ethical Challenges
MIS 21 Security and Ethical Challenges
 
02 presentation-christianprobst
02 presentation-christianprobst02 presentation-christianprobst
02 presentation-christianprobst
 
Cyber Law & Forensics
Cyber Law & ForensicsCyber Law & Forensics
Cyber Law & Forensics
 
issue and trend in integrative media
issue and trend in integrative mediaissue and trend in integrative media
issue and trend in integrative media
 
Overview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in CybersecurityOverview of Artificial Intelligence in Cybersecurity
Overview of Artificial Intelligence in Cybersecurity
 
An overview of cyberimes
An overview of cyberimesAn overview of cyberimes
An overview of cyberimes
 
Mis3rd
Mis3rdMis3rd
Mis3rd
 
Julius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers MiserableJulius Clark is Making Criminal Hackers Miserable
Julius Clark is Making Criminal Hackers Miserable
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires Superhumans
 

Similar to Module 9 (social engineering)

Ceh v5 module 09 social engineering
Ceh v5 module 09 social engineeringCeh v5 module 09 social engineering
Ceh v5 module 09 social engineeringVi Tính Hoàng Nam
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsRwik Kumar Dutta
 
- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdf- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdfRamya Nellutla
 
Unlocking the Hidden Potential
Unlocking the Hidden PotentialUnlocking the Hidden Potential
Unlocking the Hidden PotentialEricaCiko
 
Hackingppt 160730081605
Hackingppt 160730081605Hackingppt 160730081605
Hackingppt 160730081605RAKESH SHARMA
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyRussell Publishing
 
Ehtical hacking speech
Ehtical hacking speechEhtical hacking speech
Ehtical hacking speechtalhaabid
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security Lokender Yadav
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hackingsamprada123
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-studyhomeworkping4
 
Engineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptxEngineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptxprosunghosh7
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING ijmvsc
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyHamisi Kibonde
 

Similar to Module 9 (social engineering) (20)

Ethical Hacking Essay
Ethical Hacking EssayEthical Hacking Essay
Ethical Hacking Essay
 
Ceh v5 module 09 social engineering
Ceh v5 module 09 social engineeringCeh v5 module 09 social engineering
Ceh v5 module 09 social engineering
 
Ethical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its ProspectsEthical Hacking, Its relevance and Its Prospects
Ethical Hacking, Its relevance and Its Prospects
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdf- Social Engineering Unit- II Part- I.pdf
- Social Engineering Unit- II Part- I.pdf
 
Unlocking the Hidden Potential
Unlocking the Hidden PotentialUnlocking the Hidden Potential
Unlocking the Hidden Potential
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Hackingppt 160730081605
Hackingppt 160730081605Hackingppt 160730081605
Hackingppt 160730081605
 
Security
SecuritySecurity
Security
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Ehtical hacking speech
Ehtical hacking speechEhtical hacking speech
Ehtical hacking speech
 
Hacking ppt
Hacking pptHacking ppt
Hacking ppt
 
Ethical Hacking & Network Security
Ethical Hacking & Network Security Ethical Hacking & Network Security
Ethical Hacking & Network Security
 
Cyber_security_.pdf
Cyber_security_.pdfCyber_security_.pdf
Cyber_security_.pdf
 
Final report ethical hacking
Final report ethical hackingFinal report ethical hacking
Final report ethical hacking
 
61370436 main-case-study
61370436 main-case-study61370436 main-case-study
61370436 main-case-study
 
Engineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptxEngineering report ca2_Kritakbiswas.pptx
Engineering report ca2_Kritakbiswas.pptx
 
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
USER AWARENESS MEASUREMENT THROUGH SOCIAL ENGINEERING
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
 

More from Wail Hassan

Physical appearance of the prophet muhammed pbuh
Physical appearance of the prophet muhammed pbuhPhysical appearance of the prophet muhammed pbuh
Physical appearance of the prophet muhammed pbuhWail Hassan
 
Ar raheeq al-makhtum
Ar raheeq al-makhtumAr raheeq al-makhtum
Ar raheeq al-makhtumWail Hassan
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)Wail Hassan
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)Wail Hassan
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Wail Hassan
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)Wail Hassan
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)Wail Hassan
 
Module 16 (virus)
Module 16 (virus)Module 16 (virus)
Module 16 (virus)Wail Hassan
 
Module 15 (hacking wireless networks)
Module 15 (hacking wireless networks)Module 15 (hacking wireless networks)
Module 15 (hacking wireless networks)Wail Hassan
 
Module 14 (sql injection)
Module 14 (sql injection)Module 14 (sql injection)
Module 14 (sql injection)Wail Hassan
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Wail Hassan
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)Wail Hassan
 
Module 10 (session hijacking)
Module 10 (session hijacking)Module 10 (session hijacking)
Module 10 (session hijacking)Wail Hassan
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)Wail Hassan
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)Wail Hassan
 
Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Wail Hassan
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)Wail Hassan
 
Module 2 (footprinting)
Module 2 (footprinting)Module 2 (footprinting)
Module 2 (footprinting)Wail Hassan
 

More from Wail Hassan (20)

Physical appearance of the prophet muhammed pbuh
Physical appearance of the prophet muhammed pbuhPhysical appearance of the prophet muhammed pbuh
Physical appearance of the prophet muhammed pbuh
 
Ar raheeq al-makhtum
Ar raheeq al-makhtumAr raheeq al-makhtum
Ar raheeq al-makhtum
 
Module 21 (cryptography)
Module 21 (cryptography)Module 21 (cryptography)
Module 21 (cryptography)
 
Module 20 (buffer overflows)
Module 20 (buffer overflows)Module 20 (buffer overflows)
Module 20 (buffer overflows)
 
Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)Module 19 (evading ids, firewalls and honeypots)
Module 19 (evading ids, firewalls and honeypots)
 
Module 18 (linux hacking)
Module 18 (linux hacking)Module 18 (linux hacking)
Module 18 (linux hacking)
 
Module 17 (novell hacking)
Module 17 (novell hacking)Module 17 (novell hacking)
Module 17 (novell hacking)
 
Module 16 (virus)
Module 16 (virus)Module 16 (virus)
Module 16 (virus)
 
Module 15 (hacking wireless networks)
Module 15 (hacking wireless networks)Module 15 (hacking wireless networks)
Module 15 (hacking wireless networks)
 
Module 14 (sql injection)
Module 14 (sql injection)Module 14 (sql injection)
Module 14 (sql injection)
 
Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)Module 13 (web based password cracking techniques)
Module 13 (web based password cracking techniques)
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Module 11 (hacking web servers)
Module 11 (hacking web servers)Module 11 (hacking web servers)
Module 11 (hacking web servers)
 
Module 10 (session hijacking)
Module 10 (session hijacking)Module 10 (session hijacking)
Module 10 (session hijacking)
 
Module 7 (sniffers)
Module 7 (sniffers)Module 7 (sniffers)
Module 7 (sniffers)
 
Module 8 (denial of service)
Module 8 (denial of service)Module 8 (denial of service)
Module 8 (denial of service)
 
Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)Module 6 (trojans and backdoors)
Module 6 (trojans and backdoors)
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Module 3 (scanning)
Module 3 (scanning)Module 3 (scanning)
Module 3 (scanning)
 
Module 2 (footprinting)
Module 2 (footprinting)Module 2 (footprinting)
Module 2 (footprinting)
 

Recently uploaded

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 

Recently uploaded (20)

Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 

Module 9 (social engineering)

3. What is Social Engineering?

Social engineering is the human side of breaking into a corporate network. Companies with authentication processes, firewalls, virtual private networks and network monitoring software are still wide open to attacks. An employee may unwittingly give away key information in an email, by answering questions over the phone with someone they don't know, or even by talking about a project with co-workers at a local pub after hours.

It is said that security is only as strong as the weakest link. Social engineering is the human side of breaking into a corporate network. It need not be restricted to corporate networks alone, though that is where the impact is felt most strongly. It does not matter if an enterprise has invested in high-end infrastructure and security solutions such as complex authentication processes, firewalls, VPNs and network monitoring software if an employee unwittingly gives away key information in an email, answers questions over the phone from a stranger or new acquaintance, or brags about a project with co-workers at a local pub after hours. Most often, people are not even aware of the security lapse they have made, albeit inadvertently. Crackers take special interest in developing social engineering skills and can be so proficient that their victims do not even realize that they have been scammed.

Despite having security policies in place, organizations are compromised because this form of attack preys on the human impulse to be kind and helpful. People have been conditioned not to be overly suspicious, so they associate certain behaviour and appearance with known entities. For instance, on seeing a man dressed in brown stacking a whole bunch of boxes on a cart, people will hold the door open because they think he is the delivery man.

Attackers are always looking for new ways to get information. They make sure they know the perimeter and the people on the perimeter (security guards, receptionists and help desk workers) in order to exploit human oversight. Some companies list employees by title and give their phone number and email address on the corporate web site. Alternatively, a corporation may put advertisements in the paper for high-tech workers trained on Oracle databases or UNIX servers. These little bits of information help crackers know what kind of system they are tackling.
4. Art of Manipulation

Social engineering is the acquisition of sensitive information or inappropriate access privileges by an outsider, based upon the building of inappropriate trust relationships with outsiders. The goal of a social engineer is to trick someone into providing valuable information or access to that information. It preys on qualities of human nature, such as the desire to be helpful, the tendency to trust people and the fear of getting into trouble.

Social engineering is the art and science of getting people to comply with a cracker's wishes. It is not a form of mind control, and it does not allow the cracker to get people to perform tasks wildly outside their normal behaviour. Above all, it is not foolproof. Yet this is the way most crackers get a foot in the door of a corporation.

There are two terms of interest here:
• Social engineering is hacker jargon for getting needed information from a person rather than by breaking into a system.
• Psychological subversion is the term for using social engineering over an extended period of time to maintain a continuing stream of information and help from unsuspecting users.

Let us look at a sample scenario.

Cracker: "Good morning Ma'am, I am Bob, I would like to speak with Ms. Alice."
Alice: "Hello, I am Alice."
Cracker: "Good morning Ma'am, I am calling from the data center, I am sorry I am calling you so early..."
Alice: "Uh, data center office, well, I was having breakfast, but it doesn't matter."
Cracker: "I was able to call you because of the personal data form you filled in when creating your account." (with an eye-blinking tone)
5. (continued)

Alice: "My pers... oh, yes."
Cracker: "I have to inform you that we had a mail server crash tonight, and we are trying to restore all corporate users' mail. Since you are a remote user, we are clearing your problems first."
Alice: "A crash? Is my mail lost?"
Cracker: "Oh no, Ma'am, we can restore it. But, since we are data center employees, and we are not allowed to mess with the corporate office users' mail, we need your password; otherwise we cannot take any action." (first try, probably unsuccessful)
Alice: "Er, my password? Well..."
Cracker: "Yes, I know, you have read in the license agreement that we will never ask for it, but it was written by the legal department, you know, all law stuff for compliance." (effort to gain the victim's trust)
Cracker: "Your username is AliceDxb, isn't it? The corporate sys dept gave us your username and telephone, but, as smart as they are, not the password. See, without your password nobody can access your mail, even we at the data center. But we have to restore your mail, and we need access. You can be sure we will not use your password for anything else; well, we will forget it." (smiling)
Alice: "Well, it's not so secret (also smiling! It's amazing...), my pass is xxxxxx."
Cracker: "Thank you very much, Ma'am. We will restore your mail in a few minutes."
Alice: "But no mail is lost, is it?"
Cracker: "Absolutely, Ma'am. You should not experience any problems, but do not hesitate to contact us just in case. You will find contact numbers on the intranet."
Alice: "Thanks, you are very efficient, goodbye."
Cracker: "Goodbye."
6. Human Weakness

People are usually the weakest link in the security chain. A successful defense depends on having good policies in place and educating employees to follow the policies. Social engineering is the hardest form of attack to defend against because it cannot be defended with hardware or software alone.

Social engineering concentrates on the weakest link of the computer security chain. It is often said that the only secure computer is an unplugged one. The fact that you could persuade someone to plug it in and switch it on means that even powered-down computers are vulnerable. Anyone with access to any part of the system, physically or electronically, is a potential security risk. Any information that can be gained may be used for social engineering further information. This means that even people not considered part of a security policy can be used to cause a security breach.

Security professionals are constantly told that security through obscurity is very weak security. In the case of social engineering it is no security at all: it is impossible to obscure the fact that humans use the system or that they can influence it.

Several methods can be used to steer an individual towards completing a desired task. The first and most obvious is simply a direct request, where an individual is asked to complete the task directly. Although least likely to succeed, this is the easiest and most straightforward method; the individual knows exactly what is wanted of them. The second is by creating a contrived situation of which the individual is simply a part. With more factors than just the request to consider, the individual concerned is far more likely to be persuaded, because the cracker can create reasons for compliance other than purely personal ones. This involves far more work for the person making the attempt at persuasion, and almost certainly involves gaining extensive knowledge of the 'target'. This does not mean that situations do not have to be based in fact; the fewer untruths the better. One of the essential tools used for social engineering is a good memory for gathered facts. This is something that hackers and sysadmins tend to excel in, especially when it comes to facts relating to their field.
7. Common Types of Social Engineering

Social engineering can be broken into two types: human based and computer based.
1. Human-based social engineering refers to person-to-person interaction to retrieve the desired information.
2. Computer-based social engineering refers to having computer software that attempts to retrieve the desired information.

Social engineering can be broadly divided into two types: human based and computer based. Human-based social engineering involves human interaction in one manner or another. Computer-based social engineering depends on software to carry out the task at hand.

Gartner notes six human behaviours that produce a positive response to social engineering. Corroborate this with the traits discussed in module one of the course.
• Reciprocation: Someone is given a "token" and feels compelled to take action. You buy the wheel of cheese when given a free sample.
• Consistency: Certain behaviour patterns are consistent from person to person. If you ask a question and wait, people will be compelled to fill the pause.
• Social Validation: Someone is compelled to do what everyone else is doing. Stop in the middle of a busy street and look up; people will eventually stop and do the same.
• Liking: People tend to say yes to those they like, and also to attractive people. Attractive models are used in advertising.
• Authority: People tend to listen to and heed the advice of those in a position of authority. "Four out of five doctors recommend...."
• Scarcity: If something is in low supply, it becomes more "precious" and, therefore, more appealing. Furbies or the Sony PlayStation 2.
Source: Gartner Research
8. The social engineering cycle can be seen as four distinct phases:
• Information Gathering
• Development of Relationship
• Exploitation of Relationship
• Execution to Achieve Objective
9. Human Based - Impersonation

Human-based social engineering techniques can be broadly categorized into:
• Impersonation
• Posing as an Important User
• Third-person Approach
• Technical Support
• In Person
  • Dumpster Diving
  • Shoulder Surfing

Impersonation: This is a popular social engineering technique, often seen depicting the cracker impersonating an employee and resorting to an out-of-the-ordinary method to gain access to privileges. It is not the only portrayal, though. Other examples include a 'friend' of an employee accosting a colleague to retrieve information needed by the employee on his sick bed, and using it for further social engineering. There is a well-recognized rule in social interactions that a favour begets a favour, even if it were offered without any request from the recipient. This truth is known as reciprocation. Reciprocation is seen constantly in the corporate environment: an employee will help out another with the expectation that, eventually, the favour will be returned. Social engineers try to take advantage of this social trait in impersonation. The possibilities are endless and only limited by imagination. Few employees question a personal visit from a repairman, IS support person, contractor or cleaning person. These ruses have also been used in the past as a disguise to gain physical access. A great deal of information can be gleaned from the tops of desks, the trash, or even phone directories and nameplates.

Important User: Impersonation is taken to a higher degree by assuming the identity of an important employee in order to add an element of intimidation. The reciprocation factor also plays a role, in that a lower-level employee will go out of the way to help a higher-level employee so that the favour earns him the attention he needs to get ahead in the corporate environment. Another behavioural trigger that aids a social engineer is the implicit tendency not to question authority. People will do an out-of-turn routine for someone whom they perceive to be in authority. A cracker posing as an important user (such as a vice president or director) can very easily manipulate an employee who has not been prepared. This trigger assumes greater significance given that it is considered a challenge even to verify the legitimacy of the authority. This lack of perspective by employees makes it easy for anyone willing to misrepresent himself or herself as an authority figure. For example, a help desk employee is less likely to turn down the request of a vice president who says he has very little time to get some important information he needs for a meeting and needs to access resources. The social engineer uses authority to intimidate, or may even threaten to report the employee to their supervisor if they do not provide the information required.

Third-party Authorization: Another popular social engineering technique is for the cracker to present himself to a resource claiming that he has the approval of the designated authority. For instance, on knowing who is responsible for granting access to the desired information, the cracker might keep tabs on him and use his absence as leverage to access resources. He might approach the help desk or other personnel claiming he has approval to access information. This can be particularly effective if the person is on vacation or out of town, where verification is not instantly possible. People have a tendency to follow through with commitments in the workplace, even if they are suspicious that the request may not have been legitimate. This tendency is so strong that people will fulfil commitments that they believe were made by their fellow employees. People also have a tendency to believe that others are expressing their true attitudes when they make a statement. Unless there is strong evidence to the contrary, people will believe that the person with whom they are talking is telling the truth about what they feel or need.

Passing off as Technical Support: An often-used tactic, especially when the victim is not proficient in technical areas. The cracker may pose as a hardware vendor, technician or computer-related supplier and approach the victim. One demonstration at a hacker meet had the speaker calling up Starbucks and asking the employee if his broadband connection was working fine. The perplexed employee replied that it was the modem that was giving them trouble. The hacker went on to make him read out the credit card number of the last transaction, without giving any credentials. In the corporate scenario, the cracker may ask employees to part with their login information, including the password, to sort out a non-existent problem.

In Person: The cracker might actually visit the target site and physically survey it for information. He may disguise himself as a courier, janitor or mailman, or even hang out as a visitor in the lobby. He can pose as a businessman, client or technician. Once inside, he can look for passwords stuck on terminals, find important data lying on desks, or overhear confidential conversations. Two other techniques are known for their use by crackers:
• Dumpster Diving: Looking through an organization's trash for valuable information.
• Shoulder Surfing: Looking over someone's shoulder to try to see what they are typing as they enter their password.

Once inside, the intruder has a whole menu of tactics to choose from, including wandering the halls of the building looking for the Holy Grail (vacant offices with employees' login names and passwords attached to their PCs); going to the mail room to insert forged memos (on forms or letterhead recovered from the trash or during an earlier foray) into the corporate mail system; attempting to gain physical access to a server or telephone room to get more information on the systems in use; finding dial-in equipment and noting the telephone numbers (which are probably written on the jacks); placing a protocol analyzer in a wiring closet to capture data, user names and passwords (remember that when telnet is used with Unix-based systems on the other end, login names and passwords are not encrypted); or simply stealing targeted information.
12. Example

In 1998, crackers discovered a security lapse in America Online that yielded access to subscriber and AOL staff accounts in at least some instances, giving them free rein to alter or deface company pages or subscriber profiles. It is said that more than one person, equipped with user information such as screen name, real name and address, was able to call support lines and persuade some customer service representatives to reset an unsuspecting user's password. The attacker, armed with a new password, then gained exclusive access to the account. The hacker, who went by the screen name "PhatEndo", convinced an AOL representative that he was the remote staff member who had publishing privileges on the ACLU's AOL site. He got the ACLU's account by calling AOL, pretending to be the account owner, and having the password reset. What was alarming was that he didn't even give the account owner's name.

Help desk employees should be trained in attending to calls from "employees" that come in on outside lines. Such calls can be identified by most PBX systems. Help desk personnel must be made aware of these indicators and trained to be suspicious of such calls, limiting the information given until the caller is properly identified. Help desk staff should verify the identity of all employees before addressing their problems or questions. One way to do this is to check a company phone book and call the employee back before working with him or her. Another is to assign each employee a personal identification number (PIN) that must be given before support is offered. Calls regarding password changes are a security minefield.
13. Example

In June 2000, Larry Ellison, the Oracle chairman, admitted that Oracle had resorted to dumpster diving in an attempt to unearth information about Microsoft in the federal antitrust case. Named 'larrygate', this was nothing new in corporate espionage: in 1993, Microsoft had done the same to produce evidence against a company that made pirate copies of its software. Two wrongs don't make a right, but on the cracking scene, crackers love to go "trashing" to find documents that help them piece together the structure of the company, provide clues about what kinds of computer systems are used, and, most important, obtain the names, titles and telephone numbers of employees.

Let us look at some of the interesting things a dumpster can yield:
• Company phone books: Knowing whom to call and whom to impersonate are the first steps to gaining access to sensitive data. It helps to have the right names and titles to sound like a legitimate employee. Finding dial-in access numbers is an easy task when a cracker can ascertain the telephone exchange of the company from the phone book.
• Organizational charts; memos; company policy manuals; calendars of meetings, events and vacations; system manuals; printouts of sensitive data or login names and passwords; printouts of source code; disks and tapes; company letterhead and memo forms; outdated hard drives. These items provide a wealth of information to crackers.

There are some countermeasures against dumpster diving yielding useful material.
14. (continued)

• Use a paper shredder to prevent a cracker from gaining any printed information.
• Make sure all discarded magnetic media is bulk erased; data can be retrieved from formatted disks and hard drives.
• Dumpsters should be kept in secured areas.

In a real-life scenario, a private detective agency was able to obtain a classified report from a corporation by resorting to dumpster diving, which unearthed a company phone book. With a few phone calls, the team was able to identify the person authorized, and to request the report they wanted from the person whose job was to help users get reports. Company memo forms, also taken from the trash, were used to prepare a properly formatted request (with the help of the unwitting staffer). These were dropped into the company mail during a quick venture into the building by the infiltrator disguised as a courier. Finally, the crackers called the department concerned to let the staff know that the report would be picked up by a courier, who then walked out the door with the multi-thousand-page report. It is important to note that the crackers did not even have to physically access the company's computer systems.

You can prevent this type of activity with some of the following countermeasures:
• Require that all visitors be escorted at all times.
• Instruct employees to report any repair people who show up without being called, and not to grant access to equipment until the workers' identities are established.
• Keep wire closets, server rooms, phone closets and other locations containing sensitive equipment locked at all times.
• Keep an inventory of the equipment that is supposed to be in each server room, wire closet and so on. Periodically check for extra or missing equipment.
15. Computer Based Social Engineering

These can be divided into the following broad categories:
• Mail / IM attachments
• Pop-up windows
• Websites / sweepstakes
• Spam mail

At a large e-business enterprise, during an after-hours Internet chat session, an employee was asked for a picture of himself. Although he didn't have one available, he obligingly asked for a photo from the other party. After a bit of additional encouragement, the other party agreed, sending an attachment that, in all respects, resembled a JPEG file. Upon accessing the attachment the hard drive started spinning, and of course, there was no photo. Fortunately, the employee was sophisticated enough to understand the danger of an enclosed Trojan horse, and immediately alerted the IT department, who terminated the Internet connection. Later investigation revealed that the computer was infected with SubSeven, the most powerful backdoor at that time. Eventually, the company reinstalled the computer, rolled back to the day before with a backup tape (losing a full day of online orders), and stayed offline for three full days overall.

Computer-based social engineering uses software to retrieve information.

Pop-up Windows: A window appears on the screen telling the user that he has lost his network connection and needs to re-enter his user name and password. A program previously installed by the intruder then emails the information back to a remote site.

Mail Attachments: The use of a topical subject to trigger an emotion which leads to unwitting participation from the target. There are two common forms. The first involves malicious code, such as that used to create a virus. This code is usually hidden within a file attached to an email. The intention is that an unsuspecting user will click/open the file; examples are the 'ILOVEYOU' virus and the 'Anna Kournikova' worm (the latter is also an example of how social engineers try to hide the file extension by giving the attachment a long file name: the attachment is named AnnaKournikova.jpg.vbs, and if the name is truncated it will look like a JPG file and the user will not notice the .vbs extension), or more recently the 'Vote-A' email worm. The second, equally effective, approach involves chain mail and virus hoaxes. These are designed to clog the mail system by reporting a non-existent virus or competition and requesting the recipient to forward a copy to all their friends and co-workers. As history has shown, this can create a significant snowball effect once started.

Websites: A ruse used to get an unwitting user to disclose potentially sensitive data, such as the password they use at work. For example, a website may promote a fictitious competition or promotion which requires a user to enter a contact email address and password. The password entered may very well be similar to the password used by the individual at work. A common trick is to offer something free or a chance to win a sweepstakes on a website. Many employees will enter the same password that they use at work, so the social engineer now has a valid user name and password to enter an organization's network.
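The hidden-extension trick in the AnnaKournikova.jpg.vbs case is something a mail gateway can screen for mechanically. The following is an added example, not code from this module or from EC-Council: a small attachment-name check that reports an executable extension, a decoy data extension placed before it, whitespace padding inside the name, and whether the real extension would still be visible once a narrow mail-client column truncates the name. The extension lists, the 20-character display width and the file names used are constructed assumptions for the example.

```python
"""Attachment-name screening for the double-extension trick.

Added example (not EC-Council's code): a mail-gateway style check that flags
attachments whose displayed name hides an executable extension, as the
AnnaKournikova.jpg.vbs attachment described above does. All file names,
extension lists and the display width here are constructed for the example.
"""
from __future__ import annotations

import os

# Extensions that a Windows client will execute when the attachment is
# opened. Constructed, deliberately non-exhaustive list.
EXECUTABLE_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe", ".scr",
    ".pif", ".com", ".bat", ".cmd", ".hta", ".lnk",
}

# Extensions a user expects to be harmless data; used to spot a decoy
# placed in front of the real extension.
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".doc", ".pdf"}

# Assumed width at which a mail client truncates the displayed file name.
DISPLAY_WIDTH = 20


def display_name(name: str, width: int = DISPLAY_WIDTH) -> str:
    """Return the name as a narrow attachment column would show it."""
    return name if len(name) <= width else name[: width - 3] + "..."


def screen_attachment(name: str, width: int = DISPLAY_WIDTH) -> list[str]:
    """Return the reasons an attachment name is suspicious (empty list = clean)."""
    reasons: list[str] = []

    # splitext gives the *last* extension, which is the one that decides
    # what the client does when the file is opened.
    stem, real_ext = os.path.splitext(name.rstrip())
    real_ext = real_ext.lower()
    # The extension just before it is what the user believes the file is.
    _, decoy_ext = os.path.splitext(stem)
    decoy_ext = decoy_ext.strip().lower()

    if real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {real_ext}")
        if decoy_ext in DECOY_EXTENSIONS:
            reasons.append(f"decoy extension {decoy_ext} before the real one")

    # Runs of spaces push the real extension out of view in the client.
    if "  " in name:
        reasons.append("whitespace padding inside the name")

    # Would the user actually see the deciding extension in the client?
    shown = display_name(name, width)
    if real_ext and not shown.lower().endswith(real_ext):
        reasons.append(f"real extension not visible in display name {shown!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample names: one clean, two using the tricks above.
    for sample in ("photo.jpg", "AnnaKournikova.jpg.vbs", "invoice.pdf          .exe"):
        print(f"{sample!r:32} shown as {display_name(sample)!r:24} -> {screen_attachment(sample)}")
```

A gateway would quarantine anything with a non-empty reason list rather than rely on the user noticing the extension; the point the check makes visible is that the deciding extension and the one the user sees are different things.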
17. Reverse Social Engineering

A more advanced method of gaining illicit information is known as "reverse social engineering". This is when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around. The three parts of a reverse social engineering attack are sabotage, advertising and assisting.

Generally, reverse social engineering is the most difficult to carry out, primarily because it takes a lot of preparation and skill to execute. The social engineer assumes the role of a person of authority and has the employees asking him for information. The hacker usually manipulates the types of questions asked so he can draw out the information required. Preliminarily, the social engineer causes some incident that creates a problem, then presents himself as the solver of the problem, and through general conversation encourages employees to ask questions as well. As an example, an employee may ask how this problem has affected particular files, servers or equipment. This provides pertinent information to the social engineer. A lot of different skills and experience are required to carry this tactic off well.
• Sabotage: After gaining simple access, the attacker either corrupts the workstation or gives it the appearance of being corrupted. The user of the system discovers the problem and tries to seek help.
• Marketing: In order to ensure the user calls the attacker, the attacker must advertise. The attacker can do this by leaving business cards around the target's office and/or by placing their contact number on the error message itself.
• Support: Finally, the attacker assists with the problem, ensuring that the user remains unsuspicious while the attacker obtains the information they require.

The "My Party" e-mail worm is an example of a "reverse social engineering" virus. Reverse social engineering viruses do not rely on sensational subject lines, such as AnnaKournikova or Naked Wife, to tempt users. Instead, they use innocuous-sounding subject lines and realistic attachment names.
  • 18. Ethical Hacking and Countermeasures Exam 312-50 Certified Ethical Hacker Social Engineering Module IX Page 18 of 21 Ethical Hacking and Countermeasures Copyright © by EC-Council All rights reserved. Reproduction is strictly prohibited EC-Council Policies and Procedures Policy is the most critical component to any information security program. Good policies and procedures are not effective if they are not taught and reinforced to the employees. They need to be taught to emphasize their importance. After receiving training, the employee should sign a statement acknowledging that they understand the policies. No software or hardware security solutions can truly secure a corporate computing environment unless there is a sound security policy. These should be clearly articulated to the users such as acceptable use policy, Internet use policy and the like. The security policy sets the standards and level of security a corporate network will have. It also gives the network a security posture that can serve as a benchmark. This is even more critical when the security policy is formulated keeping in mind the threat the network faces from social engineering. The security policy can provide guidelines to users who are in a quandary when confronted by a cracker’s con. The policy can point directions to users on whether or not certain information can be given out. This should be well defined in advance by people who have seriously contemplated about the value of such information. Increasing employee confidence by laying out clear policies decreases the chance of the attacker wielding undue influence on an employee. The security policy must address a number of areas in order to be a foundation for social engineering resistance such as information access controls, setting up accounts, access approval and password changes. It should also deal with locks, ID’s, paper shredding, and escorting of visitors. 
The policy must have discipline built in and, above all, it must be enforced. The policies have a balancing effect in that a user who has been charmed by the cracker will not go out of his way and assume a different role when interacting with the cracker in person or on the phone. The policy also sets responsibility for information or access that is given out, so that there is no question as to the employee's own risk when giving away privileged information or access.

The users must be able to recognize what kind of information a social engineer can use and what kinds of conversations should be considered suspicious. Users must be able to identify confidential information and understand their responsibility towards protecting it. They also need to know when and how to refuse information to an inquirer, with the assurance of management backing.
Security Policies - Checklist

• Account Setup
• Password change policy
• Help desk procedures
• Access Privileges
• Violations
• Employee identification
• Privacy Policy
• Paper documents
• Modems
• Physical Access Restrictions
• Virus control

• Account Setup: There should be an appropriate security policy that new employees can familiarize themselves with regarding their responsibility and use of the computing infrastructure.

• Password change policy: The password policy should explicitly state that employees are required to use strong passwords and are encouraged to change them frequently. They should be made aware of the security implications in case their password is stolen or copied because of their mishandling of its storage.

• Help Desk procedures: There must be a standard procedure for employee verification before the help desk is allowed to give out passwords. A caller ID system on the phone is a good start, so the help desk can identify where the call originates. The procedure could also require that the help desk call the employee back to verify his location. Another method would be to maintain an item of information that the employee would be required to know before the password was given out. Some organizations do not allow any passwords to be given out over the phone. The help desk must also know who to contact in case of security emergencies.

• Access Privileges: There should be a specific procedure in place for how access is granted to various parts of the network. The procedure should state who is authorized to approve access and who can approve any exceptions.

• Violations: There should be a procedure for employees to use to report any violations of policy. They should be encouraged to report any suspicious activity and assured that they will be supported for reporting violations.
• Employee Identification: One way is to require employees to wear picture ID badges. Any guest should be required to register and wear a temporary ID badge while in the building. Employees should be encouraged to challenge anyone without a badge.

• Privacy Policy: Company information should be protected. A policy should be in place stating that no one is to give out any more information than is necessary. A good policy would be to refer all surveys to a designated person. The policy should also contain procedures for escalating the request if someone is asking for more information than the employee is authorized to provide.

• Paper Documents: All confidential documents should be shredded.

• Modems: Modems attached to individual computers are a major security risk because they do not go through the firewall. Policy should not allow any modems to be attached to a network computer.

• Physical Access Restriction: Sensitive areas should be physically protected with limited access. Doors should be locked and access granted only to employees with a business need.

• Virus Control: Established procedures should be in place to take action and prevent the spread of any real viruses.
Summary

• Social Engineering is the human side of breaking into a corporate network.
• Social Engineering involves acquiring sensitive information or inappropriate access privileges by an outsider.
• Human-based Social Engineering refers to person-to-person interaction to retrieve the desired information.
• Computer-based Social Engineering refers to having computer software that attempts to retrieve the desired information.
• A successful defense depends on having good policies in place and diligent implementation.