2. WHAT IS SOCIAL ENGINEERING
Social engineering is the practice of obtaining confidential
information by manipulating legitimate users. A social engineer
commonly uses the telephone or the internet to trick a person into
revealing sensitive information, or into doing something that
violates normal policy.
Social engineers exploit a person's natural tendency to trust what
they are told, rather than exploiting technical security holes.
3. HOW DOES SOCIAL ENGINEERING WORK
1. Information gathering
2. Developing relationship
3. Execution
4. Exploitation
4. INFORMATION GATHERING
The attacker can use a variety of techniques to gather information
about the target.
Once gathered, this information is used to build a relationship with
the target, or with someone whose cooperation is important to the
success of the attack.
Information that might be gathered includes, but is not limited to:
• Birth date
• Phone list
• Email address
5. DEVELOPING RELATIONSHIP
An attacker first tries to build rapport with the target.
He gains the target's trust by playing on deep-rooted impulses such as
fear, desire and empathy.
The attacker hijacks the target's normal thought process to make them
act on the attacker's behalf.
6. EXPLOITATION & EXECUTION
The now-trusted attacker manipulates the target into revealing
sensitive information, such as a password, or into carrying out an
action on the attacker's behalf.
Once the target has completed the task the attacker requested, the
cycle is complete.
7. THERE ARE TWO TYPES OF SOCIAL ENGINEERING ATTACKS
Technical attacks
Non-technical attacks
Technical attacks deceive the user into believing that the application
or message in front of them is genuine and secure, when in fact it is
not.
Non-technical attacks are carried out purely through the art of
deception, person to person.
8. TECHNICAL ATTACKS
Phishing
Phishing is generally carried out over the internet, but sometimes
also by telephone or mobile phone. The information obtained is then
used to commit crimes such as logging into your Facebook account and
posting offensive content on your wall, or taking full control of your
bank account and transferring money out of it. In phishing the
attacker never comes face to face with the victim.
Phishing emails appear to come from a legitimate business. Their
appearance and logos closely or exactly match the original, and they
ask the user to "verify" their information, warning that failure to do
so will have serious consequences.
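The tell-tale signs described above (a sender domain that imitates a trusted one, link text that shows a trusted URL while the href points elsewhere, and pressure language) can be checked mechanically. The following is an added example, not code from the original presentation: it parses a single-part HTML email and reports those three indicators. The trusted-domain allow-list, the homoglyph table, the urgency phrase list and both sample messages are constructed assumptions for the demonstration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGIT_DOMAINS = {"example-bank.com"}          # assumption: the recipient's allow-list
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "verify")
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}  # common look-alike substitutions

# Constructed sample messages (not taken from the page): a lure and a genuine notice.
SAMPLE_PHISH = """From: "Example Bank Security" <alerts@examp1e-bank.com>
To: victim@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html

<p>Dear customer, your account will be suspended unless you verify now.</p>
<p><a href="http://203.0.113.7/login">https://www.example-bank.com/secure</a></p>
"""
SAMPLE_LEGIT = """From: "Example Bank" <alerts@example-bank.com>
To: victim@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement is ready.</p>
<p><a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def normalize_domain(domain):
    """Undo homoglyph substitutions so examp1e-bank.com compares equal to example-bank.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def is_lookalike(domain, legit_domains=LEGIT_DOMAINS):
    """True if the domain imitates, but is not, one of the trusted domains."""
    d = domain.lower()
    if d in legit_domains:
        return False
    return any(normalize_domain(d) == legit or SequenceMatcher(None, d, legit).ratio() >= 0.8
               for legit in legit_domains)

def link_mismatches(html):
    """(shown_host, real_host) for every link whose visible URL hides a different target."""
    parser = LinkExtractor()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not re.match(r"https?://", text):
            continue                      # plain-text anchors make no claim about the host
        shown = (urlparse(text).hostname or "").lower()
        real = (urlparse(href).hostname or "").lower()
        if shown != real:
            out.append((shown, real))
    return out

def urgency_hits(text):
    """Pressure phrases present in the text (each counted once)."""
    low = text.lower()
    return [p for p in URGENCY if p in low]

def analyze(raw, legit_domains=LEGIT_DOMAINS):
    """Parse a single-part message and report the phishing indicators found."""
    msg = message_from_string(raw)
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload()              # assumption: single-part text/html body
    findings = []
    if is_lookalike(domain, legit_domains):
        findings.append(f"sender domain {domain!r} imitates a trusted domain")
    for shown, real in link_mismatches(body):
        findings.append(f"link text shows {shown!r} but points to {real!r}")
    hits = urgency_hits(msg.get("Subject", "") + " " + body)
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return {"sender_domain": domain, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        report = analyze(raw)
        print(f"{label}: {report['verdict']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run stand-alone, the script flags the constructed lure on all three indicators and reports no indicators for the genuine notice. None of these checks proves a message is phishing on its own; the link mismatch is the strongest signal because it is exactly the trick the page describes, while urgency wording also appears in legitimate mail, which is why it only counts when two or more phrases occur together.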
9. NON-TECHNICAL ATTACKS
Support staff
The attacker poses as support staff offering to help users fix a
problem. During the "fix" they ask for the user's credentials, and the
account is then compromised by the attacker.
Authoritative voice
The attacker calls the organization's computer help desk and pretends
to have trouble accessing the system. He claims to be in a hurry,
demands that his password be reset right away, and insists on being
given the new password over the phone. If the attacker adds
credibility to the story with details picked up through other social
engineering methods (names, phone lists, who reports to whom), the
help desk staff are more likely to believe the story and do as
requested.
10. COUNTER MEASURES TO PREVENT SOCIAL ENGINEERING
Can you fully protect against social engineering attacks?
Is there a way?
The answer is almost no, for the simple reason that no matter what
controls are implemented, there will always be the possibility of a
person being influenced through social, political or otherwise
sophisticated manipulation.
However, you can protect yourself against social engineering by never
revealing information such as passwords, system information, sensitive
data or credit card numbers, and by confirming any unusual request
through a channel you already trust (for example, calling the help
desk back on its published number) before acting on it.
11. SOCIAL ENGINEERING TOOL
Pipl.com
Pipl describes itself as the world's most comprehensive and powerful
people search engine. According to the vendor, organizations can
access over 3 billion identities to validate transactions, investigate
sources and enrich contacts.
Pipl is a people search engine that compiles and presents data from
social networking services, search engines and other databases based
on the user's query. Its results include data from popular social
networks such as Facebook, Twitter, LinkedIn and MySpace, which makes
it a ready source for the information gathering phase described above.