1.4.9 Social Engineering
(Page 1 of 3)
(Also Refer to Sections 1.6 and 5.1.2)
In the introduction you learned that Social Engineering is the biggest challenge we face. Even the strongest cryptography in the world is useless if someone is fooled into giving away the keys to the city that allow an intruder to participate in an encrypted conversation, tunneling right through the firewall to an internal server. Lurking on the Internet, we have learned that the best 'black hats' rely on exploiting human nature more than any technical exploit 83.
For example, they can exploit users willingness to give up information they can use to gain unauthorized system access, either by impersonating legitimate users or making themselves sound legitimate (for instance, claiming to be a tech support engineer working for a vendor).
Kinds of information that can be gained via social engineering include:
Crackers can also exploit their knowledge of how naïve users think, such as:
The best way to protect against social-engineering attacks is to educate your users on the importance of security, and the types of information that should not be given out to anyone without proper authorization (ideally in person or in writing, since someone could claim, Joe, our network admin, asked me to call you and get your password, when you, Joe, had nothing to do with the request).
Think youre clued-in enough to be immune to such attempts yourself? Dont bet on it. Weve seen tech-savvy senior admins fall for attempts made by would-be intruders thinking outside the box. The attacker doesnt have to be able to out-think the admin every time to be successful just once will often do. As with other types of attacks, your goal is to reduce the level of risk not to completely eliminate it.
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.