CertiGuide to Security+
Chapter 1:  General Security Concepts (Domain 1.0; 30%)
1.4  Attacks


1.4.9  Social Engineering
(Page 1 of 3)

(Also Refer to Sections 1.6 and 5.1.2)

In the introduction you learned that social engineering is the biggest challenge we face. Even the strongest cryptography in the world is useless if someone is talked into handing over the keys to the city: credentials that let an intruder join an encrypted conversation and tunnel straight through the firewall to an internal server. Reports from the field indicate that the most effective 'black hats' rely on exploiting human nature more than on any technical exploit 83.

For example, an attacker can exploit users' willingness to give up information that helps gain unauthorized system access, either by impersonating a legitimate user or by making the request sound legitimate (for instance, claiming to be a technical support engineer working for a vendor).

Kinds of information that can be gained via social engineering include:

  • modem telephone numbers

  • user ID’s and passwords

  • types of software running on important servers

  • the times at which particular processes (backups, batch jobs, and so on) run on a system

Crackers can also exploit their knowledge of how careless users behave, such as:

  • using weak passwords like “password”

  • leaving the Administrator (superuser) account with no password

  • being willing to share passwords with others

  • not carefully controlling network file shares
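The habits in this list can be checked for rather than merely warned against. What follows is an added example, not code from the CertiGuide text: it audits a constructed export of account names and password hashes for a blank password on an administrative account, passwords drawn from a short list of common guesses, a password equal to the username, and the same password shared between accounts. The account names, the passwords, the SHA-256 hash format and the word list are all assumptions made for the example.

```python
"""Audit an account export for the careless password habits a social
engineer counts on. Added example; the data below is constructed."""

import hashlib
from collections import defaultdict

# Short list of the guesses an attacker tries first (assumption for the example).
WEAK_WORDS = ("password", "123456", "qwerty", "letmein", "welcome", "admin")
# Account names treated as administrative (assumption for the example).
ADMIN_ACCOUNTS = {"administrator", "root"}


def _sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_export(accounts):
    """Render (user, password) pairs as 'user:sha256hex' lines.

    Unsalted SHA-256 is used only so the example runs offline; real systems
    store salted hashes, which also hide the reuse check performed below.
    """
    return "\n".join(f"{user}:{_sha256_hex(pw)}" for user, pw in accounts)


def audit_export(export_text, weak_words=WEAK_WORDS):
    """Return {account: [findings]} for every account with a problem."""
    entries = []
    for line in export_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        user, digest = line.split(":", 1)
        entries.append((user, digest.lower()))

    weak_digests = {_sha256_hex(w): w for w in weak_words}
    blank_digest = _sha256_hex("")

    findings = defaultdict(list)
    by_digest = defaultdict(list)
    for user, digest in entries:
        by_digest[digest].append(user)
        if digest == blank_digest:
            label = "blank password"
            if user.lower() in ADMIN_ACCOUNTS:
                label += " on administrative account"
            findings[user].append(label)
        elif digest in weak_digests:
            findings[user].append(f"common password '{weak_digests[digest]}'")
        elif digest in (_sha256_hex(user), _sha256_hex(user.lower())):
            findings[user].append("password equals username")

    # Identical digests mean two accounts share one password (unsalted case).
    for digest, users in by_digest.items():
        if len(users) > 1:
            for user in users:
                others = ", ".join(u for u in users if u != user)
                findings[user].append(f"password shared with {others}")
    return dict(findings)


# Constructed sample accounts; not real users or real credentials.
SAMPLE_ACCOUNTS = [
    ("Administrator", ""),
    ("jsmith", "password"),
    ("mlee", "password"),
    ("dkim", "dkim"),
    ("svc_backup", "R7!vq2#Lm9pX@w4Z"),
]
SAMPLE_EXPORT = build_export(SAMPLE_ACCOUNTS)

if __name__ == "__main__":
    for account, problems in sorted(audit_export(SAMPLE_EXPORT).items()):
        print(f"{account}: {'; '.join(problems)}")
```

Against the constructed export the audit flags Administrator (blank password), jsmith and mlee (the word "password", shared between them) and dkim (password equals username), and leaves svc_backup alone. With salted production hashes the same checks require an offline cracking pass per account rather than a digest lookup, but the policy being enforced is the same.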

The best defense against social engineering is to educate users about the importance of security and about the types of information that must not be given out to anyone without proper authorization. That authorization should arrive through a channel the user can verify, ideally in person or in writing, because a caller can simply claim, "Joe, our network admin, asked me to call you and get your password," when you, Joe, had nothing to do with the request.

Think you're clued-in enough to be immune to such attempts yourself? Don't bet on it. We've seen tech-savvy senior admins fall for attempts by would-be intruders who thought "outside the box". The attacker does not have to out-think the admin every time to succeed; once is often enough. As with other types of attack, the goal is to reduce the level of risk, not to eliminate it completely.


 __________________

83. http://www.nwfusion.com/research/2004/0301hackers.html



CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.