Chapter 1:  General Security Concepts (Domain 1.0; 30%)


1.6  Social Engineering

The Security+ Domain 1, as covered in this chapter, is definitional in nature. Given this, you need to know the definition of what social engineering is. Assuming you have been reading this work in a linear fashion, we won't bore you here! If you are skipping around, please read the introduction section (Chapter 0000) which covers this topic nicely.

We cannot stress enough the importance of fully understanding the challenges posed by social engineering attacks. For example, suppose your firm spends huge piles of money on fingerprint scanners. Tsutomu Matsumoto revealed two different methods for fooling fingerprint scanners with 80% accuracy [112]. However, if you are willing to settle for a first-time accuracy rate of just over 50%, the article at puttyworld reveals a much simpler and lower-cost method [113].

Social engineering is a favored attack because the attacker gets an authorized user to effectively defeat the security that has been put in place. This is the fastest and least expensive approach. Further, this approach creates the least risk of detection for the intruder. A computer cannot detect a social engineering attack, because there is no code to be detected. People can give away passwords and other valuable data, and even think they were doing the right thing (for example, thinking they were helping an authorized vendor service engineer)… and you, the network administrator, might never know.

Social Engineering

Social engineering involves defeating established security mechanisms by enlisting the assistance of (usually unwitting) users to accomplish malicious things or acquire data that the attacker is not authorized to have.

It is a particularly insidious technique because:

· No software tools are needed to acquire information like passwords and specific network addresses of file servers containing certain data (the attacker just convinces the user to tell them the information they want).

· Unlike most attacks, an attack based on social engineering activities is not detectable via an automated system like an IDS or network monitor (it is carried out in simple conversation).


Success with both the Security+ test and the real world requires thinking outside the technical box to include physical security and people [114].

How Easy It Is!

Want to see how vulnerable your network user community is to social engineering attacks? First, outline this activity to your boss and get his or her OK, because your colleague could end up receiving sensitive information. Also get agreement that the users will not be sanctioned for anything they do or say – this is an informational exercise, not one designed to place blame. Then, enlist an authorized co-conspirator, such as a not-very-well-known network administration assistant, pick a couple of target users at random, and see how much information your co-conspirator can acquire about your network via social engineering alone. Formulate an appropriate education plan in response to the users’ behavior.



__________________

[112] http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf

[113] http://www.puttyworld.com/thinputdeffi.html

[114] http://www.bayarea.com/mld/mercurynews/news/local/5209779.htm






CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.