CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)

1.5.4  Worms 1 Pop Quiz 1.2

The Security+ Domain 1, as covered in this chapter, is definitional in nature. Given this, you need to know the definition of what social engineering is. Assuming you have been reading this work in a linear fashion, we won't bore you here! If you are skipping around, please read the introduction section (Chapter 0000) which covers this topic nicely.

We cannot stress the importance of fully understanding the challenges of social engineering attacks enough. For example, suppose your firm spends huge piles of money on fingerprint scanners. Tsutomu Matsumoto revealed two different methods for faking fingerprint scanners with 80% accuracy¹¹². However if you are willing to settle for a first time accuracy rate of just over 50%, the article at puttyworld reveals a much simpler and low-cost method¹¹³.

Social engineering is a favored attack because the attacker is getting an authorized user to effectively defeat the security that has been put in place. This is the fastest and least expensive approach. Further this approach creates the least risk of detection for the intruder. A computer cannot detect a social engineering attack, because no code is there to be detected. People can give away passwords and other valuable data, and even think they were doing the right thing (for example, thinking they were helping an authorized vendor service engineer)… and you, the network administrator, might not ever know.

Success with both the Security+ test and the real world requires thinking outside the technical box to include physical security and people¹¹⁴.

1.5.4  Worms 1 Pop Quiz 1.2