Description
Social engineering is an attack vector that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.
A social engineer runs what used to be called a “con game.” Techniques such as appeal to vanity, appeal to authority and appeal to greed are often used in social engineering attacks. Many social engineering exploits simply rely on people’s willingness to be helpful. For example, the attacker might pretend to be a co-worker who has some kind of urgent problem that requires access to additional network resources.
While traditional technology-based security solutions get more sophisticated and harder to penetrate, attackers adapt by shifting towards social engineering. After all, the weakness is not in the technology, but in the person.
Methodology
In a social engineering engagement there are many different techniques used to gain information about a target and/or access to sensitive information.
Pretexting
Pretexting is when one party lies to another to gain access to privileged data. For example, a pretexting scam could involve an attacker who pretends to need personal or financial data in order to confirm the identity of the recipient.
Phishing
Phishing is when a malicious party sends a fraudulent email disguised as a legitimate email, often purporting to be from a trusted source. The message is meant to trick the recipient into sharing personal or financial information or clicking on a link that installs malware.
Spear Phishing
Spear phishing is like phishing, but tailored for a specific individual or organization.
Baiting
Baiting is when an attacker leaves a malware-infected physical device, such as a USB flash drive, in a place where it is sure to be found. The finder then picks up the device and plugs it into his or her computer, unintentionally installing the malware.
Tailgating
Tailgating involves getting into a physical facility by coercing or fooling the staff there, or simply by walking in. Usually the focus of these tests is to demonstrate that the pen tester can bypass physical security controls.
Dumpster Diving
Dumpster diving is when someone sifts through your paper trash, looking for clues to unlock your IT treasures or financial life. Typical documents of interest are: manuals from which an attacker can learn how your infrastructure is built, and financial statements or other HR-related information from which the perpetrator can find out who to con and how. Any information that helps an attacker gain knowledge and map you as a target is of interest.
Shoulder Surfing
Shoulder surfing is when someone watches you typing sensitive information. The name suggests someone watching over your shoulder, but the technique can also describe someone using binoculars, or even a surveillance camera.