Social Engineering
Lucas Carpio
Jumil Ortiz
Social Engineering
Refers to psychological manipulation of people for the purpose of information gathering, fraud or system access.
Techniques
- Pretexting
- Diversion theft
- Phishing
- IVR or phone phishing
- Baiting
- Quid pro quo
- Tailgating
Pretexting
Involves some prior research or setup and the use of this information for impersonation to establish legitimacy in the mind of the target.
Diversion theft
The objective of this technique is to persuade the person responsible for a legitimate delivery that the consignment is requested elsewhere.
Phishing
Is a technique of fradulently obtaining private information.
IVR or phone phishing
Uses a rogue IVR(Interactive Voice Response) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system.
Baiting
The attacker leaves a malware infected USB in a location sure to be found, gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to use the device.
Quid pro quo
An attacker calls random numbers at a company, claiming to be calling from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them.
Tailgating
Seeking entry to a restricted area secured by unattended, electronic access control.
Countermeasures
Organizations reduce their security risks by:
-
Establishing frameworks of trust
-
Identifying which information is sensitive
-
Establishing security protocols, policies, and procedures for handling sensitive information.
-
Training employees
-
Performing unannounced, periodic tests of the security framework.
-
Using a secure waste management service
