Thursday, October 2, 2008

Social Engineering

Social engineering is another form of intrusion: it attacks human weakness and needs none of the technical skills otherwise required to break into a network. It is one of the most difficult attacks to defend against because it targets human nature (our helpfulness, fear and trust). Social engineering can be divided into two types: computer-based and human-based.

Types of social engineering attacks:

Computer-based
• Phishing
• Spam mail
• Email attachment
• Pop up windows

Human-based
• Dumpster diving
• Shoulder surfing
• Eavesdropping
• Pretending to be a “legitimate” employee

Phishing is an attack in which the attacker sends out an email linking to a website that looks similar to the real one in order to gather information, usually a username and password. Once the information is keyed in, it is sent to the intruder.

Do note that banks usually won’t ask you to change your password unless you requested it.

Dumpster diving involves digging through the trash for information such as telephone contacts, lists of passwords, telephone bills, employee information, job scopes and job titles. This information is sufficient to launch an attack against the target company.

Example of social engineering:

An intruder calls a user, pretending to be from the IT department: “Hi, this is Michael from the IT department. We are doing a disk clean-up on our file server as it is running out of space. We need to verify your account so that the files under your user account remain undeleted. Files in accounts that are not validated within 5 minutes will be deleted. Can you provide me your username and password so that I can help you do the validation?” In a panic, scared that the files will be deleted soon, the user provides the intruder with the username and password, giving him clear access to the corporate network.
