Security at a Glance
The following lists and charts provide a quick-reference version of the social engineering methods discussed in Chapters 2 to 14 and the verification procedures detailed in Chapter 16. Adapt this information for your organization and make it available for employees to refer to when an information security question arises.
IDENTIFYING A SECURITY ATTACK
These tables and checklists will assist you in spotting a social engineering attack.
The Social Engineering Cycle
Research: May include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, and Web site content. Also Dumpster diving.
Developing rapport and trust: Use of insider information, misrepresenting identity, citing people known to the victim, claiming a need for help, or invoking authority.
Exploiting trust: Asking for information or an action on the part of the victim. In a reverse sting, the attacker manipulates the victim into asking the attacker for help.
Utilize information: If the information obtained is only a step toward the final goal, the attacker returns to earlier steps in the cycle until the goal is reached.
Common Social Engineering Methods
Posing as a fellow employee
Posing as an employee of a vendor, partner company, or law enforcement
Posing as someone in authority
Posing as a new employee requesting help
Posing as a vendor or systems manufacturer calling to offer a system patch or update
Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to ...