Security at a Glance
The following lists and charts provide a quick-reference version of the social engineering methods discussed in Chapters 2 to 14 and the verification procedures detailed in Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.
IDENTIFYING A SECURITY ATTACK
These tables and checklists will assist you in spotting a social engineering attack.
The Social Engineering Cycle
| ACTION | DESCRIPTION |
|---|---|
| Research | May include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, and Web site content. Also Dumpster diving. |
| Developing rapport and trust | Use of insider information, misrepresenting identity, citing those known to the victim, claiming a need for help, or invoking authority. |
| Exploiting trust | Asking for information or an action on the part of the victim. In a reverse sting, the attacker manipulates the victim into asking the attacker for help. |
| Utilize information | If the information obtained is only a step toward the final goal, the attacker returns to earlier steps in the cycle until the goal is reached. |
Common Social Engineering Methods
- Posing as a fellow employee
- Posing as an employee of a vendor, partner company, or law enforcement
- Posing as someone in authority
- Posing as a new employee requesting help
- Posing as a vendor or systems manufacturer calling to offer a system patch or update
- Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to ...