Security at a Glance

The following lists and charts provide a quick-reference version of the social engineering methods discussed in Chapters 2 to 14, and the verification procedures detailed in Chapter 16. Modify this information for your organization, and make it available for employees to refer to when an information security question arises.

IDENTIFYING A SECURITY ATTACK

These tables and checklists will assist you in spotting a social engineering attack.

The Social Engineering Cycle

ACTION / DESCRIPTION

Research: May include open source information such as SEC filings and annual reports, marketing brochures, patent applications, press clippings, industry magazines, and Web site content. Also Dumpster diving.

Developing rapport and trust: Use of insider information, misrepresenting identity, citing those known to the victim, a need for help, or authority.

Exploiting trust: Asking for information or an action on the part of the victim. In a reverse sting, the attacker manipulates the victim into asking the attacker for help.

Utilize information: If the information obtained is only a step toward the final goal, the attacker returns to earlier steps in the cycle until the goal is reached.

Common Social Engineering Methods

  • Posing as a fellow employee

  • Posing as an employee of a vendor, partner company, or law enforcement

  • Posing as someone in authority

  • Posing as a new employee requesting help

  • Posing as a vendor or systems manufacturer calling to offer a system patch or update

  • Offering help if a problem occurs, then making the problem occur, thereby manipulating the victim to ...
