Social Engineering


A human vector is part of the attack surface represented by people.

  • In information security, people are referred to as the “weak link” of security programs
  • threat actors often use social engineering to obtain information from people or to get them to perform an action

Social engineering is an activity where the goal is to use deception and trickery to convince unsuspecting users to provide sensitive data or to violate security policies.

  • aka hacking the human
  • uses persuasion, manipulation, deception, trickery, or intimidation
  • aims to exploit the natural human tendency to trust

Elements of Social Engineering

  • Authority
    • people defer to authority
  • Intimidation
  • Consensus
    • aka social proof
    • leverages herd mentality
  • Scarcity
  • Urgency
  • Familiarity

Types

  • passive social engineering
    • takes advantage of the unintentional actions of others to gather information or gain access to a secure facility
  • active social engineering
    • involves direct interaction with users, asking them to disclose information or take actions
  • impersonation
    • basic social engineering technique
    • classic version is:
      • threat actor phones into a department pretending to be calling from IT support
      • claims they have to adjust something on the user’s system remotely
      • gets the user to reveal their password
    • must be persuasive and establish trust
    • may use intimidation or hoaxes to elicit information

Social Engineering Attacks

Info

  • a threat actor might stage attacks over a long period
    • the initial attack may compromise low-level information and user accounts
    • these are then used to attack more sensitive information and accounts

Gathering Information for Social Engineering Attacks

2 primary sources of information:

More on Social Engineering