Security+ TechNotes - Social Engineering Attacks

Social Engineering Attacks

Before an attacker attempts to gain access to a secured system, he must first learn certain things about the target. The process of gathering information about a target system, usually to find a way in, is known as footprinting. Although an attacker often uses technology for this, he may simply ask for the information. If the right person asks, he or she will often get it all too easily.

A social engineering attack usually involves an attacker impersonating a seemingly harmless person in order to deceive company personnel into handing over information. Obtaining that information may be the goal in itself, or it may be used to help the attacker penetrate a secured system. The information can be a user ID, password, access code, or another type of sensitive data, but it can also be information that seems harmless to share. A company phoned by a "student" conducting a survey about which operating systems and software it uses may in fact be giving valuable information to a malicious attacker. The motives of a social engineer are the same as those behind technology-based attacks: money, politics, curiosity, and terrorism, for example. Malevolent competitors and ex-employees who want to settle a score, sabotage a business, or steal a company secret often use social engineering techniques to reach their goals.

A simple example of a social engineering attack is an attacker calling a company's help desk and pretending to be an employee who forgot his password. Social engineering attacks are often more complicated cons that require careful preparation as well as acting and persuasion skills. A social engineer collects bits and pieces of information that lead him to his goal, typically using his most valuable tool: the telephone. Calling a company and bluntly asking for the information may alarm the employee on the other end of the line and ruin the entire attack before it has really started. So before the attacker can persuade a victim to simply hand out information, he needs to convincingly become someone the victim will gladly give the information to, such as a person who works in the same company. To do that he needs to know the company's lingo, department structure, internal phone numbers, and anything else that will make him sound like an "insider". Once the attacker talks the talk and knows whom to impersonate and whom to ask what, it is just a matter of asking the right questions without raising suspicion to get everything he wants.

Another method an attacker uses to gather such information, and possibly even more sensitive information, is dumpster diving. This term refers to going through trash bins in search of papers with employee and department names, administration codes, specifics about the company's network environment, and other useful information. Such information may seem worthless to most people, but it may be exactly what a social engineer needs to make himself appear trustworthy.

Social engineering is also a threat to physical security, in which case an attacker tries to gain physical access to, for example, a building or office. An example frequently used in movies is the so-called 10-attack: an attractive individual distracts security personnel while an accomplice sneaks in. An attacker may also try to mislead security personnel and other employees by pretending to be, for example, a maintenance repairperson or a bug exterminator.

Social engineers have found a relatively new way to obtain sensitive information from naive people without having to pay them a visit or call them: e-mail. The attacker sends malicious e-mail messages that appear legitimate and even carry a valid sender address. The message may contain a link that takes the victim to a website that looks exactly like a site where he or she frequently buys products online with a credit card. Or the message may appear to come from the IT department and include an attachment that is supposedly the latest anti-virus update, to be installed immediately. In reality, the attachment could be a Trojan horse that creates a backdoor for the attacker or logs keystrokes and sends them to the attacker by e-mail. The best defense against social engineering attacks by e-mail is the use of certificates for encrypting and signing e-mail messages, which allows a recipient to positively identify the sender.
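As an added defender-side illustration (not part of the original TechNote), the following Python checks a constructed message for the two lures described above: a link whose visible text names a different host than the one it actually points to, and an "update" that is really an executable attachment. The sample message, its hostnames and the `review_message` helper are all assumptions made for this example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not from the original page) modelled on the lure the text
# describes: link text naming one shop domain while the href points to another,
# plus an "anti-virus update" attachment that is really an executable.
RAW_MESSAGE = b"""From: IT Department <it-support@example.com>
Subject: Urgent anti-virus update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Log in at <a href="http://shop.example.net/login">https://shop.example.com/login</a></p>
--b1
Content-Type: application/octet-stream; name="av-update.exe"
Content-Disposition: attachment; filename="av-update.exe"

constructed-placeholder-bytes
--b1--
"""

RISKY_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".vbs", ".js")
# Deliberately simple anchor matcher for demo bodies; use a real HTML parser in production.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def url_host(text):
    """Hostname of a string written as a URL; None for ordinary anchor text."""
    return urlparse(text.strip()).hostname if "://" in text else None


def review_message(raw):
    """Return findings for a raw RFC 822 message: links whose visible text
    names a different host than the href, and executable attachments."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
        elif part.get_content_type() == "text/html":
            for href, text in ANCHOR_RE.findall(part.get_content()):
                shown, actual = url_host(text), url_host(href)
                if shown and actual and shown != actual:
                    findings.append(f"link shows {shown} but points to {actual}")
    return findings
```

Running `review_message(RAW_MESSAGE)` reports both the host mismatch and the executable attachment; a plain-text message with neither yields an empty list.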

Many companies acknowledge the necessity of technology such as firewalls, intrusion detection systems, and advanced authentication systems to secure their information. However, this technology does not make them any less vulnerable to a savvy social engineer. It may actually create a false sense of security, which makes them an even easier target. To prevent successful social engineering attacks, security policies must be implemented and enforced, and all employees must be informed and trained to recognize and appropriately respond to a potential social engineering attack.

One of the most important policies that should be implemented is verification of requests. Not only should the identity of the requester be verified, but also the request he or she is making. A simple method to verify a caller's identity is to call the person back at the phone number listed in the company's phone directory. If someone outside the company asks for inside information, he or she should be referred to a manager or the Information Security department. When a copier maintenance person enters a building, the receptionist should verify the appointment and ask for an ID.

By following some basic rules and using common sense, most social engineering attacks can be prevented. It is essential to educate employees about these types of attacks and the methods of a social engineer, because in any security system people are really the weakest link.


Current related exam topics for the Security+ exam:

DOMAIN 1.0: General Security Concepts

1.4 Recognize the following attacks and specify the appropriate actions to take to mitigate vulnerability and risk.
- Social Engineering

1.6 Understand the concept of and know how to reduce the risks of social engineering.

DOMAIN 5.0: Operational/Organizational Security

5.1 Understand the application of the following concepts of physical security.
- Social Engineering


Author: Johan Hiemstra




2002-2011 TechExams.Net