Social Engineering

Contents
  1. Social Engineering

1. Social Engineering

A computer and network could have every possible technical protection, but the most difficult vulnerability to fix is us (humans). Social Engineering is convincing a user to compromise the security of a computer or network, for example tricking a user into plugging in a USB flash drive that carries malware, or phoning someone and talking them into giving remote access to their computer. This page covers four common types of Social Engineering: Phishing, Pre-texting, Baiting and Quid Pro Quo.

Phishing

Phishing is a form of Social Engineering where the attacker sends out e-mails pretending to be a trustworthy company or person. The e-mail tries to convince the user to click a link, which may lead to a page that downloads malware or to a website imitating the real one that tricks the user into entering personal information such as login credentials. Before acting on such a message, check the actual sender address (not just the display name) and the real destination of a link (not just its visible text).
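The two checks just mentioned, sender address versus display name and visible link text versus real destination, can be automated. The script below is an added example and is not code from the original page; the two e-mails, the domains in them and the `TRUSTED_DOMAINS` set are constructed sample data, and `registered_domain` is a deliberately crude "last two labels" heuristic (a real filter would use the public suffix list).

```python
"""Heuristic phishing checks over a raw e-mail (added example, constructed data)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the brand/domain this organisation actually deals with.
TRUSTED_DOMAINS = {"example-bank.com"}

# Constructed phishing sample: display name claims the bank, the real sender
# domain is a look-alike, Reply-To goes elsewhere, and the link text lies.
PHISHING_EMAIL = b"""\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: helpdesk@mail-verify.example.net
To: customer@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Please sign in at
<a href="http://examp1e-bank-login.com/verify">https://www.example-bank.com/login</a>
to keep your account active.</p>
</body></html>
"""

# Constructed legitimate sample for comparison.
LEGIT_EMAIL = b"""\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is available at
<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' heuristic; wrong for ccTLDs like .co.uk."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyse(raw_message):
    """Return a list of (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    sender = msg["from"].addresses[0]
    sender_domain = registered_domain(sender.domain)

    # 1. Display name claims a trusted brand but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in sender.display_name.lower() and sender_domain != trusted:
            findings.append(("brand-spoof", f"'{sender.display_name}' sent from {sender.domain}"))

    # 2. Replies are routed to a different domain than the apparent sender.
    if msg["reply-to"] is not None:
        reply = msg["reply-to"].addresses[0]
        if registered_domain(reply.domain) != sender_domain:
            findings.append(("reply-to-mismatch", f"Reply-To {reply.addr_spec}"))

    # 3. Visible link text names one domain, the href points to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = urlparse(text).netloc, urlparse(href).netloc
            if shown and actual and registered_domain(shown) != registered_domain(actual):
                findings.append(("link-mismatch", f"text {text} -> href {href}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyse(raw))
```

On the constructed phishing message all three checks fire; on the legitimate one none do. These heuristics catch careless phishing, not a determined attacker who registers a convincing domain and keeps headers consistent, so they complement rather than replace user awareness.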

Pre-texting

With Pre-texting, an attacker manipulates a victim by telling them a story (the pretext) explaining why they need the victim to divulge information. The story is used to help the attacker gain the victim's trust. Examples:

  • Receiving a call from someone at “Microsoft” requesting login details to fix an account.
  • Receiving a text from someone claiming to be a family member who has a new telephone number.

Baiting

Baiting is where an attacker uses a false promise to entice a user into giving up information or into installing malware. For example: leaving USB drives outside a building in the hope that one will be taken inside and plugged into a computer. An unknown drive should be handed to IT rather than plugged in to see what is on it.

Quid Pro Quo

With Quid Pro Quo, an attacker offers an exchange, often money or a service in return for information or access. Usually the attacker never pays or delivers their side of the bargain; remember that if an offer seems too good to be true, it probably is!

Prevention

Within an organisation, the main defence against Social Engineering is an Acceptable Use Policy (AUP). The AUP is a document containing a set of common rules and procedures, for example never giving out login details over the phone and never plugging unknown removable media into a work computer. Typically everyone in the organisation using IT equipment has to agree to and abide by the AUP. A policy only works if staff know it and have a way to verify unusual requests, so it should be backed by awareness training and a simple route for reporting suspicious calls, messages and devices.