By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective 2.4: Explain common social-engineering attacks, threats, and vulnerabilities.
Botnets have made hacking so easy that any network can be tested by hackers thousands of times per day. Updated antivirus/anti-malware software and other software does the heavy lifting in protecting networks and devices. Another constant threat to a computer network is users being manipulated or tricked into doing hackers’ work for them. This hacking technique is known as social engineering. The following sections describe social engineering and other threats and vulnerabilities to networks. Social Engineering Eight common social engineering techniques that all employees in an organization should know about are phishing, vishing, shoulder surfing, whaling, tailgating, impersonation, dumpster diving, and evil twin. The following sections describe each of these techniques. The key to mitigating these social engineering threats is a combination of ensuring employee awareness, implementing policies and protocols for handling sensitive internal information, and, whenever possible, using cybersecurity tools. Phishing Phishing involves creating bogus websites or sending fraudulent emails that trick users into providing personal, bank, or credit card information. A variation, phone phishing, uses an interactive voice response (IVR) system that the user is tricked into calling, to dupe the user into revealing information. Phishing is a constant threat that administrators can address with awareness warnings that give examples of the latest threats and educate employees on identifying suspicious messages.
Figure illustrates a typical phishing email. A Message That Purports to Address an Overdue Payment but Shows Classic Signs of a Phishing Attack Vishing Vishing involves leaving deceptive voice messages that appear to come from an internal source or other authority. These messages request confidential information, such as payroll or tax information. The attacks typically target a specific person, organization, or business. The best protection against vishing is to implement security practices that educate users on how to handle sensitive information within the organization. Whaling Whaling is a specific type of phishing attack that goes after high-level employees (the big fish, or whale) in an organization, especially the CEO. The attacks tend to be more sophisticated and customized, appearing to come from a high-level executive at another company. Links inside the mail or website infect the computer belonging to leadership, granting access to more sensitive information and possible authorization for fund transfers. Impersonation Impersonation is a type of social engineering similar to phishing, in which a hacker sends an email pretending to be someone the victim trusts. It can take time and research for the impersonator to figure out how to gain the target’s trust. Impersonation, also known as business email compromise (BEC), is not restricted to email, but can happen on the phone or in person. Common sense and strict policies on how to communicate sensitive information can help prevent impersonation attacks. Shoulder Surfing Shoulder surfing is the attempt to view physical documents on a user’s desk or electronic documents displayed on a monitor by looking over the user’s shoulder. Shoulder surfers sometimes watch the keyboard to see passwords being entered. They act covertly, looking around corners and using mirrors or binoculars. They might also introduce themselves to users and make conversation, in the hopes that the users will let down their guard. A common protection against shoulder surfing is using a special privacy screen that limits the viewing range of a display. Employees should be trained to be aware of others who are able to see their screens and to leave screens locked when they are away from their workstations. Tailgating Tailgating occurs when an unauthorized person attempts to accompany an authorized person into a secure area by following that person closely and grabbing the door before it shuts. This is usually done without the authorized person’s consent; sometimes the authorized person is tricked into believing that the thief is authorized. If the authorized person is knowingly involved, the act is known as piggybacking. Mantraps, mentioned earlier, are designed to thwart tailgating. Dumpster Diving Going through the trash seeking information about a network—or a person with access to the network—is called dumpster diving. This type of activity does not have to involve an actual dumpster, of course—just someone searching for any information that will help him or her socially engineer a way into a network. To limit the prospects of a dumpster diver, paper shredders or shredding services should be employed to keep data out of reach. Evil Twin An evil twin attack involves setting up a fraudulent wireless access point on a network that imitates the legitimate AP for local users. The evil twin AP sometimes attacks the legitimate AP, so users are fooled into logging onto the evil twin. The twin can then sniff usernames and passwords and listen for other valuable information. Sometimes an evil twin can set up a fake portal that mimics the company site, to collect even more data on anyone who logs on. Threats Any viable plan to protect a network and data must be based on a clear understanding of the threats that all IT networks face. This section describes common threats and methods that outsiders use to compromise networks. DDoS A distributed denial of service (DDoS) attack occurs when several (up to thousands) of computers have been compromised with special malware that turns them into bots. The bots then get directions from their new master to attack a network site with thousands of requests. The traffic is so overwhelming that the site is unreachable by normal traffic and is effectively shut down. DoS A denial of service (DoS) attack involves one computer attacking a specific target with an overwhelming number of service requests. This is very similar to a DDoS attack, but without the bots. The messages coming from one source can still take down a network, at great cost to a business. Zero-Day When legitimate software is sold and distributed, it might have unknown security vulnerabilities. When the flaws are discovered, the users put out alerts and the software company creates a patch. Sometimes hackers watch for those alerts and exploit the vulnerabilities before the patch is installed, hence the term zero-day attack. Spoofing Spoofing is a general term for malware attacks that purport to come from a trustworthy source. Phishing, spear phishing, and rogue antivirus programs are three examples of spoofing. On-Path Attack An on-path attack (formerly known as a man-in-the-middle [MiTM] attack) involves an attacker intercepting a connection while fooling the endpoints into thinking that they are communicating directly with each other. Essentially, the attacker becomes an unauthorized and undetected proxy or relay point; the attacker uses this position to capture confidential data or transmit altered information to one or both ends of the original connection. Brute Force A brute-force attack involves cracking passwords by calculating and using every possible combination of characters until the correct password is discovered. The longer the password used, and the greater the number of possible characters in a password, the longer brute-forcing takes. One way an administrator can block brute forcing is to set authentication systems to lock after a specified number of incorrect passwords. Longer passwords also aid in the fight against brute-force attacks. Dictionary Attacks Dictionary attacks involve attempting to crack passwords by trying all the words in a list, such as a dictionary. A simple list might include commonly used passwords such as 12345678 and password. Dictionary attacks can be blocked by locking systems after a specified number of incorrect passwords. Requiring more sophisticated passwords that do not include identifiable information such as birthdays or family names is also a strategy. Insider Threat Many security procedures are designed to prevent people outside an organization from penetrating a network and making off with valuable data. However, a very real threat comes from insider threat, in the form of dishonest or unhappy employees or a trusted vendor or contractor who has access to the network or the network infrastructure. Many incidents of corporate or government espionage and intellectual property theft have been performed by insiders with high levels of access. In fact, an insider can do much more harm than an outsider. Preventing insider threats is difficult, but many of the monitoring and anti-phishing practices also protect against insider fraud. It is a common corporate practice that when employees with access to the network are terminated or quit, their credentials are immediately rescinded and they have no further access to the buildings or the network. Structured Query Language (SQL) Injection Structured Query Language (SQL) is a standard language for communication among databases. This language can be used to attack a database to steal important information such as credit card numbers, social security numbers, and other private data. It can also be used to simply attack a company or government and destroy or heavily damage databases so that they become useless. Database administrators must carefully design their databases to mitigate the threat of dangerous queries. In a Structured Query Language (SQL) injection attack, malicious code is inserted into strings that are later passed to a database server. Cross-Site Scripting (XSS) Cross-site scripting (XSS) is a code-injection technique that uses client-side scripts. It involves tricking a user, often with a link in an email or through some other ruse. When an unsuspecting user clicks on the link, the attacker can inject malicious code into a web-based app. This code is then “trusted” in the user environment, but it can steal information stored in cookies or other valuable information. The best defense against XSS is to have specific firewall settings on data types entering the systems and encrypting data leaving the system. This way, if information is stolen, the thief cannot read it. Vulnerabilities A vulnerability is a weakness in an organization’s security plan that can allow the previously mentioned threats to become real problems. Many of the vulnerabilities listed here should sound familiar by now, but they are briefly reviewed in the following sections. Noncompliant Systems Noncompliant systems are systems that are tagged by a configuration manager application (for example, Microsoft’s Endpoint Configuration Manager) as not having the most up-to-date security patches installed. Systems that do not have the most updated security patches are especially vulnerable to attacks. An example of this is a user attempting to log onto a corporate network with a personal computer that has not been updated to network standards that comply with the corporation’s specifications. Unpatched Systems Similar to noncompliant systems, an unpatched system will not protect against recently discovered and newly fixed zero-day vulnerabilities. When hackers know about these vulnerabilities, the attacks increase. Unpatched systems will be vulnerable to the attacks. Systems should be patched within one week of the release of a patch. Unprotected Systems Similar to an unpatched system, an unprotected system that is missing firewalls and antivirus software (or outdated security software) is vulnerable to the latest known virus information. EOL OSs End-of-life (EOL) operating systems (OS) are dangerous to keep on a network. When software or hardware reaches EOL status, updates and patches are usually no longer available. Keeping equipment and operating systems up-to-date is part of a strong security plan. Bring Your Own Device (BYOD) Bring your own device (BYOD) use on a restricted network can have some great productivity and cost benefits, but with them come serious risks. Any malware or vulnerabilities on personal devices can become a serious vulnerability when the device is granted access to the corporate network. Network administrators need to be sure that any device allowed on the network is both updated and compliant with security practices. Many networks that allow BYOD activity require an online security check before they are granted access to the network. Personal device use should be restricted on a secure network.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.