By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Key topics: - Physical Security and Social Engineering - Pretexting and Impersonation - Methods of Influence - Social Engineering and Physical Attacks - Phishing Attacks - Other Web Attacks - Social Engineering Tools - Dumpster Diving - USB Dropping - Shoulder Surfing - Tailgating - Badges - Basic Physpen Tools - Countermeasures - Social engineering methods of influence, pretexting, and impersonation - The basics of social engineering attacks using various media types and tools - Gaining an understanding of basic physical security attacks Testing physical security measures is important, as physical controls are designed to protect personnel and property from harm. Secure services, firewalls, and network intrusion detection systems cannot provide protection when an attacker gains physical control of a device. Organizations may choose to use multiple layers of protection to reduce the risk of physical attacks like theft, sabotage, fraud, and vandalism, and accidents such as a natural disaster (e.g., earthquake). Physical access into a facility may be protected by limiting physical access points and establishing entry detection mechanisms, deterrents, or access controls around those points. Access may be limited through the use of devices, such as barriers, locks, security guards, turnstiles, or entry vestibules, among others. Detection mechanisms may include measures such as human or technological surveillance, or alarms and sensors. Policies and procedures might add another layer of protection by establishing guest sign-in and sign-out processes, or consequences for authorized personnel who allow others unauthorized entry. Physical pentests are designed to test these controls. That said, never underestimate the power of persuasion. Humans are often the weakest link in organizations with the strongest technical barriers and sophisticated security systems.
A substantial amount of knowledge can be gained using open-source intelligence gathering techniques. Social engineering feeds off this information and is the belief that the human mind can be manipulated when you push the right buttons. In this guide, we’ll discuss social engineering methods and attacks, including physical attacks that use social engineering. Physical Security and Social Engineering An organization can implement multiple layers of physical security, including the following: - Monitoring Surveillance, guards - Detecting Closed-circuit television (CCTV) cameras, security alarms, sensors - Preventing Physical barriers, lighting, mechanical or electronic locking mechanisms
Barbed wire, electricity, and signs can help accessorize a fence’s security posture and help mitigate external breaches. Note: : A perimeter barrier and an access control point are two other physical security protections to help delay an attack or reduce damage to the facility if the attacker is successful with penetration. More details on perimeter security can be found in “Perimeter Security Design,” from the Federal Emergency Management Agency (FEMA) (https://www.fema.gov) publication called FEMA 430, Site and Urban Design for Security: Guidance against Potential Terrorist Attacks (2007).
The National Institute for Standards and Technology (NIST) provides a set of standards that organizations can apply to their physical security needs. Some of these controls can be satisfied by reviewing the organization’s policy documentation to ensure it satisfies the requirements of the control. Other controls may require an actual technical assessment of the control to ensure the implementation is effective. This is where physical penetration testing can be beneficial during an engagement. NIST Special Publication 800-53 (Rev. 4) (https://nvd.nist.gov/800-53/Rev4) provides a list of information security controls that are relevant to federal information systems, as well as organizations in the private sector. The Physical and Environmental Protection (PE) control family identifies 20 unique controls relevant to physical security and the requirement(s) for how a control can be satisfied. For example, PE-3 Physical Access Control states that the organization needs to enforce physical access authorizations, that is, how will the organization meet the requirement to control access to internal and external entry points? An obvious answer could be a lock. The impact level for a control and how the organization would be affected should a breach occur will determine the complexity of the locking mechanism an organization puts on the door.
The table below provides a list of PE controls and supplemental guidance taken from NIST Special Publication 800-53 (Rev.4). Table: Physical and Environmental Protection Control Family Note: : The Federal Information Processing Standard (FIPS) 199 (https://csrc.nist.gov/publications/fips) is a NIST publication that provides the standards for categorizing information and information systems based on impact levels. There are three impact levels: Low, Moderate, and High. Each level determines the loss of confidentiality, integrity, and availability to an organization should the control fail. Disabling alarms or cameras, picking locks, jumping fences, and punching through a raised ceiling to circumvent a wall are all perfectly good examples of what you might do during a pentest, but we’re going to focus on the social engineering aspects of physical pentesting for the exam. We will focus on methods a pentester will use on human targets to achieve pentest objectives. This may involve convincing a person to allow access through certain points, stealing access devices in order to gain entry, or taking advantage of other physical artifacts to gain intelligence about a target. Pretexting and Impersonation Social engineering is the process of convincing someone to do something for you that they might not ordinarily do or want to do. This may be as simple as getting someone to pay attention to an e-mail that they might otherwise dismiss as irrelevant or as complex as getting someone to bend (or break) a rule they know they should follow. Generally, people are less willing to pay attention or bend the rules when they have no reason to trust the request. Trust might come from who the requester is, why they have made the request, or even the value of what they have requested. Consider, when your spouse asks you for money, you might be more willing to depart with it than if a stranger had made the request on the street. If a stranger makes the request, you might be less willing until you learn the reason for needing the money (“My daughter just threw up her lunch and my wife left me in line to pick up the order while she takes care of it, and I just realized she still has my wallet, and I’m a little short.”). Similarly, you might care more if the request is for a thousand dollars than if it is only for some pocket change. So, how would you convince a target they should do what you are asking them to do? What story would you need to convince them to trust you and abandon their inhibitions against taking the action? Who would you tell them you are and why should they take action? Answering these questions is part of how we establish a pretext. Pretexting is a technique used to create a situation that may make a target more willing to comply with the needs of the social engineer. An example might be attempting to convince a security guard to allow you past an access point under the pretext that you are physically ill and need to use the private restroom urgently. The nature of your alleged predicament may drive sympathy (or even horror) in the guard, enough that they may be willing to bend the rule against allowing you through. We’ll talk more about the methods of influence that social engineers use in the next section, but remember that the pretext is the situation or story that a social engineer uses to make a request plausible and build trust with a target in order to convince them. Another technique designed to build trust is impersonation. Claiming to be a figure of authority or a famous person might give the target a reason to obey a request. More subtly, social engineers might attempt to get a target to open an e-mail from an address the target has never seen before by making it seem similar to an address they have seen. Perhaps a natural disaster has recently occurred and multiple aid organizations are seeking financial assistance for their efforts to help those affected. A target might not recognize a fictional aid organization, but the fact that they appear to be an aid organization might be enough to grab the target’s attention. It’s worth noting, this must be used carefully, however. Impersonating certain individuals or organizations can be a criminal offense. For example, pretending to be a member of the law enforcement community or a federal agency is often illegal. Using the logo of a legitimate company in a phishing e-mail while claiming to be a representative of that company may break copyright laws. Of course, what constitutes criminal impersonation is governed by regional laws and may vary by location. In some cases, who or what is being impersonated is less important than the intent behind doing so. Assuming a false identity with the intent to defraud another, pretending to be another person or organization, or even opening bank and credit accounts under someone else’s identity (otherwise known as identity theft) may all be illegal depending on the context and locale. Therefore, it is important to ensure that any type of social engineering attack used within a pentest is covered in the statement of work (SOW) and approved in the rules of engagement (RoE) prior to execution. Methods of Influence There are a number of ways to influence someone to get them to do what you want them to do. CompTIA has identified motivational techniques that can be used to exploit a target’s trust.
The Social Engineering Framework (https://www.social-engineer.org) provides definitions and examples for each type of influential tactic: - Authority This can be performed in a legal (impersonating an officer of the law), organizational (impersonating a business leadership official), or social (dominant figure in a group of one’s peers) leadership role to gain access to property or controlled information. - Scarcity This can make something more desirable to a target. When time is made scarce, it can create a feeling of urgency to influence one’s decision-making logic. False statements can be used to persuade someone to do something because it sounds important and there is little time to act, such as “This sale ends today. Act now before it’s too late!” - Social proof This describes a specific social phenomenon regarding outsiders seeking conformity based on group behavior. Think about a situation you’ve been in when you had absolutely no idea what was appropriate. You might have looked around to see what other people were doing. You assume they know what’s going on, so you do what they do in order to conform and make it seem as though you weren’t clueless. This is social proof. - Likeness This approach takes advantage of the psychological concept that people are often more willing to help someone they like. This can be someone who is beautiful or familiar, or someone who provides plenty of flattery to the target. In essence, this is establishing rapport. - Fear This approach attempts to strike fear into the target. An example would be using malware (scareware) to influence someone’s decision to purchase or download fake antivirus programs or other software with malicious intent. Social Engineering and Physical Attacks Suppose for a moment that you are onsite and need access to a target network. You can’t see the WLAN from anywhere outside the building. Read up again about the range of wireless networks and the role of proximity in attacking them. In this scenario, do you attempt to enter the building in order to get closer to the network? Do you attempt to convince someone to carry into the building a wireless attack device that can call back via a cellular connection? What if you are not onsite? How would you convince someone inside to run a payload using their access instead? Social engineering attacks typically involve bypassing security controls by leveraging humans to aid with the attack. This may mean bypassing firewalls by convincing someone with insider access to execute a malicious payload, or it may mean bypassing physical controls by convincing a human to allow unauthorized ingress either for a person or a device. In this section, we’ll talk about social engineering attacks that are covered within the CompTIA PenTest+ exam objectives, including phishing attacks, phone-based attacks, web attacks, and physical attacks such as dumpster diving, baiting, shoulder surfing, tailgating, and badge cloning. Phishing Attacks One of the most popular methods used for social engineering is phishing. This is a fraud technique delivered through e-mail, phone, or text message used to obtain sensitive information from the target. Pentesters can be hired to engage in phishing attack vectors to evaluate technical defense measures over the network, like spam filters for e-mail, web content filters, firewalls, and other types of access control devices. They can also help validate employee behavior patterns to report and respond to the threat, as well as a controlled compromise method to gain an initial foothold into an organization’s network. During a phishing assessment, the number of successful interactions with a payload, the number of people who open an e-mail, or other information about goal attainment resulting from the attack may be tracked for reporting. E-mail Attacks The three main characteristics of an e-mail phishing attack are targeting, pretext, and payload. Targeting refers to who receives the phishing e-mail. The pretext is the situation created by the e-mail, including the relationship between the attacker and the intended target. The payload is the method an attacker will use to accomplish attack objectives. In the wild, attackers tend to perform opportunistic or tailored attacks against their targets. An opportunistic attack involves crafting the broadest possible pretext and sending it indiscriminately to as many targets as possible in the hope that one or more will take action based on the mail. These target lists may be randomly generated based on common names and known domains (such as Gmail). Pretexts vary from an assumed personal relationship to impersonating a company soliciting business, but do not typically include information that is tailored to the individual targets. Payloads are often generic without consideration for the target’s specific operating system or security controls. Modern security controls are somewhat adept at detecting these opportunistic attacks, meaning that pentesters tend to get better results with tailored approaches. In a tailored approach, target lists are derived from intelligence gathering or may be provided by the customer in the case of a pentest. Pretexts include information from research into the targets. This may include names, job titles, or even personal interests that are relevant to targeted individuals. Payloads may consider the security controls or software the target uses based on reconnaissance activities. Before we dig deeper into tailored attacks, understand that phishing via e-mail typically has one of three objectives: establishing rapport, gathering information, or delivering malicious content for execution.
Establishing rapport with the target by using an exchange of multiple conversational e-mails may set up the target to take subsequent actions on behalf of the attacker. One example is convincing the target to make a financial transaction to the attacker. This is popularized by the common 419 scam.
In pentesting, red teams might use this method to bypass spam filtering mechanisms by starting an e-mail conversation and including no attachments, links, or other active content that would arouse the suspicion of automated security controls. Impersonating a potential customer or a job seeker in order to get more information about the company would be a valid pretext and objective for this sort of attack. Information gathering can be done with this same sort of back-and-forth exchange, or it can be done programmatically using payloads. Payloads may attempt to gather credentials by using document or web forms, for example, or they may allow an attacker to collect system or network information. If a user clicks on a payload that includes a link to a web page controlled by the pentester, the pentester may be able to learn more about the proxies the organization is using, the browser type, and even the habits of the users who are targeted based on when they click on the message. Other malicious payloads may attempt to establish a foothold in the environment by executing exploits once a user opens a message or otherwise interacts with the content of that message.
There are generally two types of tailored attacks: spear phishing and whaling. Spear phishing uses information about the organization or the individual to attempt to bypass security controls and establish a pretext that is likely to convince the user. The target user may be anyone within the company. Whaling, on the other hand, targets members of the organization who have elevated authority, such as executives or executive assistants. Successful compromise of these targets can allow attackers to abuse chains of trust, which can cascade into much broader impacts throughout the organization. If your boss’s boss’s boss sends you an e-mail and tells you to do something, would you? In order to perform these kinds of attacks as a pentester, you will want to know as much as possible about the target organization’s security controls. If your payload never reaches its intended target, you won’t achieve your objectives. Whether you get this information from your client during pentest planning discussions or whether you gather it during reconnaissance, you’ll want to know enough about security controls to adjust your payloads and e-mail delivery mechanisms to reach your targeted individuals.
E-mail attacks typically follow this path: - Gather intelligence, including targets, security controls, and information for pretexting. - Create a payload based on the gathered intelligence, considering controls and pretext especially. - Craft an e-mail containing a valid pretext for delivery of the payload. - Set up an e-mail infrastructure to send the mail, including mail servers, domains, and other hosting if necessary. - Set up a call-back infrastructure, such as web servers, C2s, or others. Note: : This blog goes into some of the details about security control considerations and setup for your mail services if you choose to use your own domain and server for phishing: https://www.ired.team/offensive-security/red-team-infrastructure/smtp Phone-Based Attacks A pentester calls a phone number on the agreed-upon target list and reaches an employee in the sales department. The pentester introduces themselves as “Sam, from the help desk” and says the company is running a new pilot program for a remote virtual private network (VPN) solution and the employee has been chosen for the pilot. In order to make sure all goes well on the day the pilot starts, the help desk needs the employee to make sure they can access the pilot VPN portal with their login credentials. The employee types into a browser the web address that the pentester provides over the phone and gets a web page that looks like the company-branded web pages, it says something about VPN, and it has a login screen. The employee enters their username and password, and the pentester collects it from the web server they control. This technique of social engineering over the phone is sometimes called vishing.
Like other social engineering schemes, the goal may be to gather additional information or execute payloads designed to grant access to the attacker. Examples of target information might include unpublished phone numbers, business partner names, or details of pending business deals. Either way, the initial vector of attack can be via phone, SMS messaging, or voicemail. In the case of SMS (sometimes called SMiShing) or voicemail, the attack may be designed to set up further communication by getting the target individual to call back the attacker or to encourage the target to visit a website. In order to perform these attacks as a pentester, it is helpful to have an understanding of the target individual’s knowledge, a grasp of normal business terminology, and maybe caller ID spoofing technology.
Caution: Caller ID spoofing may be illegal in some places and under some circumstances. In the United States, caller ID spoofing is legal unless it is used to defraud, harm, or wrongly obtain anything of value, according to the Truth in Caller ID Act. Be certain the terms of your use for caller ID spoofing are defined in your pentest contracts and authorized accordingly. You can read more about caller ID spoofing in the United States at the Federal Communications Commission (FCC) website: https://www.fcc.gov/spoofing#:~:text=When%20is%20spoofing%20illegal%3F,to%20%2410%2C000%20for%20each%20violation
Knowing a little about the individual will be helpful if you are targeting specific kinds of information beyond user credentials that everyone may have. Asking someone from manufacturing about accounting details may be less successful than asking someone in accounting. Additionally, you may be able to build rapport using shared interests. If you know about a person’s hobbies and you can work them into the conversation, you might be able to get the person to warm up to you enough that they ignore some of their inhibitions or don’t realize when the topic changes.
Generally, you can tune your questions and interactions according to your target.
Speaking of tuning your interactions according to your target, every company has its own brand of internal jargon. The bigger the company, the more likely the language will be specific to that organization. Knowing and using those terms in the pretext may build the necessary trust to compel a target to cooperate. On the other hand, an organization that trains employees to confirm any form of phone contact from an authority by using an internal instant messaging system will likely be harder to crack with a pretext based on impersonating an internal authority. In many corporate environments, business phones show the name and extension of the person calling on the phone itself. The same is true for cell phones. Using caller ID spoofing services to make a call from the same area code or to present a name associated with your impersonated identity may add credence to your pretext.
Numerous commercial services will allow you to do this, including smart phone applications that allow you to use temporary phone numbers (burners) and IDs for phone and text messages. Many of these rely on Voice over IP (VoIP) technology.
A protocol that some of these use is called Session Initiation Protocol (SIP). It is possible to take advantage of phone systems that are configured to allow anonymous SIP INVITE requests and use tools like Metasploit and Viproy (http://www.viproy.com/) to create a spoofed caller ID, even from a number that doesn’t exist. Note: : Rapid7 has a blog series that walks you through manual configuration of a caller ID spoofing system if you don’t choose to use an existing service: https://www.rapid7.com/blog/post/2018/05/24/how-to-build-your-own-caller-id-spoofer-part-1/ Other Web Attacks There are other web-based attacks CompTIA places in the category of social engineering for the PenTest+ exam.
A watering hole attack capitalizes on a target’s trust relationship with websites they commonly visit. In this attack, an attacker observes the websites a target frequents and infects one of the sites with malware. This is an advantageous way of targeting, since the attacker already knows the targets will visit the website, so it’s just a matter of time before successful exploitation. If you use this tactic during a pentest, you should be very careful to observe appropriate guardrails to avoid infecting visitors to the site outside of your targeted organization.
Guardrails might use system characteristics, such as the origin IP address or an organization-specific registry key, to prevent accidentally targeting a system that is outside of the pentest scope. Social Engineering Tools The Social-Engineer Toolkit (SET) (https://www.trustedsec.com/social-engineer-toolkit-set/) is an open-source, Python-based framework for social engineering. It is available by default in Kali Linux. As we discussed earlier in this guide, a social engineering attack may include the use of a web page to collect credentials or execute payloads when visited by a target. SET helps with that by providing the technology components to spoof e-mails, receive web requests, and serve payloads in the context of a social engineering attack. The Browser Exploitation Framework, or BeEF (http://beefproject.com/) is another tool that may be useful for web-based attacks using social engineering. BeEF focuses on client-side attacks against web browsers. Using SET and BeEF together offers a comprehensive testing framework for carrying out phishing-based attacks. Follow along as we explore a basic technique for using SET and BeEF together to hook a target’s web browser, where additional attacks can be launched within the browser, using BeEF command modules.
The following basic items are recommended for the exercise: - Updated version of Kali Linux for the attack system - A test Google account for receiving e-mail - A web browser on a target system - Internet access for both the attack and target systems
1.: The first step is to identify your targets from the RoE and build a target list. In this example, we will be targeting one e-mail address. Open up SET and at the set> menu prompt, select option 1, Social-Engineering Attacks.
set>
2.: At the next set> menu prompt, select option 5, Mass Mailer Attack.
3.: At the set:mailer> prompt, select option 1 to send an e-mail to a single e-mail address.
set:mailer>
4.: In this example, we will be sending the e-mail to an account that we own. The next step is to build out your phishing e-mail template. To do so, you set up where the e-mail will originate from (Gmail), the TO line, the FROM NAME, and the body of the message. In the following illustration, you will see the message is trying to intrigue the target into checking out the new sales page from “customerservice.” Once you type END and press RETURN at your final set:phishing>, you will launch the campaign and the message will be e-mailed to your target.
END
set:phishing>
5.: In order for the attack to work, we need to create a web page for the user to browse to after clicking on the link. The page will have an embedded JavaScript tag that will load the BeEF JavaScript code (hook.js) to hook the browser into the framework. Launch BeEF, open up a terminal window, change the directory to /tmp, and edit the index.html. Shown next is a basic HTML page we can use to serve the target when landing on the page.
/tmp
6.: Then save and exit the vi editor and use Python with the SimpleHTTPServer module to host the web page from the /tmp directory on port 80.
7.: Now open the e-mail from “customerservice” to see what kind of a sale you might be missing out on.
8.: When clicking on the link inside the e-mail, you should be redirected to the web page we created in step 5.
9.: If you look in the terminal window where you launched the SimpleHTTPServer in step 6, you will see the HTTP GET request from the target IP, and if successful, the hook.js will be executed and you will see the IP address of the target show up in the Hooked Browser section of BeEF.
10.: When the browser is online, you can execute BeEF command modules to attack the target’s computer through the web browser. Dumpster Diving Dumpster diving is a physical attack used in social engineering. It involves digging through an organization’s dumpster or trash in order to retrieve sensitive information. Some organizations don’t do as much to protect their trash as other elements of their business, so pentesters may find information that may or may not have been destroyed, such as by shredding. Once something is placed in the trash and put out for collection, it’s often legally fair game. Although organizations might use a secure data destruction service or implement additional controls, such as locks or fences, to protect waste from unauthorized access. Therefore, you may need to circumvent some physical control to get access to this information. With success, you might find usernames, policies, passwords, software, account information, financial statements, or meeting notes. Knowing about business partners or what technology the organization uses can help with the pretexting process or identify other avenues of attack. USB Dropping Baiting is a procedure used to lure a target into doing something using a tangible reward. An example would be dropping a USB device or CD labeled “company financial data.” The idea is to spark the curiosity of the target in order to persuade him or her to introduce the device into the inside of the environment for you. They might insert the device and automatically launch a keylogger or malware that grants you access. If you gain physical access to one or more computing assets within the facility, you could also personally introduce a USB keylogger. In this case, it would be a transparent device positioned in-line with a computer keyboard and the USB port of a computer or even installed inside the keyboard itself. You may similarly insert it into the computer and rely on autorun to run any number of malicious things on a system, including installing a keylogger. A keylogger will record the user’s keystrokes and record the data to a text file, which can either be physically retrieved or exfiltrated electronically. Some USB keyloggers have Wi-Fi capability and act as a hotspot. This offers a more convenient method for data retrieval, as the keylogged data can be downloaded remotely. Keelog (https://www.keelog.com) manufactures all types of USB and serial-based (for serial consoles) keylogging products to help support your testing needs Shoulder Surfing Shoulder surfing is a physical attack using an observation technique where an attacker pretends to do something else while instead observing what a target is doing, such as typing in a password. This attack requires close proximity to the human target with the objective of stealing sensitive information while remaining unobserved. This attack need not necessarily be combined with other attacks to gain proximity, as it could be conducted against targets operating in a public place. Tailgating Tailgating is a type of physical attack that can be combined with a social engineering technique to bypass physical access controls in order to gain unauthorized access to a restricted area. This is accomplished by an unauthorized person walking in through the door behind an authorized employee with legitimate access. This may be with their consent or without it. In the case where the target notices, a pentester might attempt to generate consent by saying something like, “Sorry about that, I am new here and left my badge at my desk. I really appreciate your help.” As referenced in Table 8-1, NIST PE-3 is a testable control wherein during an engagement, the pentest team may be able to social-engineer the security guard at the front desk into letting them into the facility by bribing the guard or using diversion techniques. Depending on the outcome of testing, a mitigation may need to be applied for corrective action, such as training or finding a new guard who is less likely to fall victim to social engineering techniques. Badges PE-2 would also be a testable control. If the pentest team were able to compromise a radio frequency identification (RFID) key from a legitimate employee, then clone the key and use it to impersonate the employee, the pentest team would be able to exploit the employee’s accesses throughout the facility.
RFID devices can be cloned by reading their data and writing the same data to another compatible card. When RFID cards are used as access devices, physical attacks will often center around gaining the proximity necessary to perform the capture of the RFID information. Remember, these devices may have a range as low as a few centimeters or as high as a couple of feet. Social engineering physical attacks might involve engaging the target in conversation in order to maintain proximity during the cloning process or applying tactics to gain access using a cloned card. For example, a normal card may have a company logo or photo of the employee. If you look nothing like the employee whose badge you cloned, will that cause a problem if the security guard notices? What if something about the cloning process doesn’t work and you find yourself rejected at the door? These are all cases where other social engineering techniques may come into use. Basic Physpen Tools During a physical pentest, you will want to make sure you have the tools necessary to evaluate the implementation weaknesses within your customer’s physical security protections. This may include USB drives, badge cloning devices, and devices to bypass door lock mechanisms.
A basic lock kit provides some essential tools necessary to defeat the security mechanisms in most standard locks, including a tension wrench, a lock pick, and possibly even a bump key.
The figure below shows a basic lock-picking kit that you can purchase for under $20 USD, with the exception of the bump keys, which are typically made using a key cutting machine. But the most important tool you should have is your written authorization for testing. Figure: A basic lock-picking kit
Caution: Lock bumping can not only damage a lock but is considered illegal in some parts of the United States (and parts of the world, for that matter). It is illegal in some states to even possess lockpick kits. In others, it is only legal to possess them if you are a licensed locksmith.
The Open Organization of Lockpickers (TOOOL) is a resource available to those who want to advance their knowledge about locks and lockpicking. Their website provides a good starting point to find out if lock picking is legal or illegal in your state (https://toool.us/laws.html). Countermeasures There are a number of mitigations organizations can use to thwart risks associated with social engineering attacks, including: - Security training and validation of trust (trust but verify) - Fine-tuning technological controls - Active defense (intrusion detection and prevention systems) and security monitoring (cameras for dumpster diving) - Shredders for sensitive information (i.e., papers and CDs, etc.) - Organizational policy for handling sensitive information
Annual testing is another effective countermeasure that can help prepare organizations for various types of phishing attacks. GoPhish (https://getgophish.com) is a phishing framework used to test an organization’s exposure to phishing. You can create phishing templates, target lists, and track results in an online dashboard. Pentesters can use this type of framework to test and evaluate phishing methods in a controlled environment.
The figure below shows an example of how to track e-mails sent and opened, links clicked, and submitted data when using web forms for web pages. Figure: GoPhish – Phishing success overview Review - Physical security plays an important role in the organization’s overall security program. But people are one of the biggest threats to security. - Social engineering can be an effective means to bypass security guards or piggyback through a doorway. - Organizations with a requirement for a defense-in-depth physical security system should include multiple layers of protection. - Exterior fencing, barriers, locks, and even early warning detection and surveillance systems can help keep even the honest person honest. - Social engineering is an effective method of testing an organization’s initial lines of defense. - Many motivational techniques can be used to influence a target’s decision-making skills and entice them to do something you want them to do. - Phishing is a popular method of social engineering that can be delivered through voice, SMS messages, or e-mail. - A number of countermeasures can help protect and prepare organizations for social engineering attacks. - Annual training and testing is a way to help evaluate how susceptible an organization is to social engineering and provides the ability to track results and apply additional training in areas that need improvement. References: 1. : https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/nigerian-letter-or-419-fraud.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.