social engineering attack, Assignments of Network security

What social engineering attacks are and how to mitigate them

Typology: Assignments

2020/2021

Uploaded on 07/05/2021

farhan-ahmad

- [Instructor] Digital threats aren't the only issue facing information security
professionals seeking to protect their organizations. Some of the most dangerous
risks come from the human side of social engineering. These are also some of the
hardest threats to protect against. Social engineering attacks use psychological
tricks to manipulate people into performing an action or divulging sensitive
information that undermines the organization's security. For example, an attacker
posing as a help desk technician might use social engineering to trick a user into
revealing his or her password over the telephone. Essentially, social engineering
attacks are the online version of running a con. There are six main reasons that
social engineering attacks are successful. These include authority and trust,
intimidation, consensus and social proof, scarcity, urgency, and familiarity and
liking. Let's dig into each of these a little bit more.

Countless psychological
experiments have shown that people will listen and defer to someone who is
conveying an air of authority. Displaying outward signs of authority, such as
dressing in a suit, or simply having a look of distinguished age, creates a trust
among those without such symbols. One of the earliest experiments in authority
was conducted by Stanley Milgram, a Yale University Psychologist. He set up a
situation where students believed they were participating in an experiment about
learning, and put them in the role of teacher. When the fake students gave an
incorrect answer, the teacher was instructed to administer one of a series of
increasingly high voltage electric shocks. When the fake teachers objected to
shocking the learner, the experimenter told them that they must do so. Almost 2/3
of students were willing to administer the highest voltage shock. Of course, the
shocks were fake, but the participants believed they were real, and complied due to
the perceived authority of the experimenter. Well-known hacker, Kevin Mitnick, also
describes an example of authority and trust in his book, The Art of Intrusion. He tells
of a social engineer who simply walked right into a casino security center and
started issuing orders. Because he did so with an air of authority, the staff complied
with the commands.

The second reason that social engineering works is
intimidation. It's simply brow-beating people into doing what you want by scaring
them and threatening that something bad will happen to the individual and/or the
organization. A social engineer might call a help desk posing as an administrative
assistant demanding that they reset the password on an executive's account. When
the help desk asks to speak to the executive, the assistant might just start
yelling, "Do you know how busy he is? He is going to be very angry if you don't
just do this for me." That's intimidation.

The third social engineering tactic is
consensus and social proof. When we don't know how to react in a situation, we
look to the behavior of others and follow their example. It's the herd mentality. This
is what happens when someone is attacked in the street, and nobody calls 911. It's
also how riots occur. Most normal people would never think of burning a car or
looting a store, but once the crowd gets going, and they see this behavior around
them, many people join in.

The fourth tactic is scarcity. Making people believe that
if they don't act quickly, they will miss out. You see this each time a major
consumer electronics company releases a new product. Why will people wait in line
overnight just to get a new phone? Because they want to get one before they run
out. A social engineer might use scarcity to trick someone into allowing them to
install equipment in an office. Perhaps they show up with a wifi router, and say that
they are upgrading the wifi in adjacent offices with a brand new technology, and had one leftover router. If the office staff would like, he can install it here. If they agree, they think they're getting early access to new technology while the hacker is actually establishing a foothold on the network.

Urgency is the fifth tactic of social engineers. With this tactic, the hacker creates a situation where people feel pressured to act quickly because time is running out. For example, a hacker might show up at an office and say he is a network technician there to perform a critical repair. He needs access to a sensitive networking closet. When staff refuse to grant access, he can say that he has another appointment and can't waste time there. If they open the door now, he'll perform the repair. Otherwise, the network will probably go down, and they'll be out of luck.

The final social engineering tactic is simple: familiarity or liking. People will want to say yes to someone they like. Social engineers will use flattery, false compliments, and fake relationships to get on a target's good side, and influence their activities.

The best way to protect your organization against social engineering attacks is user education. Everyone in the organization must understand that social engineers use these tactics to gain sensitive information, and be watchful for outsiders trying to use the tactics of authority and trust, intimidation, consensus and social proof, scarcity, urgency, and familiarity and liking against them and others in the organization. In this case, wariness is a virtue.