CEH 9-Social Engineering
What is Social Engineering?
- Social engineering is the art of exploiting humans to gain sensitive information.
- This technique involves tricking people into breaking security standards.
- It is one of the most significant threats to any organization.
- Common targets of social engineering include help desk personnel, technical support executives, system administrators, etc.
Disclaimer: The articles provided on HackWithV are purely for informational and educational purposes only, and for those who are willing and curious to know and learn about Ethical Hacking, Security and Penetration Testing. Anytime the word "Hacking" is used on this site it shall be regarded as Ethical Hacking.
Types of Social Engineering:
- Social engineering attacks are classified based on the techniques used to attack or defraud the victim in order to steal sensitive information.
- The types of social engineering attacks are:
- Human-based
- Computer-based
- Mobile-based
1. Human-Based
- In human-based social engineering attacks, the social engineer interacts directly with the target to get sensitive information using various techniques.
- Some of these techniques are listed as follows:
- Shoulder surfing
- Dumpster diving
- Tailgating
- Piggybacking
2. Computer Based
- Computer-based social engineering attacks are carried out with the help of computer software to gain access to the desired information.
- Some of these attack types are listed as follows:
- Phishing
- Spam mail
- Popup windows
3. Mobile Based
- In mobile-based social engineering attacks, attackers take advantage of malicious mobile applications to gain access to the desired information.
- Some of these attack types are listed as follows:
- SMishing
- Publish malicious apps
- Repackaging legitimate apps
Exploiting Humans using Social Engineering
- Social engineering and the human element are common ways to gain access to a network, database, or building.
- Major cyber incidents happen as the result of an attacker gaining initial access using social engineering techniques, usually by convincing an insider to unwittingly download or install a piece of malware that opens up the target network to the attacker.
- Attackers employ many tricks to try to get a human target to provide them with information or access.
- They appeal to ego, financial need, curiosity, humanity, or job duties, all with the goal of getting the target to either click on a link that redirects them to a malicious website or open an attachment that contains malware.
- Humans continue to be the weak link.
- No matter how secure a network, device, system, or organization is from a technical point of view, humans can often be exploited.
- Individuals should be vigilant regarding emails and unsolicited phone calls that attempt to get them to reveal sensitive information.
- Companies should regularly provide security awareness training to employees.
- Organizations are made more vulnerable by a lack of security policies and by unregulated access to information.
Some types of Social Engineering Attacks
1. Eavesdropping
- Eavesdropping is a technique used by attackers to intercept private communication without authorization, such as a phone call, instant message, video conference or fax transmission.
- This is done by directly listening to digital or analog voice communication, or by intercepting or sniffing data relating to any form of communication.
2. Dumpster diving
- Dumpster diving is looking for treasure in someone else's trash. (A dumpster is a large trash container).
- In Information Technology, dumpster diving refers to a technique used to retrieve information that could be used to perform attacks on a computer network.
- Dumpster diving is not limited to searching through the trash for information like access codes or passwords written down on sticky notes.
3. Shoulder Surfing
- Shoulder surfing is nothing but direct observation, such as looking over someone's shoulder, to grab sensitive details.
- It is commonly used while someone enters passwords, PINs, or security codes at ATMs or on their personal computers.
4. Tailgating and Piggybacking
- Tailgating/piggybacking is when a person attaches themselves to another person who is authorized to gain access to a restricted area or pass a specific checkpoint, and enters along with them.
- Tailgating implies that the authorized person has not consented, while piggybacking means the authorized person has approved.
5. Phishing
- Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, financial information), often for malicious reasons, by masquerading as a trustworthy entity in electronic communication.
6. Spear phishing
- Spear phishing is a variation on phishing in which hackers send emails to groups of people with specific common characteristics or other identifiers.
- Spear phishing emails appear to come from a trusted source but are designed to help hackers obtain trade secrets or other classified information.
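As an added example, not from the original page, the following Python checks a constructed email for the masquerading indicators that phishing relies on: a display name claiming a trusted brand but sent from a different domain, visible link text that names one host while the real href points to another, and links to bare IP addresses. The trusted-domain table and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: claims to be from a trusted brand, is sent from an
# unrelated lookalike domain, and hides the real link target behind brand text.
SAMPLE_PHISH = """From: "Example Bank Support" <alerts@examp1e-bank-login.example>
To: employee@corp.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. <a href="http://198.51.100.7/login">https://www.example-bank.example/login</a></p>
"""

# Constructed sample of a legitimate message from the same brand.
SAMPLE_LEGIT = """From: "Example Bank Support" <alerts@example-bank.example>
To: employee@corp.example
Subject: Your monthly statement
Content-Type: text/html

<p>Statement ready: <a href="https://www.example-bank.example/statements">https://www.example-bank.example/statements</a></p>
"""

# Assumed table: brand names (lowercase) mapped to the domains the organisation trusts for them.
TRUSTED_DOMAINS = {"example bank": {"example-bank.example"}}

LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)

def host_of(url):
    """Return the lowercase host part of a URL, or None if the text is not a URL."""
    m = URL_HOST_RE.match(url.strip())
    return m.group(1).lower() if m else None

def phishing_indicators(raw):
    """Return a list of indicator strings found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    # 1. Display name claims a trusted brand, but the sending domain is not one of its domains.
    for brand, domains in TRUSTED_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display-name impersonation: '{display}' sent from {sender_domain}")
    for href, text in LINK_RE.findall(msg.get_payload()):
        link_host, text_host = host_of(href), host_of(text)
        # 2. Visible link text names one host while the real target is another.
        if text_host and link_host and text_host != link_host:
            findings.append(f"link text {text_host} points to {link_host}")
        # 3. Link target is a bare IP address rather than a hostname.
        if link_host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", link_host):
            findings.append(f"link to bare IP address {link_host}")
    return findings
```

The same three checks are what a user is asked to do by eye when security awareness training says "check the sender and hover over the link"; automating them at the mail gateway catches the cases a hurried reader misses.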
Mitigations
- Employees in an organization should be aware of security policies and procedures.
- Secure or shred all the documents containing private information.
- Protect your personal information from being published.
- Never store personal/banking information on the mobile device.