Social Engineering: Vulnerabilities & Impact


Questions and Answers

In the context of social engineering, what is the main factor that makes people vulnerable to disclosing confidential information?

  • The sophistication of computer hacking techniques.
  • Ignorance of the value of their information and a lack of concern for protecting it. (correct)
  • The complexity of security systems.
  • The lack of specific software to defend against attacks.

What are the possible impacts of a successful social engineering attack on an organization?

  • Only lawsuits and arbitration.
  • Only temporary closure of the business.
  • Economic losses, loss of privacy, lawsuits, damage to reputation, closure and terrorism risks. (correct)
  • Only direct economic losses.

Why is the nature of human trust a key success factor in social engineering attacks?

  • Because people are naturally suspicious and ask questions.
  • Because people are more likely to follow the instructions of a superior.
  • Because people are naturally inclined to help and to believe others, which can be exploited. (correct)
  • Because organizations never trust their employees.

Which of the following factors makes a company particularly vulnerable to social engineering attacks?

Answer: Insufficient security training for employees.

In the phases of a social engineering attack, why is the "research on the target company" phase important?

Answer: It lets the attacker identify the organization's vulnerabilities and weak points.

How could an attacker exploit a company's help desk in an impersonation scenario?

Answer: By posing as an employee who has forgotten their password and insisting on the urgency of the situation.

What is "spear phishing" and how does it differ from traditional phishing?

Answer: Spear phishing is a targeted attack for sensitive information aimed at specific individuals or small groups within an organization.

How do attackers exploit mobile applications in mobile-based social engineering?

Answer: By creating malicious applications that mimic popular applications in order to steal information.

What specific security risks does the use of social networking sites pose for enterprise networks?

Answer: Network vulnerability and involuntary data leakage.

Which of the following measures is the most effective at preventing insider threats in a company?

Answer: Separation and rotation of duties.

Flashcards

Social Engineering

The art of convincing people to reveal confidential information.

Behaviors vulnerable to attack

Human trust exploited as the primary vulnerability.

Research on the target company

The initial phase of gathering information about a target.

Choosing a victim

Identifying frustrated or neglected employees within an organization.

Developing a relationship

Establishing a relationship of trust.

Exploiting the relationship

Collecting sensitive information.

Impersonation

A method in which an attacker pretends to be someone else in order to obtain information.

Reverse social engineering

A situation in which the attacker presents themselves as an authority figure, so that the target comes to the attacker for help.

Piggybacking

An authorized person lets an unauthorized person into a secure area.

Phishing

A fraudulent e-mail that tries to obtain personal information.

Study Notes

Social Engineering Concepts

  • Social engineering is the art of convincing people to reveal confidential information.
  • Common targets are help desk staff, technical support, system administrators and other people with routine access to credentials or systems.
  • Social engineers depend on people's ignorance of the value of their information and a lack of concern for protecting it.

Impact of Attacks On Organisation

  • Economic losses
  • Loss of Privacy
  • Lawsuits and arbitrations
  • Damage to goodwill
  • Temporary or permanent closure
  • Terrorist threats

Vulnerable behaviors to attacks

  • Trust is the foundation of social engineering: staff who extend trust by default make the organization an easy target.
  • Fear: the victim is made to believe that not following the social engineer's request will cause severe losses.
  • Greed: social engineers promise something for nothing to entice victims into disclosing information.
  • Moral obligation: victims are asked to help and feel obliged to comply.

Factors That Make Businesses Vulnerable To Attacks

  • Insufficient security training for employees
  • Unrestricted access to sensitive info
  • Multiple organizational units
  • Lack of security policies

Why Is Social Engineering Effective?

  • A security policy is only as strong as its weakest link, and humans are the weakest link.
  • Social engineering attempts are difficult to detect.
  • No method guarantees 100% protection against social engineering.
  • There is no specific software or hardware product that defends against social engineering tactics; the controls are people, process and awareness.

Phases Of A Social Engineering Attack

  • Research the target company: dumpster diving, websites, employees, company tours.
  • Choose a victim, typically a frustrated or neglected employee within the target company.
  • Develop a relationship with the selected employee.
  • Exploit the relationship by gathering sensitive information about accounts, finances and the technologies in use.

Human-Based Social Engineering

  • Involves gathering sensitive information through interaction by pretending to be someone legitimate or authorized.
  • Attackers impersonate legitimate or authorized people in person and via phone, email, etc.
  • Impersonation helps attackers trick a target into revealing sensitive information.

Impersonation Examples

  • Posing as a legitimate user: the attacker claims a real user's identity and asks for sensitive information.
  • Posing as an important user: a VIP of the target company or a valuable customer, whom staff are reluctant to challenge.
  • Posing as technical support: the attacker, on a call, asks for user IDs and passwords under the pretext of recovering data.

Impersonation Scenario Examples

  • Help desks are vulnerable to social engineering because their purpose is to help.
  • An attacker calls the company's support team impersonating someone with authority or a plausible reason, attempting to extract sensitive information.
  • Example: the attacker says they have forgotten their password and adds that if they miss the deadline for a big project their boss might fire them. The technician feels sorry for them and resets the password without verifying identity.

Identity Impersonation Scenarios: Authorization of a Third Party

  • The attacker obtains the name of an authorized employee of the target organization who has access to the information.
  • The attacker then calls the part of the organization where the information resides and claims that the employee in question has requested that the information be supplied to the attacker.

Identity Impersonation Scenarios : Tech Support

  • The attacker pretends to be technical support from a software vendor or subcontractor of the target organization, then asks for a user ID and password "to resolve the issue".

Identity Impersonation Scenarios : Repairman

  • The attacker pretends to be a telephone or computer repair technician in order to enter the target company's premises.
  • Once inside, they can plant a snooping device or pick up passwords written down around workstations during the "repair".

Identity Impersonation Scenarios : Trust Authority

  • An "inspector" asks to review disaster recovery procedures: after a web site crash, the service team has 10 minutes to demonstrate how it is recovered, which walks the attacker through the recovery process.
  • A "sales representative" arrives with a group of "prospective clients" looking to outsource their security consulting; a quick tour of the facilities, supposedly to impress them, gives the group a look inside.
  • Someone arrives as an HVAC (heating, ventilation and air conditioning) contractor, for example "Aircon Express Services", to fix an overheating data room. The credible pretext helps the intruder obtain permission to access the targeted secure resource.

Human-Based Social Engineering: Reverse Social Engineering, Piggybacking and Tailgating

  • A reverse social engineering attack has three parts: sabotage (create a problem), marketing (advertise the attacker as the person who can fix it) and tech support (the victim calls the attacker and hands over information).

Reverse Social Engineering

  • The attacker poses as an authority; the target seeks the attacker's advice and, in doing so, provides the information the attacker needs.

Piggybacking

  • An authorized person (intentionally or unintentionally) allowing an unauthorized person to pass through a secure door

Tailgating

  • An unauthorized person wearing a fake ID badge enters a secure area closely following an authorized person through a key access door.

Computer-Based Social Engineering

  • Carried out through phishing: fraudulent e-mails, pop-ups and fake web pages.

Phishing

  • A fraudulent email that appears to be from a legitimate site that tries to obtain personal or account information from a user.
  • Phishing emails or pop-ups redirect users to fake web pages that mimic reputable sites, requesting personal information.

Spear Phishing

  • Spear phishing is a direct, targeted phishing attack aimed at specific individuals within an organization.
  • Attackers craft social engineering content tailored to a specific person or small group. This yields a much higher response rate than ordinary phishing, where hundreds of generic messages are sent to random addresses.
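The indicators described above (a sender domain that only looks like the real one, link text showing one URL while the href points elsewhere, urgency language) can be checked mechanically. The following is an added example, not code from the original lesson: a small triage script using only the Python standard library. The trusted-domain set, the confusable table and both sample messages are assumptions constructed for this example.

```python
"""Heuristic triage of a suspected phishing e-mail (added example).

Checks three indicators: a sender domain built to resemble a trusted one,
link text whose host differs from the href host, and urgency wording.
The trusted-domain set and the two sample messages are constructed for
this example and are not real mail.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-corp.com"}          # assumed: the organisation's real domain

URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (?:minutes?|hours?)|expires? today"
    r"|account (?:will be )?(?:locked|suspended))\b", re.I)

# Digit-for-letter substitutions commonly used in look-alike domains.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain):
    """Fold look-alike tricks (0->o, 1->l, rn->m, vv->w) so that
    'examp1e-corp.com' compares equal to 'example-corp.com'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])


def is_lookalike(host, trusted):
    """True when host is not the trusted domain but is built to resemble it."""
    dom = registrable(host)
    if dom == trusted:
        return False
    folded = normalize_domain(dom)
    return folded == trusted or edit_distance(folded, trusted) <= 1


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def analyze(raw, trusted_domains):
    """Return a list of finding tags for one RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, addr = parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in trusted_domains:
        findings.append(f"sender-domain-untrusted:{sender_domain}")
        findings += [f"sender-domain-lookalike:{t}" for t in sorted(trusted_domains)
                     if is_lookalike(sender_domain, t)]

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(content)
        for href, text in collector.links:
            href_host = (urlparse(href).hostname or "").lower()
            # Link text that itself looks like a URL must agree with the href.
            if re.match(r"(https?://|www\.)", text, re.I):
                shown = text if "://" in text else "http://" + text
                text_host = (urlparse(shown).hostname or "").lower()
                if text_host != href_host:
                    findings.append(f"link-text-host-mismatch:{text_host}->{href_host}")
            findings += [f"link-host-lookalike:{t}" for t in sorted(trusted_domains)
                         if href_host and is_lookalike(href_host, t)]

    text_only = re.sub(r"<[^>]+>", " ", content)
    if URGENCY.search(str(msg["Subject"] or "")) or URGENCY.search(text_only):
        findings.append("urgency-language")
    return findings


# Constructed sample: digit '1' for 'l' in the domain, mismatched link, urgency.
SAMPLE_PHISH = """\
From: "IT Help Desk" <support@examp1e-corp.com>
To: jane.doe@example-corp.com
Subject: Urgent: password expires today
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires in 1 hour. Reset it now:</p>
<a href="http://login.examp1e-corp.com/reset">https://sso.example-corp.com/reset</a>
</body></html>
"""

# Constructed sample of ordinary internal mail: should produce no findings.
SAMPLE_LEGIT = """\
From: "Comms Team" <comms@example-corp.com>
To: jane.doe@example-corp.com
Subject: March newsletter
Content-Type: text/html; charset=utf-8

<html><body><p>This month's newsletter is online:
<a href="https://intranet.example-corp.com/news">Read the newsletter</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample, TRUSTED))
```

The look-alike test deliberately folds digits to letters before comparing, because a plain string comparison would pass `examp1e-corp.com` as simply "a different domain"; a hostname that differs from the trusted one only by confusable characters or a single edit is the spear-phisher's usual choice. The registrable-domain approximation (last two labels) is crude and will mis-handle two-label public suffixes such as `co.uk`; a production version would use the Public Suffix List.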

Mobile-Based Social Engineering

  • Carried out through mobile applications.
  • Attackers build malicious apps with attractive features and names very similar to those of existing, popular applications, and publish them on app stores.
  • Users install these apps and are infected with malware that sends their credentials to the attackers.

Supplement: Disgruntled Employee

  • An employee may become disgruntled if he or she feels disrespected, is frustrated by the work, is in conflict with management, is dissatisfied with pay or benefits, has been given notice of termination, has been transferred or demoted, and so on.
  • Disgruntled employees are more likely to pass trade secrets and intellectual property to competitors for financial gain.

Identity Usurpation on Social Networking Sites

  • Attackers harvest organizational details, professional details, contacts and connections, and personal details from social networking profiles.

Organization Details

  • Malicious users gather confidential information from social networking sites to create accounts in the names of others.

Professional Details

  • Attackers use other people's profiles to create large networks to extract data using social engineering.

Contacts and Connections

  • Attackers try to join the target organization's employee groups by sharing personal and business info

Personal Details

  • Attackers use harvested information to mount further social engineering, for example by creating a fake Facebook group for an organization and inviting its employees, where data such as birthdays and education are shared.

Risks of Social Networking for Enterprise Networks

  • The main risks are data theft, involuntary data leakage, targeted attacks, network vulnerability and identity theft.

Data theft

  • A social networking site is a repository of information accessible by many users, increasing the risk of exploiting information.

Involuntary Data Leakage

  • Employees may unknowingly post sensitive company data on social networking sites if there is no solid policy.

Targeted Attacks

  • Attackers can use information available on social networking sites to perpetrate targeted attacks

Network Vulnerability

  • Social networking sites themselves have security flaws, and those flaws can open holes into the organization's network when employees use the sites from corporate systems.

Identity Theft

  • Refers to someone stealing one's personally identifiable data for fraudulent purposes.
  • Can be used to impersonate target organization employees.

Preventing Insider Threats

  • Controls include separation and rotation of duties, least privilege, controlled access, logging and auditing, legal (acceptable-use) policies, and archiving of critical data.
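Two of the controls listed above, least privilege and separation of duties, only have teeth if someone checks the audit journal against them. The following is an added example, not code from the original lesson: a script that runs both checks over a journal. The CSV layout, the role/permission table, the conflicting-action list and the journal lines are all constructed for this example.

```python
"""Audit-journal checks for least privilege and separation of duties
(added example; policy tables and journal lines are constructed).

- Least privilege: every action must be permitted for the role the actor
  used (a role not in the table has no rights).
- Separation of duties: no single identity may perform both halves of a
  conflicting action pair on the same object, even if each half was
  performed under a role that legitimately allows it.
"""
import csv
from collections import defaultdict
from io import StringIO

# Assumed policy: which actions each role may perform.
ROLE_PERMISSIONS = {
    "purchasing": {"create_po"},
    "finance": {"approve_po"},
    "helpdesk": {"reset_password"},
}

# Assumed policy: action pairs that must be split between two people.
CONFLICTING_ACTIONS = [("create_po", "approve_po")]

# Constructed journal. carol legitimately holds both purchasing and finance
# roles, so the role check passes her; only the duty check catches her.
# dave's help-desk role does not include approve_po at all.
AUDIT_LOG = """\
timestamp,user,role,action,object
2024-03-01T09:00:00Z,alice,purchasing,create_po,PO-1001
2024-03-01T09:05:00Z,bob,finance,approve_po,PO-1001
2024-03-01T10:00:00Z,carol,purchasing,create_po,PO-1002
2024-03-01T10:02:00Z,carol,finance,approve_po,PO-1002
2024-03-01T11:00:00Z,dave,helpdesk,reset_password,jane.doe
2024-03-01T11:30:00Z,dave,helpdesk,approve_po,PO-1003
"""


def parse_journal(text):
    """Journal lines as dicts keyed by the CSV header."""
    return list(csv.DictReader(StringIO(text)))


def check_least_privilege(entries):
    """Flag each action the actor's role does not permit."""
    findings = []
    for e in entries:
        if e["action"] not in ROLE_PERMISSIONS.get(e["role"], set()):
            findings.append(
                f"out-of-role:{e['user']}:{e['role']}:{e['action']}:{e['object']}")
    return findings


def check_separation_of_duties(entries):
    """Flag each object on which one identity performed both conflicting actions."""
    actors = defaultdict(lambda: defaultdict(set))   # object -> action -> {users}
    for e in entries:
        actors[e["object"]][e["action"]].add(e["user"])
    findings = []
    for obj, by_action in actors.items():
        for first, second in CONFLICTING_ACTIONS:
            for user in sorted(by_action[first] & by_action[second]):
                findings.append(f"sod-violation:{user}:{obj}:{first}+{second}")
    return findings


def audit(text):
    """All findings for a journal, role violations first."""
    entries = parse_journal(text)
    return check_least_privilege(entries) + check_separation_of_duties(entries)


if __name__ == "__main__":
    for finding in audit(AUDIT_LOG):
        print(finding)
```

The point of keeping the two checks separate is that they fail differently: role-based access control stops dave because his role never had the right, while carol's actions were each individually authorized and are only wrong in combination. Rotation of duties would be checked the same way, over a longer window, by looking for identities that hold one sensitive action on a workflow for too long.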

Common Social Engineering Goals and Defense Strategies

  • Areas to consider: the help desk, perimeter security, office security, telephones, the mailroom, and machine-room and telephone-closet security.
  • Attack techniques include eavesdropping, shoulder surfing, impersonation, persuasion and intimidation, fake identity badges and piggybacking.
  • Defense strategies include employee security training on handling passwords and giving out information over the phone, badge policies, and tracking of equipment.
