
Chapter 2 - 05 - Understand Social Engineering Attacks - 01_ocred_fax_ocred.pdf


Full Transcript


Certified Cybersecurity Technician - Information Security Attacks - Exam 212-82 (Module 02)

Module Flow

- Understand Information Security Attacks
- Understand Social Engineering Attacks
- Describe Hacking Methodologies and Frameworks
- Understand Network-level Attacks
- Understand Wireless Network-specific Attacks
- Understand Application-level and OS-level Attacks
- Understand IoT, OT, and Cloud Attacks
- Understand Cryptographic Attacks

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Understand Social Engineering Attacks

Attackers implement various social engineering techniques to gather sensitive information from people or organizations that might help them to commit fraud or participate in other criminal activities. This section discusses various social engineering techniques used by attackers and includes examples for a better understanding.

What is Social Engineering?

- Social engineering is the art of convincing people to reveal confidential information
- Social engineers depend on the fact that people are unaware of the valuable information to which they have access and are careless about protecting it

Before performing a social engineering attack, the attacker gathers information about the target organization from various sources such as:

- The organization’s official websites, where employees’ IDs, names, and email addresses are shared
- Advertisements of the target organization cast through media reveal information such as products and offers.
- Blogs, forums, and other online spaces where employees share basic personal and organizational information.
After gathering information, an attacker executes social engineering attacks using various approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and other methods.

Social engineering is the art of manipulating people to divulge sensitive information to use it to perform some malicious action. Despite security policies, attackers can compromise an organization’s sensitive information by using social engineering, which targets the weakness of people. Most often, employees are not even aware of a security lapse on their part and inadvertently reveal the organization’s critical information. For instance, unwittingly answering strangers’ questions or replying to spam email.

To succeed, attackers take a special interest in developing social engineering skills and can be so proficient that the victims might not even notice the fraud. Attackers always look for new ways to access information. They also ensure that they know the organization’s perimeter and the people on its perimeter, such as security guards, receptionists, and help-desk workers, to exploit human oversight. People have conditioned themselves to not be overly suspicious, and they associate specific behaviors and appearances with known entities. For instance, a man in a uniform carrying a pile of packages for delivery will be perceived as a delivery person. With the help of social engineering tricks, attackers succeed in obtaining confidential information, authorization, and access details from people by deceiving and manipulating human vulnerability.
Common Targets of Social Engineering

A social engineer uses the vulnerability of human nature as their most effective tool. Usually, people believe and trust others and derive fulfillment from helping the needy. Discussed below are the most common targets of social engineering in an organization:

- Receptionists and Help-Desk Personnel: Social engineers generally target service-desk or help-desk personnel by tricking them into divulging confidential information about the organization. To extract information, such as a phone number or password, the attacker first wins the trust of the individual with the information. On winning their trust, the attacker manipulates them to get valuable information. Receptionists and help-desk staff may readily share information if they feel they are doing so to help a customer.
- Technical Support Executives: Another target of social engineers is technical support executives. The social engineers may take the approach of contacting technical support executives to obtain sensitive information by pretending to be senior management, customers, vendors, or other figures.
- System Administrators: A system administrator in an organization is responsible for maintaining the systems. Thus, they may have critical information such as the type and version of OS and admin passwords, that could be helpful for an attacker in planning an attack.
- Users and Clients: Attackers could approach users and clients of the target organization, pretending to be a tech support person to extract sensitive information.
- Vendors of the Target Organization: Attackers may also target the vendors of the organization to gain critical information that could help in executing attacks.
- Senior Executives: Attackers could also approach senior executives from various departments such as Finance, HR, and CxOs to obtain critical information about the organization.
