Social engineering, in the context of information security, refers to the psychological manipulation of people into performing actions or divulging confidential information. This type of confidence trick, used for the purpose of information gathering, fraud, or system access, differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.
The term "social engineering" as an act of psychological manipulation of humans is also associated with the social sciences, but its usage has caught on among computer and information security professionals.
Information security culture
Employee behavior can have a major impact on information security in an organization. Cultural concepts can help different segments of the organization work effectively, or work against the effectiveness of information security within an organization. "Exploring the Relationship between Organizational Culture and Information Security Culture" provides the following definition of information security culture: "ISC is the totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."
Andersson and Reimers (2014) found that employees often do not see themselves as part of their organization's information security "effort" and often take actions that ignore the organization's information security best interests. Research shows that information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change", the authors commented, "It's a never-ending process, a cycle of evaluation and change or maintenance." To manage an information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.
- Pre-evaluation: to identify the awareness of information security among employees and to analyze the current security policy.
- Strategic planning: to come up with a better awareness program, clear targets need to be set. Clustering people into groups is helpful in achieving them.
- Operative planning: a good security culture can be established based on internal communication, management buy-in, and security awareness and training programs.
- Implementation: four stages should be used to implement an information security culture. They are commitment of the management, communication with organizational members, courses for all organizational members, and commitment of the employees.
Techniques and terms
All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases. These biases, sometimes called "bugs in the human hardware", are exploited in various combinations to create attack techniques, some of which are listed below. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals or technicians so that they go unnoticed while they steal company secrets.
One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board saying that the number for the help desk has changed. When employees then call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example of social engineering is a hacker who contacts the target on a social networking site and starts a targeted conversation. Gradually the hacker gains the trust of the target and then uses that trust to obtain sensitive information such as passwords or bank account details.
Social engineering relies heavily on the six principles of influence established by Robert Cialdini. Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity.
Six main principles
- Reciprocity: People tend to return a favor, hence the pervasiveness of free samples in marketing. In his conferences, Cialdini often uses the example of Ethiopia providing thousands of dollars in humanitarian aid to Mexico just after the 1985 earthquake, despite Ethiopia suffering from a crippling famine and civil war at the time. Ethiopia was reciprocating the diplomatic support Mexico had provided when Italy invaded Ethiopia in 1935. The good cop/bad cop strategy is also based on this principle.
- Commitment and consistency: If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment because it establishes the idea or goal as congruent with their self-image. Even if the original incentive or motivation is removed after they have already agreed, they will continue to honor the agreement. Cialdini notes the Chinese brainwashing of American prisoners of war to rewrite their self-image and gain automatic, unenforced compliance. Other examples are children who are made to repeat the Pledge of Allegiance every morning, and marketers who make you close a popup by clicking "I'll sign up later" or "No thanks, I'd rather not make money."
- Social proof: People will do things that they see other people doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment was aborted, as so many people were looking up that they stopped traffic. See conformity, and the Asch conformity experiments.
- Authority: People will tend to obey authority figures, even if they are asked to perform objectionable acts. Cialdini cites incidents such as the Milgram experiments in the early 1960s and the My Lai massacre.
- Liking: People are easily persuaded by other people whom they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing. People are more likely to buy if they like the person selling to them. Some of the many biases favoring more attractive people are discussed. See the physical attractiveness stereotype.
- Scarcity: Perceived scarcity will generate demand. For example, saying that an offer is available for a "limited time only" encourages sales.
His 1984 book, Influence: The Psychology of Persuasion, is based on three years of "undercover" work, applying for and training at used car dealerships, fund-raising organizations, and telemarketing firms to observe real-life situations of persuasion. It has been mentioned in 50 Psychology Classics.
Pretexting
Pretexting (adj. pretextual), also known in the UK as blagging or bohoing, is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance that the victim will divulge information or perform actions that would be unlikely in ordinary circumstances. An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (for example, date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.
This technique can be used to fool a business into disclosing customer information, and is also used by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives. The information can then be used to establish even greater legitimacy under tougher questioning by a manager, for example, to make account changes, get specific balances, etc.
Pretexting can also be used to impersonate co-workers, police, banks, tax authorities, clergy, insurance investigators, or any other individual who could have perceived authority or a right to know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that the victim might ask. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and the ability to think on one's feet to create a pretextual scenario.
Diversion theft
Diversion theft, also known as the "Corner Game" or "Round the Corner Game", originated in the East End of London.
Diversion theft is a "con" exercised by professional thieves, normally against a transport or courier company. The objective is to persuade the persons responsible for a legitimate delivery that the consignment is requested elsewhere, hence "round the corner".
Phishing
Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business, such as a bank or credit card company, requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate, with company logos and content, and has a form requesting everything from a home address to an ATM card's PIN or a credit card number. For example, in 2003, there was a phishing scam in which users received e-mails supposedly from eBay claiming that the user's account was about to be suspended unless the provided link was clicked to update a credit card (information that the genuine eBay already had). Because it is relatively simple to make a website resemble a legitimate organization's site by mimicking the HTML code and the logos, the scam counted on people being tricked into thinking they were being contacted by eBay and subsequently going to the fake site to update their account information. By spamming large groups of people, the "phisher" counted on the e-mail being read by a percentage of people who already had credit card numbers registered with eBay legitimately, who might respond.
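The eBay example above turns on two things a mail filter can check mechanically: the link's visible text names one site while its href goes somewhere else, and the destination host is a look-alike of a brand the recipient trusts. The following is an added example, not code from the original article; the trusted-domain list, the homoglyph table and the sample e-mail are constructed for the demonstration, and the eTLD+1 logic is a deliberate simplification (last two labels) that a real filter would replace with a public suffix list.

```python
"""Flag phishing indicators in an HTML e-mail (added example, not from the article):
1. anchor text that shows one domain while the href points at another;
2. hrefs whose host imitates a trusted brand domain (digit-for-letter swaps,
   hyphen padding, or the brand name buried in a subdomain of another site)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed list of brands this recipient legitimately deals with (assumption).
TRUSTED_DOMAINS = {"ebay.com", "examplebank.com"}

# Digit-for-letter substitutions commonly used in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# A domain-looking token inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels (simplification; use a suffix list in production)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None if it is genuine/unrelated."""
    host = host.lower()
    if registered_domain(host) in TRUSTED_DOMAINS:
        return None  # the real domain, or a real subdomain of it
    normalised = host.translate(HOMOGLYPHS).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in normalised:
            return trusted
    return None


def analyze_links(html):
    """Return [{'href': ..., 'reasons': [...]}] for every suspicious anchor, in document order."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reasons = []
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append(f"visible text names {shown.group(1)} but the link goes to {host}")
        target = lookalike_of(host)
        if target:
            reasons.append(f"{host} imitates trusted domain {target}")
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings


# Constructed sample message modelled on the eBay "account suspension" lure.
SAMPLE_EMAIL = """<html><body>
<p>Dear eBay member, your account will be suspended unless you update your card.</p>
<p><a href="http://secure.ebay.com.account-verify.net/update">http://www.ebay.com/update</a></p>
<p><a href="https://www.ebay.com/help">Help center</a></p>
<p><a href="http://examp1ebank-login.com/signin">Sign in to your bank</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Running the block reports the first and third links and leaves the genuine `www.ebay.com` link alone; the first link is caught twice, once for the text/href mismatch and once because `ebay` appears inside a host registered under `account-verify.net`, which is exactly the "looks like eBay" trick the 2003 campaign relied on.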
IVR or phone phishing
Phone phishing (or "vishing") uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank's or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a number (ideally toll-free) provided in order to "verify" information. A typical "vishing" system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.
Spear phishing
Although similar to "phishing", spear phishing is a technique that fraudulently obtains private information by sending highly customized emails to multiple end users. This is the main difference from phishing attacks, because phishing campaigns focus on sending out high volumes of generalized emails in the expectation that only a few people will respond. Spear-phishing emails, on the other hand, require the attacker to perform additional research on their targets in order to "trick" end users into performing the requested activities. The success rate of spear-phishing attacks is considerably higher than that of phishing attacks, with people opening roughly 3% of phishing emails compared to roughly 70% of spear-phishing attempts. Furthermore, when users actually open a phishing email, it has a relatively modest 5% success rate in getting the link or attachment clicked, compared to a 50% success rate for a spear-phishing attack.
The success of spear phishing depends heavily on the amount and quality of OSINT (open-source intelligence) that the attacker can obtain. Social media account activity is one example of an OSINT source.
Water holing
Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe doing things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website he or she visits often. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some supposedly very secure systems.
The attacker may set out by identifying a group or individuals to target. The preparation involves gathering information about websites the targets often visit from the secure system. The information gathering confirms that the targets visit those websites and that the system allows such visits. The attacker then tests these websites for vulnerabilities that allow injecting code that may infect a visitor's system with malware. The injected code trap and the malware may be tailored to the specific target group and the specific systems they use. In time, one or more members of the target group will get infected and the attacker can gain access to the secure system.
Baiting
Baiting is like a real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations where people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.
For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In either case, just inserting the disk into a computer installs the malware, giving the attacker access to the victim's PC and, perhaps, the target company's internal computer network.
Unless computer controls block the infection, insertion compromises a PC that "auto-runs" the media. Hostile devices can also be used. For instance, a "lucky winner" is sent a free digital audio player that compromises any computer it is plugged into. A "road apple" (the colloquial term for horse manure, suggesting the device's undesirable nature) is any removable media carrying malicious software that is left in an opportunistic or conspicuous place. It may be a CD, DVD, or USB flash drive, among other media. Curious people pick it up and plug it into a computer, infecting the host and any attached networks. Hackers may give them enticing labels, such as "Employee Salary" or "Confidential".
A study done in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files that linked to web pages owned by the researchers. The researchers were able to see how many of the drives had files opened, but not how many were inserted into a computer without a file being opened. Of the 297 drives dropped, 290 (98%) were picked up and 135 (45%) "called home".
Quid pro quo
Quid pro quo means something for something:
- An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
- In a 2003 information security survey, 90% of office workers gave researchers what they claimed was their password in answer to a survey question, in exchange for a cheap pen. Similar surveys in later years obtained similar results using chocolate and other cheap lures, although they made no attempt to validate the passwords.
Tailgating
An attacker seeking entry to a restricted area secured by unattended electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attacker may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.
Vishing
Vishing, otherwise known as "voice phishing", is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. It is also employed by attackers for reconnaissance purposes, to gather more detailed intelligence on a target organization.
Other types
Common confidence tricksters or fraudsters could also be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.
Newer types of social engineering techniques include spoofing or hacking the IDs of people who hold popular e-mail IDs such as Yahoo!, Gmail, Hotmail, etc. Among the many motivations for deception are:
- Phishing credit-card account numbers and their passwords.
- Cracking private e-mails and chat histories, and manipulating them with common editing techniques before using them to extort money and create distrust among individuals.
- Cracking the websites of companies or organizations and destroying their reputation.
- Computer virus hoaxes.
- Convincing users to run malicious code within their web browser via a self-XSS attack, allowing access to their web accounts.
Countermeasures
Organizations reduce their security risks by:
- Standards framework: Establishing frameworks of trust on an employee/personnel level (i.e., specifying and training personnel on when/where/why/how sensitive information should be handled).
- Scrutinizing information: Identifying which information is sensitive and evaluating its exposure to social engineering and to breakdowns in security systems (building, computer system, etc.).
- Security protocols: Establishing security protocols, policies, and procedures for handling sensitive information.
- Training employees: Training employees in the security protocols relevant to their position (e.g., in situations such as tailgating, if a person's identity cannot be verified, employees must be trained to politely refuse).
- Event test: Performing unannounced, periodic tests of the security framework.
- Inoculation: Preventing social engineering and other fraudulent tricks or traps by instilling resistance to persuasion attempts through exposure to similar or related attempts.
- Review: Reviewing the above steps regularly: no solution to information integrity is perfect.
- Waste management: Using a waste management service that has dumpsters with locks on them, with keys limited to the waste management company and the cleaning staff. Locating the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence, where a person must trespass before they can attempt to access it.
Kevin Mitnick
Kevin Mitnick is an American computer security consultant, author and hacker, best known for his high-profile arrest in 1995 and his subsequent five-year conviction for various computer- and communications-related crimes. He now runs the security firm Mitnick Security Consulting, LLC, which helps test companies' security strengths, weaknesses, and potential loopholes. He is also the Chief Hacking Officer of the security awareness training company KnowBe4, as well as an active advisory board member at Zimperium, a firm that develops a mobile intrusion prevention system.
Susan Headley
Susan Headley is an American hacker who was active during the late 1970s and early 1980s and is widely respected for her expertise in social engineering, pretexting, and psychological subversion. A former prostitute, she was known for her specialty in breaking into military computer systems, which often involved going to bed with military personnel and going through their clothing for usernames and passwords while they slept. She became heavily involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles, but later framed them for erasing the system files at US Leasing after a falling-out, leading to Mitnick's first conviction. She retired to professional poker.
Christopher Hadnagy
Christopher Hadnagy is a security professional recognized for writing the first extensive framework defining the physical and psychological principles of social engineering. He is best known for his books and podcasts, and for being the creator of the DEF CON Social Engineering Capture the Flag and the Social Engineering CTF for Kids.
Mike Ridpath
Mike Ridpath is a security consultant, published author, and speaker who emphasizes techniques and tactics for social engineering cold calling. He became notable after talks in which he would play recorded calls and explain his thought process about what he was doing to obtain passwords over the phone, as well as live demonstrations. As a child, Ridpath was connected with the Badir Brothers and was widely known in the phreaking and hacking community for his articles in popular underground ezines such as Phrack, B4B0 and 9x on Oki 900 modifications, blueboxing, satellite hacking and RCMAC.
Badir Brothers
Brothers Ramy, Muzher, and Shadde Badir, all of whom were blind from birth, managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.
David Pacios
Creator of the applied social engineering concepts that distinguish digital fraud from social hacking learning. Author of Ingeniería Social Aplicada: Primera línea de defensa. Known for sharing his knowledge in public talks about human hacking and deep web shopping.
Legal
In common law, pretexting is an invasion of privacy under the tort of appropriation.
Pretexting of telephone records
In December 2006, the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony, with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on January 12, 2007.
Federal legislation
The 1999 "GLBA" is a US federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, an SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. Section 5 of the US Federal Trade Commission Act (FTCA) states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."
The statute states that when someone obtains any personal, non-public information from a financial institution or from the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.
While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside the many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.
1st Source Information Specialists
U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing their own suits against 1st Source Information Specialists and, in Missouri's case, one other records broker, First Data Solutions, Inc.
Several wireless providers, including T-Mobile, Verizon, and Cingular, had earlier filed lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.
HP
Source of the article : Wikipedia