Friday, February 21, 2014

Part II-2: Social Engineers’ Attack Principles (1/2)

Research First

The first phase of an attack is gathering information. Social engineers collect information about the victim and the people around the victim. This information will be extremely useful in the next phase of the attack.

Posing as Someone Else

Social engineers routinely pose as someone else to get what they need. They may pose as a writer or a movie maker asking for information, with the excuse that it will make the book or the movie more realistic. Another example is to pose as a store manager and try to get customer information.

Context and Innocuous Information

A lot of information seems harmless on its own. But with each piece the attacker collects, he or she sounds more like an insider, and is therefore likely to be given more and more. A piece of information can be sensitive when an outsider asks for it but innocuous when an insider does. By gathering more information, the attacker changes the context in which the question is asked. When the context changes, the sensitivity changes, and the attacker is one step closer to what he or she needs.

Lingo and Procedures

Lingo (i.e., terminology) and procedures are what people say and do in an organization. If you know them, you can easily pretend to be an insider. Think about it. How many acronyms does your company have? Do you use them every day? Your customers would probably not know them, but your people would. So, when someone talks to you in your organization's lingo, would you assume they are an insider? Well, I do. But I usually don't really trust them, even if they are an insider.

Start with Rapport

Do not start by asking for what you want. Start by placing friendly calls to establish trust and rapport. This is especially important when the required information is sensitive. For example, it could be more difficult to get credit card numbers from a retail store. A social engineer could pretend to be a manager from another branch, but a careful social engineer would build up trust before asking for the card number.

Space and Time

Use space and time to avoid the presence of a particular person. For example, a social engineer may make a first call to find out the name of the store manager. When impersonating the store manager, the social engineer would then call another branch, or call the same branch later, to avoid talking to the same person who gave up the name.
Source: The Art of Deception: Controlling the Human Element of Security

Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].

There is one more reason that may encourage you to go for the audiobook version: you can get it now for FREE. Audible offers a free 14-day trial. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log into Audible again; you can keep downloading it over and over.

About the summary: It takes time to finish a book, and when you do, you sometimes want to review what you learned from it. If you did not make notes as you read, you might have to go through the book once again. This is time-consuming, but with a printed book you can at least flip through it and locate what you are looking for.

With an audiobook, however, it is extremely hard to locate a specific part of the content. Most likely you will have to listen to the entire audiobook once again.

This book summary helps solve the pain of having to go through the book all over again.

I am leaving out the details of the book. Most books have interesting examples and case studies that are not included here. Reading the original would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source cited above.
