Tuesday, February 25, 2014

Part II-3: Social Engineers’ Attack Principles (2/2)



Look for the Weakest Link

Your security is only as good as your weakest link. Social engineers know this very well. The weakest link can be a hole in a piece of software or it can be a trusting person. That is where social engineers aim.

Your Outsourcers

Your outsourcers might not be as well trained in security as your own staff. They may let a social engineer in without proper authentication.

Do not Burn the Source

Social engineers listen carefully to the tone of the other side. They do not push so hard that the other side starts to feel uncomfortable. They keep a good relationship in case they need to come back later. If they find someone who gives out information easily, they will keep going back to the same person for more. If they find a security hole in a server, they will try to return to it later. What they don't do is brag about it; they don't want the victim to know. They simply don't like to burn their own bridges.

Decoy Questions

Never start or end the conversation with what you'd like to find out. Fire off a few questions to seem natural. Then, right before asking for what you need, ask personal questions; if the other side feels comfortable, you may proceed. After getting what you want, keep asking other questions or chatting for a while. If an investigation takes place, the other side will probably remember only the last few questions, which, in this case, are not what you wanted to know.

Setting Up Verification

One good strategy for catching a social engineer is to check the name in the database, or to call someone you know who can verify the social engineer's identity. But this measure must be used with caution. An articulate social engineer may plant their name in the database ahead of time. When the suspect places the call, you don't hear what the verifier is saying; all you hear is what the suspect is saying. The suspect may cook up some facts and speak them out loud so that you can hear them. Those facts could sound believable to you, yet make no sense at all to the verifier. After the conversation, the suspect simply hangs up. Verification set up by the hacker is more dangerous than no verification at all, since people tend to believe those who pass verification procedures. The verification only counts if you place the call yourself, to a number you looked up independently.

Caller ID

Caller ID is the number of the person who is calling us. A lot of people use caller ID as identifying information: when the caller ID is known to us, we tend to trust the person on the other end. But caller ID can be spoofed by a sophisticated PABX if the carrier does not verify it. Relying on caller ID is therefore quite dangerous, precisely because we trust people from known caller IDs more.

Use Google

Google is notorious for keeping personal information almost indefinitely. This is where social engineers look for information. The victim may be very careful now, but he or she might not have been in the past. The victim might have participated in a group collaboration, and the conversation might not have been private. A social engineer can look for information such as contact numbers, addresses, and the names of friends, relatives, colleagues, bosses, and so on. It is very hard to coax Google into throwing this information away. It is better not to trust someone without proper authentication.
Source: The Art of Deception: Controlling the Human Element of Security
---------------------------------------------------------------------------------------------------------

Book or Audiobooks?

Personally, I prefer audiobooks. It's fun, and I can listen while I'm doing something else. It also makes other activities (e.g., jogging) a lot more fun. For more detail about audiobooks, please read [this post].

There is one more reason that may encourage you to go for the audiobook version. You can get it now for FREE. Audible offers you a free trial for 14 days. Even if you get the book and cancel the subscription right away (so that you don't have to pay), you can keep the book. And don't worry if you lose the audiobook file. Just log into audible.com. You can keep downloading it over and over again.

About the summary: It takes time to finish a book. And when you do, sometimes you want to review what you learned from it. If you do not make notes as you read, you might have to go through the book once again. This can be time-consuming when you are dealing with a printed book, but at least you can flip through it and locate what you are looking for.

However, when the material is an audiobook, it is extremely hard to locate a specific part of content. Most likely you will have to listen to the entire audiobook once again.

This book summary will help solve the pain of having to go through the book all over again.

I am leaving out the details of the books. Most books have interesting examples and case studies, which are not included here. Reading the original book would be much more entertaining and enlightening. If you like the summary, you may want to get the original from the source below.
