Techniques

Figure 1: Techniques of Social Engineering

What techniques might be employed? The techniques that could be employed largely rely on the strength, skill and ability of the individual employing them. As illustrated in Figure 1, the first phase of an attack will probably involve gathering information about the target. Examples of information-gathering techniques that could be used include:
- Shoulder surfing: looking over the shoulder of an individual as he types in his access code and password/PIN on a keypad for the purpose of committing this to memory so it can be reproduced.
- Checking the rubbish (commonly referred to as 'Dumpster Diving'): searching through rubbish thrown away to obtain potentially useful information that should have been disposed of more securely (e.g. shredding).
- Mail-outs: information is gathered about an individual/organization by enticing him/its staff to participate in a survey that offers enticements, such as prizes for completing the survey.
- Forensic analysis: obtaining old computer equipment such as hard-drives, memory sticks, DVD/CDs, floppy disks and attempting to extract information that might be of use about an individual/organization.

Upon the completion of this phase, which is most likely to be the longest part of the attack from the aggressor's perspective, an aggressor may use one of a number of techniques to achieve his end objective. Each technique used can be grouped into one of two categories. The first category is 'human-based' and relies on interpersonal relationships, while the second is 'computer-based' and relies on technology.
No matter which technique is used, an individual is likely to favor simplicity to ensure success. Common techniques that might be used include the following:
- Direct approach: an aggressor may directly ask a target individual to complete a task (e.g. a phone call to a receptionist asking them for their username and password). While this is the easiest and the most straightforward approach, it will most likely be unsuccessful, since any security-conscious individual will be mindful of providing such information.
- Important user: by pretending to be a senior manager of an organization with an important deadline, the aggressor could pressure the Helpdesk operator into disclosing useful information, such as:
  - the type of remote access software used;
  - how to configure it;
  - the telephone numbers to the remote access server to dial;
  - the appropriate credentials to log in to the server.

  Upon obtaining this information, the aggressor could then set up remote access to the organization's network. The aggressor could then call back hours later to explain that he had forgotten his account password and request that it be reset.
- Helpless user: an aggressor may pretend to be a user who requires assistance to gain access to the organization's systems. This is a simple process for an aggressor to carry out, particularly if he has been unable to obtain/research enough information about the organization. For example, the aggressor would call a secretary within the organization pretending to be a new temp who is having trouble accessing the organization's system. Not wishing to offend the person or appear incompetent, the secretary may be inclined to help out by supplying the username and password of an active account.
- Technical support personnel: by pretending to belong to an organization's technical support team, an aggressor could extract useful information from an unsuspecting user. For example, the aggressor may pretend to be a system administrator who is trying to help with a system problem and requires the user's username and password to resolve the problem.
- Reverse Social Engineering (RSE): a legitimate user is enticed to ask the aggressor questions to obtain information. With this approach, the aggressor is perceived as being of higher seniority than the legitimate user who is actually the target.
- E-mail: the use of a topical subject to trigger an emotion that leads to unwitting participation from the target. There are two common forms. The first involves malicious code, such as that used to create a virus. This code is usually hidden within a file attached to an email. The intention is that an unsuspecting user will click/open the file; for example, the 'ILoveYou' virus and the 'Anna Kournikova' worm. The second, equally effective, approach involves scams, chain mail and virus hoaxes. These have been designed to clog mail systems by reporting a non-existent virus or competition and requesting the recipient to forward a copy on to all his/her friends and co-workers. As history has shown, this can create a significant snowball effect once started.
- Website: a ruse used to get an unwitting user to disclose potentially sensitive data, such as the password he/she uses at work. For example, a website may promote a fictitious competition or promotion, which requires a user to enter in a contact email address and password. The password entered may very well be similar to the password used by the individual at work.
- Phishing: uses specially crafted emails to entice recipients to visit a counterfeit website. This website is likely to have been designed, using well-known and trusted brands, to convince the individual to provide financial and/or personal information. The information harvested is then used for fraudulent purposes. In some instances, while visiting a website, malicious code such as Trojan key logging software is installed on the unsuspecting user’s computer in an attempt to gain further sensitive information about/from the individual.
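As an added example, not part of the original article, here is a defender-side check for the phishing lure described above: a small Python scanner that pulls URLs out of an email body and flags hostnames that embed, or sit within a couple of edits of, a trusted brand's domain. The trusted-domain list and the sample email are constructed for illustration; the brand names and hostnames in it are assumptions, not real sites.

```python
import re
from urllib.parse import urlparse

# Constructed list of domains the organisation's users legitimately trust (assumption).
TRUSTED_DOMAINS = frozenset({"examplebank.com", "example-mail.com"})

# Pull http/https URLs out of free text; trailing punctuation is stripped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Crude 'registrable domain': last two labels (enough for .com-style names)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a single URL."""
    host = (urlparse(url.rstrip(".,;:!?)")).hostname or "").lower()
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]
        # Brand name used as a subdomain or label of some other domain,
        # e.g. examplebank.com.<attacker-controlled>.net
        if brand in host:
            return "lookalike"
        # Typosquat: registrable domain within two edits of the real one.
        if levenshtein(reg, t) <= 2:
            return "lookalike"
    return "unknown"


def scan_email(body: str, trusted=TRUSTED_DOMAINS):
    """Return [(url, verdict)] for every URL that is not on the trusted list."""
    findings = []
    for url in URL_RE.findall(body):
        verdict = classify_url(url, trusted)
        if verdict != "trusted":
            findings.append((url, verdict))
    return findings


# Constructed sample message; every hostname below is fictitious.
SAMPLE_EMAIL = """Dear customer,
Your account has been limited. Please verify at https://examplebank.com.secure-login-verify.net/update
or visit https://exannplebank.com/login within 24 hours.
Statement archive: https://www.examplebank.com/statements
Unsubscribe: http://newsletter-host.org/unsub"""

if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

The two heuristics correspond to the two things the passage describes: a counterfeit site trading on a trusted brand name, and a domain that merely resembles one. The edit-distance threshold of 2 is deliberately loose and will over-flag short domains; in a mail gateway this check would feed a review queue or a warning banner, not an automatic block.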