
76     Chapter 2 • General Security Concepts: Attacks

potential victim is the company's Web site, which usually lists executive personnel, phone lists, and other information that can be used to trick a victim. Knowing a few important names, for example, can make the attacker seem more authentic and can allow him to pose as someone he is not, perhaps asking for classified information over the telephone. This information can be something as trivial as someone's telephone number, or as confidential as someone's server password and login ID.

Unfortunately, you can't firewall employees, but you can make them aware of policies regarding disclosure of information, especially over the telephone or via e-mail. The human factor can often be the weakest link in the security of a network. However, the positive side is that most employees do not wish to harm the company, and will follow disclosure procedures if they are made aware of the problem.

It's very important to recognize the threat that social engineering poses. Employee education and creating a Password Protection Policy are the best ways to defend against social engineering.


EXERCISE 2.03

PERFORMING SOCIAL ENGINEERING ATTACKS

The best way to see the success that can be had with social engineering is to try it. With permission from your employer, make phone calls to random employees and do some information gathering. Have a list of questions handy, and, if necessary, practice what you will say. The smoother and more confident your delivery, the more successful you will be.

Be careful to not ask sensitive questions without a proper introduction. Avoid asking questions such as "Hi, I'm from tech support; what is your password, please?" Instead, try a different approach to first gain trust. For example, get the number of a pay phone that accepts incoming calls. Telephone your victim and prepare a story about needing to verify passwords on the server, or something of that nature. Now, inform the victim that "for security reasons" you'd like him or her to call you back at the following number, and give the pay phone number. When the victim calls back, be certain to answer the telephone professionally, and have the victim give you his or her password or other important information. It is important to establish some kind of trust or authority before requesting the information.

Social engineering takes practice (and a certain amount of talent) and every situation is different, so there isn't really any right or wrong




          www.syngress.com