CertiGuide to Security+ - 1.4.9 Social Engineering

WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.

Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!

Get It Here!

CertiGuide to Security+
9 Chapter 1: General Security Concepts (Domain 1.0; 30%)
9 1.4 Attacks

1.4.8 Mathematical

1.4.10 Birthday

1.4.9 Social Engineering
(Page 1 of 3)

(Also Refer to Sections 1.6 and 5.1.2)

In the introduction you learned that Social Engineering is the biggest challenge we face. Even the strongest cryptography in the world is useless if someone is fooled into giving away the keys to the city that allow an intruder to participate in an encrypted conversation, tunneling right through the firewall to an internal server. Lurking on the Internet, we have learned that the best 'black hats' rely on exploiting human nature more than any technical exploit ⁸³.

For example, they can exploit users’ willingness to give up information they can use to gain unauthorized system access, either by impersonating legitimate users or making themselves sound legitimate (for instance, claiming to be a tech support engineer working for a vendor).

Kinds of information that can be gained via social engineering include:

modem telephone numbers
user ID’s and passwords
types of software running on important servers
information about when certain processes take place on the computer (etc.)

Crackers can also exploit their knowledge of how naïve users think, such as:

using weak passwords like “password”
putting no password on the Administrator (god) account
being willing to share passwords with others
not carefully controlling network file shares

The best way to protect against social-engineering attacks is to educate your users on the importance of security, and the types of information that should not be given out to anyone without proper authorization (ideally in person or in writing, since someone could claim, “Joe, our network admin, asked me to call you and get your password,” when you, Joe, had nothing to do with the request).

Think you’re clued-in enough to be immune to such attempts yourself? Don’t bet on it. We’ve seen tech-savvy senior admins fall for attempts made by would-be intruders thinking “outside the box”. The attacker doesn’t have to be able to out-think the admin every time to be successful… just once will often do. As with other types of attacks, your goal is to reduce the level of risk – not to completely eliminate it.

__________________

83. http://www.nwfusion.com/research/2004/0301hackers.html

1.4.8 Mathematical

1.4.10 Birthday

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!

Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.