The majority of successful breaches and thefts of sensitive data involve a social engineering attack, commonly known as people hacking. If you ask any IT security person about physical security, he or she will probably start talking about key-card locks, cameras, and the protection of personal documents. It is right to talk about these, because physical security can be breached easily through social engineering. In this chapter, you will learn about the various social engineering techniques that can be used to violate security, and about the mechanisms and practices that protect against them.
What Is a Social Engineering Attack?
Social engineering is a popular attack technique that works physically and/or psychologically, and it relies heavily on human interaction. The attacker manipulates the victim into bypassing the standard security mechanisms in order to gain access to sensitive data, systems, networks, servers, and so on. Examples of social engineering attacks include:
- Phishing
- Spear phishing
- Dumpster diving
- Vishing
- Pretexting
- Baiting
- Shoulder surfing
- Tailgating
- Quid pro quo, etc.
In this chapter, we will discuss some of the popular social engineering attack techniques and how to secure users and their systems against such threats.
Phishing
Phishing is the most popular form of social engineering attack, and every security professional must stay aware of it. The attacker creates a dummy website or portal imitating a popular organization, institute, or company and sends the (illegitimate) link to targets by email or social media. At the other end, the victim is a legitimate user who is unaware of the attack and enters his or her personal information. The attacker thereby obtains the user's login credentials and other personal information and logs into the genuine site with them.
As a security analyst, you must make employees and users aware of the threat and put spam filters on their email to protect them from phishing emails. Also note that phishing links usually use HTTPS, so the padlock alone proves nothing; what they will not have is a genuine domain name. These are the practical ways to protect your venture, employees, or organization from such attacks.
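A defender-side check that follows the advice above (judge the domain name, not the HTTPS padlock), added here as an illustration and not code from the original text; the allow-list, the sample links and the look-alike table are constructed for the example.

```python
"""Classify e-mail links by their real host rather than their padlock.
Constructed example: the allow-list, sample links and look-alike table are made up."""
from urllib.parse import urlsplit

# Domains the organisation really owns (constructed for this example).
TRUSTED_DOMAINS = {"example-bank.com"}

# Digits often substituted for letters in look-alike domains, mapped back to the letter.
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def host_is_trusted(host: str) -> bool:
    """A host is genuine only if it is, or sits directly under, a trusted domain."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def assess_link(url: str) -> list[str]:
    """Return the reasons a link is suspicious; an empty list means it is genuine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()      # hostname excludes any user-info before '@'
    if host_is_trusted(host):
        return []
    reasons = [f"host {host!r} is not an allow-listed domain"]
    if "@" in parts.netloc:
        reasons.append("text before '@' is user-info the browser ignores; the real host follows it")
    normalised = host.translate(LOOKALIKES)
    for d in TRUSTED_DOMAINS:
        brand = d.split(".")[0]
        if brand in host:
            reasons.append(f"{brand!r} appears inside the host, but {d!r} is not its registered domain")
        elif normalised == d or normalised.endswith("." + d):
            reasons.append(f"host is a digit-for-letter look-alike of {d!r}")
    if parts.scheme == "https":
        reasons.append("HTTPS only encrypts the connection; it does not make the site genuine")
    return reasons

def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when the text shown to the reader looks like a URL but names a different host."""
    shown = visible_text.strip()
    if " " in shown or "." not in shown:
        return False                           # plain words such as 'Click here' name no host
    if "://" not in shown:
        shown = "https://" + shown
    return (urlsplit(shown).hostname or "") != (urlsplit(href).hostname or "")

if __name__ == "__main__":
    for link in ("https://login.example-bank.com/account", "https://example-bank.com.evil.test/login",
                 "https://example-bank.com@evil.test/", "http://examp1e-bank.com/login"):
        print(link, "->", assess_link(link) or "looks genuine")
```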
Dumpster Diving
Many cybercriminals scrounge through dustbins and other garbage areas looking for information and other sensitive data about users. People routinely throw away papers such as ATM receipts that contain financial details about the user, along with names and phone numbers. Cybercriminals can use this material effectively to compromise users.
As a cybersecurity professional, you have to recommend setting up a designated area where sensitive files, DVDs, and other such material are securely disposed of, so that employees' data and sensitive information are protected.
Shoulder Surfing
Shoulder surfing is the act of acquiring personal or private sensitive information through direct observation. This social engineering technique involves looking or peeping over a person's shoulder to gather relevant information about the victim. It is done not only by humans but also by cameras fitted in the room.
So, when entering personal data and sensitive information into an online form in a cyber cafe, it is recommended to check whether anyone, or any camera, is watching your personal data and passwords.