CEH_ Official Certified Ethical Hacker Review Guide_ Exam 312-50 - Kimberly Graves [22]
Explanation:
3232238085
The same address looks like C0A80A05 in IP hex. This conversion requires that you divide 3232238085 by 16 multiple times. Each remainder gives one hex digit of the address, starting from the least significant digit.
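The repeated division described above, written out as an added example (not code from the book). The function names and the `normalize_host` helper are assumptions made for illustration; the helper goes one step beyond the text and rewrites decimal or hex hosts as dotted-quad addresses, which is useful when reviewing proxy or mail logs.

```python
HEX_DIGITS = "0123456789ABCDEF"


def divide_by_16(value):
    """Return the remainders of repeated division by 16, least significant first."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("an IPv4 address must fit in 32 bits")
    remainders = []
    while value > 0:
        value, remainder = divmod(value, 16)
        remainders.append(remainder)
    return remainders


def to_ip_hex(value):
    """Build the 8-digit hex form by reading the remainders in reverse order."""
    digits = [HEX_DIGITS[r] for r in reversed(divide_by_16(value))]
    return "".join(digits).rjust(8, "0")  # pad so every octet has two digits


def to_dotted_quad(value):
    """Each pair of hex digits is one octet of the dotted-decimal address."""
    ip_hex = to_ip_hex(value)
    return ".".join(str(int(ip_hex[i:i + 2], 16)) for i in range(0, 8, 2))


def normalize_host(host):
    """Hypothetical log-review helper: rewrite a decimal or 0x-prefixed hex
    host as a dotted quad; any other host is returned unchanged."""
    try:
        value = int(host.strip(), 0)  # base 0 accepts "3232238085" and "0xC0A80A05"
    except ValueError:
        return host  # a hostname or an address that is already dotted
    if not 0 <= value <= 0xFFFFFFFF:
        return host
    return to_dotted_quad(value)


if __name__ == "__main__":
    address = 3232238085  # the value used in the explanation above
    print("remainders:", divide_by_16(address))
    print("IP hex:    ", to_ip_hex(address))
    print("dotted:    ", to_dotted_quad(address))
    for sample in ("3232238085", "0xC0A80A05", "www.example.com"):  # constructed
        print(sample, "->", normalize_host(sample))
```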
Social-Engineering Countermeasures
Being able to identify how to combat social engineering is critical for any certified ethical hacker. There are a number of ways to do this.
Documented and enforced security policies and security-awareness programs are the most critical components in any information-security program. Good policies and procedures aren't effective if they aren't taught and reinforced to employees. The policies need to be communicated to employees to emphasize their importance and then enforced by management. After receiving security-awareness training, employees will be committed to supporting the security policies of the organization.
The corporate security policy should address how and when accounts are set up and terminated, how often passwords are changed, who can access what information, and how violations of the policy are to be handled. It should also cover the help desk procedures for the previous tasks as well as for identifying employees, for example using an employee number or other information to validate a password change. The destruction of paper documents and physical access restrictions are additional areas the security policy should address. Lastly, the policy should address technical areas such as use of modems and virus control.
One of the advantages of a strong security policy is that it removes the responsibility of employees to make judgment calls regarding a hacker's request. If the requested action is prohibited by the policy, the employee has guidelines for denying it.
The most important countermeasure for social engineering is employee education. All employees should be trained on how to keep confidential data safe. Management teams are involved in the creation and implementation of the security policy so that they fully understand it and support it throughout the organization. The company security-awareness policy should require all new employees to go through a security orientation. Annual classes should be required to provide refreshers and updated information for employees.
Another way to increase involvement is through a monthly newsletter with security-awareness articles.
Exam Essentials
Understand the difference between human-based and computer-based social-engineering attacks. Human-based social engineering uses nontechnical methods to initiate an attack whereas computer-based social engineering employs a computer.
Know the types of human-based social-engineering attacks. Impersonation, posing as an important user, the third-person approach, posing as technical support, shoulder surfing, and dumpster diving are types of human-based social engineering.
Know the types of computer-based social-engineering attacks. E-mail attachments, fake websites, pop-up windows, and reverse social engineering are all computer-based social-engineering methods.
Understand the importance of employee education. Educating employees on the signs of social engineering and on the company's security policy is key to preventing social-engineering attacks.
Know the components of social-engineering security policies. The security policies include policies on how to set up accounts, how often to change passwords,