CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [59]
With social engineering, the villain doesn’t always have to be seen or heard to conduct the attack. The use of e-mail was mentioned earlier, and in recent years, the frequency of attacks via instant messaging (IM) has also increased. Attackers can send infected files over IM as easily as they can over e-mail. A recent virus on the scene accesses a user’s IM client and uses the infected user’s buddy list to send messages to other users and infect their machines as well.
Phishing is a form of social engineering in which you simply ask someone for a piece of information that you are missing by making it look as if it is a legitimate request. An e-mail might look as if it is from a bank and contain some basic information, such as the user’s name. The e-mail will often state that there is a problem with the person’s account or access privileges and tell the recipient to click a link to correct the problem. After clicking the link—which goes to a site other than the bank’s—the recipient is asked for their username, password, account information, and so on. The person instigating the phishing can then use the values entered there to access the legitimate account.
One of the best counters to phishing is to simply mouse over the Click Here link and read the URL. Almost every time, it points to an adaptation of the legitimate URL rather than to the real thing.
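The mouse-over check can also be run automatically over the HTML body of a message. The following is an added example, not taken from the book: the domain examplebank.test, the sample message, and the names `LinkCollector` and `check_links` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT = "examplebank.test"  # assumed legitimate domain (constructed)

# Constructed sample body of a message claiming to come from the bank.
SAMPLE = """<p>Dear Pat, there is a problem with your account.</p>
<a href="https://www.examplebank.test/login">Sign in</a>
<a href="http://examplebank.test.account-verify.example/login">Click Here</a>
<a href="http://www.examplebank.test@203.0.113.7/fix">Click Here</a>
<a href="http://203.0.113.9/u">https://www.examplebank.test/login</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_links(html, legit=LEGIT):
    """Return (href, real_host, reason) for links that leave `legit`."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        # .hostname is what the browser connects to: it drops any
        # "user@" prefix and the port, and is lowercased.
        host = (urlsplit(href).hostname or "").rstrip(".")
        if not host or host == legit or host.endswith("." + legit):
            continue  # no host (mailto:, #anchor) or genuinely the bank
        if legit in href.lower():
            reason = "legit-name-in-url"   # adaptation of the real URL
        elif legit in text.lower():
            reason = "legit-name-in-text"  # text shows one URL, href another
        else:
            reason = "off-domain"
        findings.append((href, host, reason))
    return findings

if __name__ == "__main__":
    for href, host, reason in check_links(SAMPLE):
        print(f"{reason:20} real host: {host:40} {href}")
```

The comparison is made against the parsed host rather than the raw string, because the legitimate name can appear anywhere in a URL without being the site the link actually reaches.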
The only preventive measure in dealing with social engineering attacks is to educate your users and staff to never give out passwords and user IDs over the phone or via e-mail, or to anyone who isn’t positively verified as being who they say they are. Social engineering is a recurring topic that will appear several times throughout this book as it relates to the subject being discussed.
Real World Scenario
A Security Analogy
In this chapter, a number of access methods were discussed. Sometimes it can be confusing to keep them all straight. To put the main ones somewhat in perspective, think of them in terms of a stranger who wants to gain access to your house. There are any number of types of individuals who may want to get in your house without your knowing it:
■ A thief wanting to steal any valuables you may have
■ Teenagers wanting to do something destructive on a Saturday night
■ Homeless people looking to get in out of the cold and find some food
■ A neighbor who has been drinking and accidentally pulls in the wrong driveway and starts to come in, thinking it is their house
■ A professional hit man wanting to lie in wait for you to come home
There are many more, but these represent a good cross section of individuals, each of whom has different motives and motivational levels for trying to get in.
To keep the thief out, you could post security signs all around your house and install a home alarm. He might not know if you really have ABC Surveillance active monitoring—as the signs say—but he might not want to risk it and go away looking for an easier target to hit. In the world of computer security, encryption acts like your home alarm and monitoring software, alerting you (or your monitoring company) to potential problems when they arise.
The teenagers just want to do damage anywhere, and your house is as good as the next one. Installing motion lights above the doors and around the side of the house is really all you need to make them drive farther down the road. In the world of computer security, good passwords—and policies that are enforced—will keep these would-be intruders out.
The homeless also have no particular affection for your home as opposed to the next. You can keep them out by using locks on your doors and windows and putting a fence around your yard. If they can’t get in the fence, they can’t approach the house, and if they do