[Social engineering is the art of manipulating people so they give up confidential information. The attacker solicits information such as passwords or PIN numbers from victims.]
Provide 3 examples of social engineering attacks and describe how they could be used to undermine the security of your IT infrastructure.
[ your answer goes here ]
How can social engineering attacks be defended against? Provide 5 examples with descriptions.
[ your answer goes here ]
Social engineering can be defined as tricking users into giving up sensitive or personal information, which can then be misused by an attacker.
Social engineering attacks are as follows:
1) Phishing: a type of social engineering that targets users' personal information such as names, addresses and social security numbers. It uses misleading links that redirect users to suspicious websites. It also tries to create a sense of urgency so that users tend to respond quickly.
2) Pretexting: here the attacker creates a plausible pretext, telling users that a certain piece of information is needed to confirm their identity. In reality, the attacker steals the data and uses it to commit identity theft and stage secondary attacks.
3) Tailgating: in this type of attack, someone without the proper authentication follows an authenticated employee into a restricted area. The attacker might impersonate a delivery driver and wait outside a building to get things started. When an employee gains security's approval and opens the door, the attacker asks the employee to hold the door, thereby gaining access to the building.
4) Vishing: also known as voice phishing, this is the criminal practice of using the telephone system to convince a victim to provide access to personal or financial information.
Social engineering attacks can be defended against in the following ways:
1) Raising awareness: users should know what a phishing mail looks like and how to handle it.
2) Skilled employees: employees must be trained against phishing attacks, and the training must be followed by test checks in which the security department periodically imitates phishing attacks on employees' emails. Employees who do not pass the test should be retrained.
3) Implementation of high-level security in the organization: implement a security-aware culture. This requires that the highest levels of the organization push and enforce the need for individual security accountability. This can be done by:
- implementing a reward system for maintaining security in the organization;
- adding measurable objectives to each employee's yearly review.
4) Frequent testing of systems: systems should be tested frequently so that they cannot be attacked.
5) Testing of employees: users need to be tested on whether they fall for phishing emails, texts, or phone calls.
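The defences above (awareness of what a phishing mail looks like, and periodic test checks against employees) rest on a few concrete indicators that a reader can learn to spot. The script below, added here as an example and not part of the original question or answer, checks a raw e-mail for three of them: a Reply-To domain that differs from the From domain, a link whose visible text names one domain while its href points at another, and urgency wording or a generic greeting in the text. The two sample messages, the domains in them and the keyword list are all constructed for this example.

```python
"""Score a raw e-mail for common phishing indicators (added example).

The sample messages and keyword list below are constructed for illustration;
corp.example, corp-example-support.net and corp-example-login.net are
placeholder domains, not real sites.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of phrases that phishing training usually flags as pressure tactics.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
# Visible link text that itself looks like a URL or hostname.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.IGNORECASE)


def _domain(addr_or_url: str) -> str:
    """Return the lowercased host part of an e-mail address or URL."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
    return (urlparse(url).hostname or "").lower()


def _body_text(msg) -> str:
    """Collect the text parts of a (possibly multipart) message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Reply-To pointing at a different domain than the visible sender.
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From domain {_domain(from_addr)}")

    # 2. Link text that shows one domain while the href goes to another.
    body = _body_text(msg)
    for href, text in LINK_RE.findall(body):
        text = text.strip()
        if DOMAIN_LIKE.match(text) and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but points to {_domain(href)}")

    # 3. Pressure wording and impersonal greeting, as taught in awareness training.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    if re.search(r"dear (customer|user|member)", body, re.IGNORECASE):
        findings.append("generic greeting")
    return findings


# Constructed sample: a lure that fails all three checks.
PHISH_SAMPLE = """\
From: IT Helpdesk <helpdesk@corp.example>
Reply-To: helpdesk@corp-example-support.net
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Dear user,</p>
<p>Please verify your account within 24 hours at
<a href="http://corp-example-login.net/verify">https://portal.corp.example/login</a></p>
"""

# Constructed sample: an ordinary internal mail that should produce no findings.
BENIGN_SAMPLE = """\
From: Alice <alice@corp.example>
Subject: Lunch menu for Friday
Content-Type: text/html

<p>Hi Bob,</p>
<p>The menu is posted at <a href="https://intranet.corp.example/menu">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample) or "no indicators")
```

Run as a script it prints the findings for each sample; for the constructed lure it reports the Reply-To mismatch, the link mismatch, the urgency phrases and the generic greeting, and nothing for the benign mail. The same checks are what a simulated-phishing exercise expects employees to apply by eye: look at where a reply would really go, hover over a link before clicking, and treat pressure to act "within 24 hours" as a signal rather than an instruction.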