Understanding Social Engineering

Social engineering is the practice of using primarily nontechnical means to get people to give up sensitive data or to perform actions they wouldn’t normally perform. A social engineer uses deception and fraud to trick or manipulate unsuspecting users.


EXAM TIP Although social engineering is a low-tech attack, it can still be a very effective method of gaining unauthorized access to an organization and the organization’s IT infrastructure.


At the core, social engineering uses different tactics to gain the confidence of people as part of a scam. As an example, an attacker may want to gain access to an organization that requires a badge or a key. He or she could wait until the entrance is very busy, such as the beginning of the day, and just slip in behind someone else. Often just a friendly smile is all that’s needed if someone gives the social engineer any attention. Similarly, an attacker can load his or her arms with books or boxes, and a friendly employee may actually hold the door open for him or her to enter.

Sometimes a phone call to an employee can elicit a good deal of information. The attacker can first learn the names of executives through a public source such as a web page, a newsletter, or a company brochure. Saying something like, “I’m gathering some information for so-and-so,” and using the name of a high-level executive may be enough to get the employee who answers the phone to give out information to help someone he or she thinks is a fellow employee.

With some basic information from a first phone call, the attacker can build on that with another phone call to another department. Repeated a few times, the attacker can build his or her knowledge, such as identifying how e-mail addresses are formatted (such as firstname.lastname@company.com) and learning how account names are created. Or the attacker may make a phone call to the IT department and ask something like, “I can’t remember my password, can you help me log in?” Such an inquiry may convince an IT professional to change the password and give it to the attacker. It’s also possible for an unsuspecting employee to give up his or her own username and password, allowing the attacker to log on with that employee’s account.


TIP The practice of using gathered information to create another scenario to collect additional information is known as pretexting. The pretext, or the invented scenario, increases the possibility that the person will give up additional information to the social engineer.


Social engineers appeal to someone’s inherent desire to be helpful and liked. They exploit values such as courtesy and appeal to other people’s vanity. In some cases, they can invoke the name of an authority figure, such as an executive, and threaten undesirable action if the employee doesn’t provide the needed information.

One of the primary methods to counteract social engineering is to educate users in the tactics of social engineers. Once employees recognize the value of information and the common tactics used by social engineers, they are better able to identify and thwart a social engineer in action. The following sections identify some common social engineering tactics.

Piggybacking

Piggybacking occurs when someone passes through a controlled entry without providing credentials by following closely behind someone who has provided credentials. For example, Chapter 2 talked about using proximity badges to gain entry to an organization. Employees swipe their badge in front of a badge reader and the door automatically unlocks. If one person swipes his or her badge to unlock the door and the second person walks through the open door without using a badge, the second person is piggybacking on the first.

All employees should use their badge to open the door and gain entry. However, it’s possible for one employee to open the door with his or her badge and other people to just follow that person in. Imagine the beginning of the workday as the majority of the employees are coming into the building. It’s unlikely that each employee will push the door shut in the face of his or her fellow employees. If the organization is large, employees may not know who’s a fellow employee and who isn’t. A social engineer could easily slip into the crowd and walk into the normally secure building without raising any suspicion.

Although education is a great start against piggybacking, it often isn’t enough. Most people are kind and courteous and slamming the door on someone else is rude. It may be secure, but it’s not courteous. When some people are faced with the choice of being courteous or secure, they choose the courteous path.

A common way to stop piggybacking, in addition to education, is with a mantrap. The formal definition of a mantrap is a large enclosure that allows entry through one side and exit through the other, and can actually lock the person inside. Some are large steel bars formed as a revolving door that looks very similar to a cage.


EXAM TIP Piggybacking is a social engineering tactic where one person uses his or her credentials to gain entry, while a second person follows closely behind without providing credentials. A mantrap protects against piggybacking.


However, instead of using cages to control entries, many organizations simplify this to turnstiles similar to what you see in a subway or bus station. Employees swipe their badge and the turnstile releases to allow one person through. When a mantrap is used, even if it’s a simple one like a turnstile, employees can’t keep the entrance open for a potential attacker, and piggybacking is thwarted.

Impersonation

Another social engineering tactic is impersonation, where the social engineer impersonates someone. Impersonation can be over the phone by invoking the name of someone in authority. It can also be in person.

For example, it’s relatively easy to get a uniform that looks like it’s from another company, such as the phone company. The social engineer can don the uniform, enter the building, and let a receptionist know he or she is there to fix some fictional problem. The attacker may be led directly to the wiring closet, where they can install phone tapping equipment.


EXAM TIP Impersonation is also known as masquerading or spoofing. Chapter 2 presented the concept of spoofing in the context of IP addresses, MAC addresses, and e-mail addresses. In each instance, the attacker attempted to masquerade as something else. In social engineering, the social engineer is attempting to masquerade as someone else.


Dumpster Diving

Many attackers gain information by sifting through someone else’s trash, a practice commonly known as dumpster diving. Depending on how much information an organization or an individual throws away, dumpster diving can provide significant returns.

For example, if an organization regularly throws away papers that include information such as customer names, addresses, and credit card data, an attacker can retrieve this from the trash and use it. Similarly, if an individual throws away offers for free credit, blank checks from a credit card company, or other personal data, an attacker can retrieve it and use it.

As a best practice, any information that contains any type of personal information should not be thrown away. Instead, these papers should be shredded using a crosscut shredder or burned to ensure they cannot be read.

Shoulder Surfing

Shoulder surfing is the practice of looking over someone’s shoulder to gain information as he or she is entering data. For example, an attacker may try to watch someone enter his or her username and password to learn the user’s credentials, or watch someone as he or she enters the numbers for a cipher lock on a door or a PIN for a badge or even for a debit card.

Phishing

Phishing was introduced earlier in this chapter. Attackers send massive numbers of e-mails out with the goal of fishing for victims. The e-mail claims to be from a legitimate company and encourages the user to either click a link or provide a response. For example, the following e-mail could be used as a phishing e-mail:

“Warning. This is a security alert from YourBank. We have noticed suspicious activity on your account. To protect you, we are putting a hold on your account until we can verify certain activities. Please click the following link and validate your account. If you do not validate your account, funds in your account will be frozen and remain inaccessible.”

If you click the link, you’re taken to a bogus website that looks like YourBank, but is actually a malicious website. It may immediately try a drive-by download and may also include text boxes where you can enter your username and password. Of course, if you enter your credentials, the attacker will use them to remove your money.

Money drained from accounts this way is quickly funneled to offshore accounts, and if the activity isn’t discovered within 24 hours, the chances of recovering the money are extremely low. Thankfully, individuals working with a bank are automatically protected from fraud and can usually get their money back. However, business accounts don’t have the same protection. If an employee accidentally gives up credentials for the organization’s bank accounts, the accounts can be drained. If the organization doesn’t have fraud insurance, it can easily lose all its money and face a financial catastrophe.


TIP Phishing attempts have been circulating for years and most IT professionals, and even a lot of end users, know about them. Yet, they continue. Why? The short answer is that they continue to work. Many end users simply don’t understand the risks and continue to respond to these e-mails. When users are educated and stop answering the phishing e-mails, attackers will stop trying these methods (but they’re sure to try different ones). In the meantime, it’s important to educate users of the risks.


You’ve probably received some phishing e-mails that look like they are from a bank or a company where you don’t have an account. Attackers send out mass quantities of these e-mails knowing that not every recipient has an account with the bank, but also knowing that many of them do. Imagine an attacker sends out an e-mail to 10,000 recipients but only 1,000 of the recipients (10 percent) actually have an account with that bank. If an attack reaches 1,000 potential targets, it has some great possibilities of success.

Some conservative estimates state that about 20 percent of the people who receive a sophisticated phishing e-mail respond. That’s 200 users. Out of those 200, imagine that only 20 percent of them actually give up their data. This reduces it down to only 40 users providing information. However, if these users give up banking information, the attacker can get hundreds or perhaps thousands of dollars from each of these 40 users with very little effort.

Even though phishing has been going on for a long time, people still get taken. Consider this case of a phishing attack in January 2011 that was only operational for five hours. A total of 164 users visited the website, and 35 provided their credit card information. We don’t know how many e-mails were sent out, but out of all the people who responded, about 21 percent of them provided information. You can read more about this incident here: http://blog.eset.com/2011/01/26/inside-a-phishing-attack-35-credit-cards-in-5-hours.

A phishing e-mail usually has several basic components:

Impersonation A phishing e-mail impersonates a legitimate company. It may include actual graphics from the company and use similar fonts. For example, an e-mail that claims it is from PayPal may include PayPal graphics.

Identification of a problem The e-mail usually indicates some type of problem that is of a concern to the reader. The phrase “suspicious activity” or something similar is often included in these e-mails.

Call to action Recipients are encouraged to take immediate action. Although the phishing e-mail doesn’t state it this way, the goal is to get the user to click without any more thought.

Dire consequences The phishing e-mail warns of some dire consequences, such as closing an account, locking out an account, or freezing funds, if the recipient doesn’t respond. For someone doing business through a company such as eBay or PayPal, the threat of his or her account being closed or locked does raise alarm bells that may propel the user into taking immediate action.
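The four components above can be turned into a simple mail-filter heuristic. The following Python script is an added example, not from the chapter: it scores a single-part message for brand impersonation (a named brand whose sender or link domains don’t match), a stated problem, a call to action, and dire consequences. The phrase lists, the brand table, and both sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Phrase lists and the brand-to-domain table are constructed for this example;
# a production filter would use far larger lists and a public-suffix library.
PROBLEM_PHRASES = ("suspicious activity", "unusual activity", "security alert")
ACTION_PHRASES = ("click the following link", "click here",
                  "validate your account", "verify your account")
CONSEQUENCE_PHRASES = ("will be frozen", "will be closed", "will be locked",
                       "will be suspended", "remain inaccessible")
BRAND_DOMAINS = {"yourbank": "yourbank.com", "paypal": "paypal.com", "ebay": "ebay.com"}
# Captures only the host part of each http(s) URL.
URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.IGNORECASE)


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (last two labels); enough for the sample."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class PhishScore:
    impersonation: bool = False
    problem: bool = False
    call_to_action: bool = False
    consequences: bool = False
    reasons: list = field(default_factory=list)

    @property
    def hits(self) -> int:
        return sum((self.impersonation, self.problem,
                    self.call_to_action, self.consequences))


def score_message(raw: str) -> PhishScore:
    """Check a single-part RFC 822 message for the four phishing components."""
    msg = message_from_string(raw)
    header_from = msg.get("From", "")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    score = PhishScore()
    # 1. Impersonation: a brand is named, but the sender domain or a linked
    #    host does not belong to that brand.
    _, sender = parseaddr(header_from)
    sender_domain = registrable(sender.split("@")[-1]) if "@" in sender else ""
    link_domains = {registrable(h) for h in URL_RE.findall(text)}
    for brand, domain in BRAND_DOMAINS.items():
        if brand in text or brand in header_from.lower():
            foreign = sorted(d for d in link_domains | {sender_domain}
                             if d and d != domain)
            if foreign:
                score.impersonation = True
                score.reasons.append(f"claims to be {brand} but uses {foreign}")

    # 2-4. Problem, call to action, dire consequences: phrase matching.
    for attr, phrases in (("problem", PROBLEM_PHRASES),
                          ("call_to_action", ACTION_PHRASES),
                          ("consequences", CONSEQUENCE_PHRASES)):
        hit = next((p for p in phrases if p in text), None)
        if hit:
            setattr(score, attr, True)
            score.reasons.append(f"{attr}: {hit!r}")
    return score


def is_phishing(raw: str, threshold: int = 3) -> bool:
    """Flag a message when at least `threshold` of the four components are present."""
    return score_message(raw).hits >= threshold


# Constructed sample modelled on the YourBank e-mail quoted earlier in the chapter.
PHISH_SAMPLE = """\
From: "YourBank Security" <alerts@yourbank-verify.example>
To: customer@example.net
Subject: Security alert

Warning. This is a security alert from YourBank. We have noticed
suspicious activity on your account. To protect you, we are putting a hold
on your account until we can verify certain activities.
Please click the following link and validate your account:
http://yourbank.example-login.net/validate
If you do not validate your account, funds in your account will be frozen
and remain inaccessible.
"""

# Constructed benign message for comparison.
BENIGN_SAMPLE = """\
From: "Alice" <alice@example.net>
To: bob@example.net
Subject: Lunch tomorrow?

The new place has its menu at http://example.net/menu if you want a look.
"""
```

Calling `score_message(PHISH_SAMPLE)` flags all four components (the link points at example-login.net and the sender at yourbank-verify.example, neither of which is yourbank.com), while the benign message scores zero.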

Spear Phishing and Whaling

Spear phishing and whaling are variants on the phishing theme. Phishing attacks send out massive amounts of spam e-mail without knowing the targets, but spear phishing and whaling attempt to identify the targets.

A spear phishing attack targets a specific organization. For example, a spear phishing attack could target a military organization by sending out e-mails to recipients with the appearance that the e-mail has come from a Sergeant Jones (or some other title) within the organization. Because it looks like it’s from someone within the organization, recipients will probably open it. It could then state something like the user missed a deadline or that a critical piece of data is needed. It could include an attachment that may install a keylogger or other malware on the user’s system or a link to a malicious site. Because the From address provides a level of trust since it looks like it’s coming from a fellow employee, some users may be more willing to take action that they wouldn’t normally take in response to a typical phishing attempt.


TIP Spear phishing can target any organization, depending on what’s desired by an attacker. If attackers are interested in money, they may try to target a bank. If they are interested in government espionage, they may try to target government employees. The key is that the spear phishing e-mails are targeted to a specific group.


In a whaling attack, the attacker attempts to identify an executive such as a chief executive officer (CEO), president, vice president, or manager. The attacker may be able to get the name and e-mail address information from public sources or through a social engineering attack with another employee. The subject line of a whaling attack may include words such as “Past Due” or “Lawsuit” that may get some immediate attention from the executive.

If an attacker can get a response from a high-profile figure (a whale, if you will), the potential payoff is huge. For example, if they’re able to convince the executive to install a keylogger on his or her system, the attacker can use this to steal highly valuable information and perhaps even account information to empty an organization’s bank accounts.

Vishing

Vishing is a slight variation of a phishing attack. Instead of using e-mail, the attacker uses the telephone system or possibly a Voice over Internet Protocol (VoIP) system. The goal is similar: Trick the user into providing information that the attacker can use for personal gain.

A vishing attack starts by calling many phone numbers. A recording alerts the person of some type of fraudulent activity and encourages them to call a phone number immediately. The attacker is often able to fool caller ID into actually showing the name of the bank that the vishing attack is impersonating. If the user returns the call, he or she is often prompted to enter information such as the credit card number, expiration date, and more.

I remember once being called about suspicious activity on a credit card and I called back. A woman answered and started asking personal questions that raised alarms for me. When I expressed distrust, the woman on the other end said, “You called us,” as if that was supposed to tell me everything was OK. It wasn’t and I ended the call. There weren’t any problems with my credit card then, but if I kept answering questions, there would have been.

In contrast, after a business trip, one of my credit cards had some real suspicious activity. My bank called and left a message asking me to call back. When I called back, the answerer provided information that made it clear the person was an employee of my bank before asking me to provide information about my account. In other words, we provided mutual authentication.

Smishing

Smishing is another variation of a phishing attack, but it uses text messages such as Short Message Service (SMS) messages commonly used with many smartphones. The target is sent a text message indicating that there has been suspicious activity on the user’s account. The user is then instructed to call a phone number to resolve the problem.

When the user calls the number, he or she often hears a voice recording that prompts the user to enter such information as account numbers and personal identification numbers. The user may be prompted to give much more information, such as their birthdate, social security information, and more.

In a variant of a smishing attack, users receive a text message prompting them to install antivirus software on their system. However, this is not antivirus software, but is instead malware or possibly scareware.

Pharming

Pharming is an attack that redirects users to bogus websites. It manipulates one of the host name resolution methods so that host names resolve to a different website.

For example, you may attempt to go to yourbank.com, but a pharming attack redirects you to a bogus website. The attacker creates the bogus website to look exactly like yourbank.com and you may be duped into giving your credentials to the attacker. Other attacks redirect users to malicious websites that try to download malware automatically or trick the user into installing a Trojan horse. Some attacks simply redirect the users to sites that sell a product such as pharmaceutical drugs.

People use host names to identify computers, and name resolution methods resolve the host name to an IP address. For example, if you want to go to Google, you can type google.com in your web browser instead of Google’s IP address, and the system resolves google.com to an IP address. The primary method of resolving a host name to an IP address on the Internet is Domain Name System (DNS), and a secondary method uses the hosts file.

In some cases, attackers are able to manipulate data in DNS to redirect the users. A DNS cache poisoning attack is one way this has been done due to some previous vulnerabilities with DNS. DNS cache poisoning is often referred to as the first pharming attack.

In other attacks, the attacker manipulates the hosts file. Operating systems look at this file first for name resolution, and if it includes a host name and IP address mapping, DNS is not queried for name resolution. Microsoft systems store this file in the c:\windows\system32\drivers\etc folder by default, and many malicious software attacks have modified this file. In one case, the malware added an entry for Microsoft’s Update site. These computers could no longer connect with this site to check for and download critical updates.
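Because the hosts file is consulted before DNS, a quick integrity check is to parse it and flag any entry for a name that should never be overridden locally. The following Python script is an added example, not from the chapter: it distinguishes a sinkhole entry (the name points at loopback, so the site becomes unreachable, as in the update-site case above) from a pharming redirect (the name points at some other address). The watched-name list, the default file paths, and the sample hosts file are assumptions constructed for the example.

```python
import ipaddress
import os
from dataclasses import dataclass

# Names that no legitimate hosts file should override. The list is constructed
# for this example; the chapter's case was an entry for Microsoft's update site.
WATCHED_NAMES = ("update.microsoft.com", "windowsupdate.com", "yourbank.com")

# Default hosts-file locations (assumption: standard Windows and Unix installs).
HOSTS_PATH = (r"C:\Windows\System32\drivers\etc\hosts" if os.name == "nt"
              else "/etc/hosts")


@dataclass(frozen=True)
class Finding:
    line_no: int
    name: str
    ip: str
    verdict: str   # "sinkholed" (points at loopback) or "redirected" (points elsewhere)


def is_local(ip: str) -> bool:
    """True for loopback or unspecified addresses, which block rather than redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def parse_hosts(text: str):
    """Yield (line_no, ip, [names]) for each effective entry, ignoring comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield n, parts[0], [p.lower().rstrip(".") for p in parts[1:]]


def is_watched(name: str) -> bool:
    """Match the watched name itself or any subdomain of it."""
    return any(name == w or name.endswith("." + w) for w in WATCHED_NAMES)


def check_hosts_text(text: str) -> list:
    """Return a Finding for every watched name that the hosts file overrides."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if is_watched(name):
                verdict = "sinkholed" if is_local(ip) else "redirected"
                findings.append(Finding(line_no, name, ip, verdict))
    return findings


def check_hosts_file(path: str = HOSTS_PATH) -> list:
    """Run the check against the live hosts file of this machine."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_hosts_text(fh.read())


# Constructed sample: two harmless entries, one internal override, two tampered lines.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.corp.example   # legitimate internal override
127.0.0.1       update.microsoft.com    # malware sinkhole: updates never reach Microsoft
198.51.100.7    www.yourbank.com        # pharming redirect to an attacker-controlled host
"""

if __name__ == "__main__":
    for f in check_hosts_text(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.name} -> {f.ip} ({f.verdict})")
```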

Social Networking Attacks

Attackers are taking advantage of the popularity of social networks such as Facebook, Twitter, and YouTube to launch social engineering attacks. Attackers craft e-mails that look exactly like they came from the social network site and send them out to users.

For example, Facebook often sends notifications to users indicating that they have messages or pending invites and includes a link to the Facebook site. The attacker uses the same template letting the user know a message is waiting, but includes a link to a malicious website. If the user clicks the link, the website may attempt to download malware automatically or encourage the user to install a Trojan horse. In other cases, the site is a fake one claiming to sell cheap drugs or casino gambling access or some other site intended to get the user to enter credit card data.

Raising User Awareness Through Training

A primary method of combating social engineering attacks is by raising user awareness through training. When users recognize the tricks that social engineers use, they are less likely to fall for them.


EXAM TIP A primary purpose of user awareness training is to change users’ behaviors from unsafe actions to safe actions. For example, if users recognize the malicious nature of phishing e-mails, they are less likely to click the link or respond.


User awareness training can’t just be a one-time event, either. Instead, users need to be trained and retrained periodically. Attackers are constantly modifying their attacks and attack methods. Likewise, users need to be updated on these different tactics, in addition to simply being reminded of the risks of giving up data.

The following are some of the common methods used to educate and reeducate users:

Initial training when hired Many organizations include initial security training as part of a new employee’s indoctrination. This could be a short presentation, a short video, an online presentation, or even a written document for the new employee to read and acknowledge. As risks and threats change, the initial training can be modified.

Annual refresher training Training can be delivered in exactly the same method as the initial training. It helps ensure that employees who stay at the organization learn about current risks as well as reminding them about basic IT security.

Newsletters If an organization sends out regular newsletters, it’s relatively easy to add a short article or a sidebar about security. It reminds users about security while providing information on current threats.

Periodic e-mails Just a simple e-mail reminding users of certain risks, with an example of a recent way that a victim was tricked into giving up information, can be useful.

Acceptable use policy Most organizations include an acceptable use policy that informs users of the organization’s expectations regarding the employee’s use of computing resources. It lets users know what their responsibilities are and can include basic information on the risks of social engineering attacks. Employees normally review and acknowledge an acceptable use policy when they are hired and then periodically afterward, such as annually.


NOTE Many training companies specialize in providing content for IT security. Organizations can purchase access to online training, computer-based training delivered to the desktop, videos, e-mail-based messages that an organization can tailor and send out, and even articles that an organization can include in a newsletter. By purchasing outsourced materials, the company is able to get access to current, relevant content.


Chapter Review

Traditional definitions indicate that hackers aren’t malicious, but crackers are. However, the media generally uses the term hacker to identify anyone who launches attacks on computers or computer systems with malicious intent. Some security professionals separate the good guys from the bad guys with terms such as white hats and black hats. In general, though, an attacker can cause significant damage no matter what the attacker is called.

Attackers are constantly modifying their attack strategies just as IT security professionals are constantly modifying their protection strategies. Although the attacks used today aren’t the same as those used a few years ago, or even a few months ago, many things are common. A DoS attack launches an attack on a single system from a single system. A DDoS attack launches an attack on a single system from multiple systems.

Botnets are groups of computers (called zombies) controlled by an attacker through a command and control center. Botnets can control tens of thousands of computers, and some have controlled over a million computers. Criminals rent out the botnets to others for money, and these botnets are used to launch attacks or send out spam.

Social engineering is the practice of using primarily nontechnical means to get people to give up sensitive data or perform actions they wouldn’t normally perform. A social engineer uses deception and fraud to trick or manipulate people into giving up information they wouldn’t normally give up. Piggybacking occurs when one person enters a controlled space without providing credentials by following closely behind someone else who has used his or her credentials. Social engineers sometimes impersonate others either in person or over the phone. Dumpster diving is the practice of sorting through trash to get potentially useful information that may have been thrown away.

Phishing is a form of social engineering that uses e-mail. The attacker sends out massive amounts of e-mails hoping that someone responds by either clicking a link or responding to the e-mail with sensitive information such as a username and password. Simply by clicking the link, the responder can have software such as a keylogger installed on his or her system through a drive-by download. Variations on phishing attacks include spear phishing (targeted at an organization), whaling (targeted at a specific person, such as an executive), vishing (using telephones or VoIP), and smishing (using text or SMS messages). Pharming attacks redirect users to bogus websites.

A primary method of combating social engineering attacks is through training. The goal is to raise user awareness and change user behaviors from unsafe actions to safe actions. Training can be completed when a person is initially hired, annually, and/or periodically throughout the year. Training can consist of live presentations, online presentations, periodic e-mails, articles in newsletters, or any other means that an organization finds effective.

Questions

1. Of the following attacks, what are often the most costly to an organization?

A. DoS

B. DDoS

C. Insider

D. Gray hat

2. Of the following choices, what is a common DoS attack?

A. TCP flood

B. Piggybacking

C. Smishing

D. Whaling

3. What is the difference between a DoS and a DDoS attack?

A. There is no real difference.

B. A DoS attack uses technical methods, but a DDoS uses nontechnical methods.

C. A DDoS attack is an attack from a single system, but a DoS attack is an attack from multiple systems.

D. A DoS attack is an attack from a single system, but a DDoS attack is an attack from multiple systems.

4. What is a TCP half-open attack?

A. A DoS attack that captures packets for analysis

B. A DoS attack that withholds the third packet of the TCP three-way handshake

C. A DDoS attack that uses a covert channel

D. A DDoS buffer overflow attack

5. An attacker has written a program to shave off a penny from each transaction and divert the penny to the attacker’s bank account. What best describes this attack?

A. Salami attack

B. Sniffing attack

C. Replay attack

D. Cramming

6. Thousands of computers have been infected with malware and are periodically directed to send out spam to other computers. What does this best describe?

A. Zombies

B. A botnet

C. Spear phishing

D. Phishing

7. Which of the following best identifies a computer controlled by a botnet?

A. DoS computer

B. DDoS computer

C. Attacker

D. Zombie

8. An attacker is using Wireshark to capture and analyze TCP sessions. What is the best term that identifies this action?

A. Dumpster diving

B. Shoulder surfing

C. Vishing

D. Sniffing

9. A system has a protocol analyzer installed. What mode must the protocol analyzer operate in to capture all packets that reach the system, including those that are not directly addressed to or from the system?

A. Promiscuous

B. Nonpromiscuous

C. DoS

D. DDoS

10. An application has received more input than it expected and the resulting error has exposed normally protected memory. What is the best explanation for what happened?

A. A phishing attack

B. Salami attack

C. Buffer overflow

D. Session hijacking

11. After visiting a website, a user sees a pop-up indicating her system is infected with a virus. The user downloads the free antivirus software, but finds that it won’t clean the virus unless she purchases the full version. What does this describe? (Choose all that apply.)

A. Scareware

B. Shareware

C. Ransomware

D. Freeware

12. A system has been attacked by an exploit that isn’t published. What type of attack is this?

A. Scareware

B. APT

C. Pharming

D. Zero day exploit

13. What is an APT?

A. A group that is often sponsored by a government and has the capability and intent to launch persistent attacks against an organization

B. Software that shows users that their system is infected with malware, but won’t remove the malware unless the users pay

C. An attack that redirects users to a bogus website

D. A scan to detect open ports

14. An attacker uses nontechnical means to learn the e-mail address of a manager within a company. Which of the following best describes this attack?

A. Social engineering

B. Shoulder surfing

C. Smishing

D. Covert cramming

15. Of the following choices, what is the best method to prevent piggybacking?

A. Education

B. Mantrap

C. Antivirus software

D. Access controls on the phone system

16. A user receives an e-mail indicating that the user’s bank account has been compromised, and requiring the user to log on immediately to prevent loss of funds. What is the best term to describe this attack?

A. Sniffing

B. Session hijacking

C. Piggybacking

D. Phishing

17. An attacker sends an e-mail to many members of an organization and spoofs the From address to look like it came from within the organization. The e-mail tries to trick recipients into following a link. What is the best definition of this action?

A. Phishing

B. Spear phishing

C. Whaling

D. Vishing

18. A user attempted to access http://mcgraw-hill.com/ but was redirected to a website that advertised pharmaceutical drugs for sale. What does this describe?

A. Phishing

B. Impersonation

C. Whaling

D. Pharming

19. What is a primary goal of security-related user awareness training?

A. Increase use of e-mail

B. Change behavior

C. Implement technical solutions

D. Show how to use applications

Answers

1. C. Insider attacks are often the most costly to an organization. They can be intentional or unintentional, but they add up to significant losses. Denial-of-service (DoS) and distributed DoS (DDoS) attacks can be launched internally or externally. A gray hat refers to a cross between a white hat (an ethical professional) and a black hat (a criminal).

2. A. A TCP flood attack (also known as a SYN flood, TCP SYN, or TCP half-open attack) is a common DoS attack that withholds the third packet of the TCP three-way handshake. Piggybacking is a social engineering tactic. Smishing is a form of phishing using SMS messages, while whaling is a form of phishing against a single person, such as an executive.

3. D. A DoS attack is an attack from a single system, and a DDoS attack is an attack from multiple systems. Both typically use technical methods.

4. B. A TCP flood attack (also known as a SYN flood, TCP SYN, TCP flood, or TCP half-open attack) is a common DoS attack that withholds the third packet of the TCP three-way handshake. A sniffing attack captures packets for analysis. It is not a DDoS attack using a covert channel or a DDoS attack using replay.

5. A. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. A sniffing attack uses a sniffer (protocol analyzer) to capture and analyze traffic. A replay attack captures data and then later resends it to impersonate one of the parties. Cramming is the practice of adding unauthorized charges to a phone bill.

6. B. A botnet is a group of computers that have been taken over and are controlled by an attacker from a command and control center. These individual computers are referred to as zombies, but together they are a botnet. They may be directed to send out phishing or spear phishing e-mails, but that is the attack not the network.

7. D. Computers controlled within a botnet are commonly called zombies. They are not referred to as DoS or DDoS computers, or attackers, although they can be directed to take part in a DDoS attack.

8. D. Sniffing is the practice of capturing and analyzing packets with a sniffer (a protocol analyzer). Dumpster diving is going through the trash looking for information. Shoulder surfing is the practice of looking over someone’s shoulder to gain information, such as the password that a user enters to log on. Vishing is a form of phishing using telephones or VoIP.

9. A. The protocol analyzer (or sniffer) must be in promiscuous mode. If it is in nonpromiscuous mode, it will capture only packets addressed directly to or from the sniffer’s own network adapter (plus broadcast traffic), so traffic between other hosts is never seen. On a switched network, promiscuous mode alone is not enough; the sniffer must also be attached to a mirror (SPAN) port or a network tap to see other hosts’ unicast traffic. DoS and DDoS are not modes for a sniffer.

10. C. A buffer overflow occurs when a program receives more input than the buffer it writes into can hold and does not check the length first, so the excess overwrites adjacent memory instead of being handled gracefully. Attackers exploit buffer overflows to insert malware into systems. The best protection against a buffer overflow is to keep systems up to date. Phishing is sent through e-mail. A salami attack uses multiple small, usually unnoticeable actions, such as shaving a penny off a transaction. Session hijacking attempts to take over a session.
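To make the "more input than expected" point of answer 10 concrete, the following C program is an added example, not code from the book. It stores a user name into a fixed 16-byte buffer that sits directly before a privilege flag in a hypothetical session record: the unchecked copy overwrites the flag, the checked copy refuses oversized input. The struct, the field names and the demo helpers are assumptions; the copy in the vulnerable path is written as a byte copy over the whole struct, capped at its size, only so the overwrite is deterministic here rather than dependent on stack layout and compiler hardening.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Hypothetical session record: a fixed-size name followed by a privilege
 * flag. Struct members are laid out in declaration order, so bytes written
 * past the end of 'name' land in 'admin'. */
struct session {
    char name[NAME_LEN];
    int admin;
};

/* VULNERABLE: copies the whole input plus its NUL with no check against
 * NAME_LEN, the way an unchecked strcpy() would. The copy goes through a
 * byte view of the whole struct, capped at its size, purely so that the
 * overwrite of 'admin' is deterministic in this demo. */
void set_name_unchecked(struct session *s, const char *src) {
    size_t n = strlen(src) + 1;          /* never compared with NAME_LEN */
    if (n > sizeof *s) n = sizeof *s;     /* demo guard only; not a fix */
    memcpy((unsigned char *)s, src, n);
}

/* HARDENED: refuses input that does not fit rather than truncating it
 * silently, so the caller can fail closed. Returns true only if stored. */
bool set_name_checked(struct session *s, const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) return false;      /* leaves room for the NUL */
    memcpy(s->name, src, n + 1);
    return true;
}

/* Helpers for the demo and tests: feed one input through a path and report
 * whether the privilege flag ended up set (1) or stayed clear (0). */
int admin_after_unchecked(const char *input) {
    struct session s;
    memset(&s, 0, sizeof s);
    set_name_unchecked(&s, input);
    return s.admin != 0;
}

int admin_after_checked(const char *input) {
    struct session s;
    memset(&s, 0, sizeof s);
    (void)set_name_checked(&s, input);
    return s.admin != 0;
}

bool checked_accepts(const char *input) {
    struct session s;
    memset(&s, 0, sizeof s);
    return set_name_checked(&s, input);
}

int main(void) {
    /* Constructed inputs: a name that fits and a 20-byte one that does not. */
    const char *ok = "alice";
    const char *overflow = "AAAAAAAAAAAAAAAAAAAA";
    printf("unchecked: '%s' -> admin=%d\n", ok, admin_after_unchecked(ok));
    printf("unchecked: '%s' -> admin=%d\n", overflow, admin_after_unchecked(overflow));
    printf("checked:   '%s' -> accepted=%d admin=%d\n", overflow,
           checked_accepts(overflow), admin_after_checked(overflow));
    return 0;
}
```

With the 20-byte input, the unchecked path fills all 16 bytes of name and the next 4 bytes become the admin field (0x41414141, nonzero); the checked path rejects the input and leaves the record untouched. Real exploits overwrite return addresses or function pointers rather than a flag, but the root cause, a copy whose length is never compared with the destination size, is the same.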

11. A, C. Scareware, or ransomware, is malware that scares users into thinking their system is infected with a virus and encourages them to install a free download. The free download appears as antivirus software that doesn’t remove viruses unless users pay, but it often includes malware itself. Shareware is software that users are free to try and pay for only if they like and continue to use it. Freeware is free software.

12. D. Zero day exploits are attacks that take advantage of vulnerabilities that are unpublished and often unknown to the vendor, so no patch exists yet. Scareware is malware that scares users into thinking their system is infected with a virus and encourages them to install malware on their system. An advanced persistent threat (APT) is a group of people who have the capability and intent to launch extended attacks against organizations. Pharming is an attack that redirects users to bogus websites.

13. A. An advanced persistent threat (APT) is a group of people (often sponsored by a government) who have the capability and intent to launch persistent attacks against organizations. Software that shows a user their system is infected with malware, but won’t remove the malware unless the user pays is scareware or ransomware. Pharming is an attack that redirects users to a bogus website. A port scan is a scan that detects open ports.

14. A. Social engineering uses nontechnical (or low-technical) means to gain information, such as the names of people, e-mail addresses, or even usernames and passwords. Shoulder surfing is just looking over someone’s shoulder, and although it may allow an attacker to see an e-mail address of a manager, it isn’t the best answer. Smishing is a variant of phishing using SMS messages. There’s no such thing as covert cramming.

15. B. A mantrap is the best method to prevent piggybacking, which is the practice of one person following another into a secure area while only the first person provides credentials. Although education of employees can go a long way, ingrained courtesy sometimes overcomes security practices and a person may actually open the door for a social engineer. Antivirus software, access controls, and the phone system aren’t related to the social engineering practice of piggybacking.

16. D. A phishing attack sends out an e-mail to multiple recipients impersonating a legitimate company, indicating a problem, urging the recipient to take action, and warning of dire consequences if the recipient doesn’t respond. A sniffing attack uses a protocol analyzer such as Wireshark to capture and analyze traffic. Session hijacking attempts to take over sessions and doesn’t use e-mail. Piggybacking is the practice of one person following another into a secure area while only the first person provides credentials.

17. B. Spear phishing is a phishing tactic that targets a specific organization. Phishing doesn’t target individual organizations, but instead casts a wide net, hoping to catch someone. Whaling targets specific individuals, such as an executive. Vishing uses voice methods such as the telephone or VoIP.

18. D. A pharming attack is one where the user is redirected to another website by manipulating one of the name resolution methods, such as the local hosts file or DNS. Phishing involves sending an e-mail to many users and encouraging them to respond with personal information or by clicking a link. Impersonation, also known as masquerading or spoofing, is a social engineering tactic where the social engineer impersonates someone. Whaling is a phishing attack that targets executives such as CEOs.

19. B. A primary goal of user awareness training is to change user behavior from unsafe practices to safe practices. It isn’t related to applications such as e-mail, and end users aren’t expected to implement technical solutions.
