Social Engineering

Social engineering is the term given to the techniques involved in tricking people to divulge sensitive information. Questions about these techniques and how to avoid being scammed belong here.

304 Questions
Phishing
Social Engineering

How do you reduce the phishing risks of social engineering?

As with nearly all social engineering, the best way to reduce the risk of phishing is education, policies and procedures. Some key elements are:

1) Recognize all types of phishing emails. Many phishing emails will be addressed to a generic "customer" or "sir or ma'am" instead of directed to the customer by name.

2) Do not send personal information via email. There are almost always more secure ways to provide that information to a legitimate entity.

3) Confirm the identity of the sender via another method. Look up the company name and call them about the email for example. Call the number on your bill.

4) Confirm the site you send personal information to is secure before entering the information. Usually the address will start with https:// instead of just http://, and the "lock" icon should be displayed on the browser status bar.

5) Do not click on links in email you receive from people you do not know.

6) Resist clicking on links in email from people you DO know until you have confirmed the source of the email.

7) Use a "throw away" email address for sites that request an email address. A throw away email address will receive the spam and phishing requests and you never bother to look at it so you never get suckered by what is sent to it.

8) Never use the same password for every site that you have access to. This way if someone manages to get you to divulge the password to one site, they won't have your password to the other sites you use.

9) At no time should you ever supply your ID or password to anyone when you have received an email requesting that you do so. Certainly any reputable site such as eBay, PayPal or the bank or Credit Card Company that you deal with online will not request this kind of information from you.

There are also measures businesses can take to help protect their customers from phishing attacks such as monitoring new and existing domain registrations for addresses similar to their own legitimate site and educating their customers about phishing.

These are certainly not ALL the means to reduce the risks of phishing, but they are a good start.

Internet Security and Privacy
Social Engineering
Software Security

How can social engineering attacks be avoided?

Through education and clear security policies. Social engineering is targeted at the weakest link in any IT solution - the people, particularly their willingness to be helpful, truthful and trusting.

An attacker that specializes in social engineering tactics might, for example, impersonate a company officer in a very remote location and in a very tight spot - the supposed officer may be hours away from an important demonstration for the client, and his computer won't let him connect remotely to the office to download that last, most important spreadsheet he forgot. The impersonator may make a plea "for the sake of their job" or "for the sake of the big sale" and request confidential connection details.

This example attack takes advantage of a few things. The first and most easily visible problem is, that in most bigger companies, no one person really knows most of the workers in person, or even knows their voice. Maybe not even their gender. This allows the attacker to easily impersonate a company officer without even seeing them in person.

The other fact the attacker may have used in this example is two-fold: the abundance of company information usually available (the company's profile, their CEO list, their phone numbers etc.), and the abundance of further, more confidential details people like to share in the so-called "cloud" - sites like facebook or twitter, for example, may allow the attacker to know that that particular employee has been sent off to some remote corner of the world to do business. And so, with the contact phone list in hand and a fake sob story, the attacker sets out to convince a company worker that he is who he claims to be, and that his need is legitimate. And while there may be many employees he may target, he only needs to break one.

Social engineering attacks also exploit the fact that many companies do not have a strict policy regarding security enforced. Such a policy may well stop such an attack like the one in the example above dead in its tracks: for instance, there may be a closed-list pool of telephone numbers through which off-site officers may contact the company when in need of sensitive data - they may need to thoroughly authenticate by these means.

But such a policy is not yet enough - the company's employees must be educated thoroughly regarding this policy and the consequences if the policy is broken. Like I stated above, it takes just one person feeling sympathetic enough to give the sensitive information away (the attacker may have profiled this person specifically, maybe because a similar thing happened to the person under a previous employer?). So the employees must know what might happen, and how to prevent it from happening.

Strong morale and integrity are also an important factor, but building these values is an important role of the company by any standard.

This answer could be improved greatly, as there are many aspects to dealing with these kinds of attacks - they are much more espionage-related than computer-related, even though they commonly rely on the fallacies of modern technologies.

Social Engineering

What is reverse social engineering?

An attacker using reverse social engineering to obtain information will present himself as an authority offering help on a particular subject, so that his targets come to him for advice. This is in contrast to simple social engineering, where the attacker portrays himself as needing help.

Social Sciences
The Sims Video Games
Blogging
Engineering
Social Engineering

Find out what social engineering is and identify the strategy in manipulating people?

Social Engineering
Business and Industry
Industrial Revolution

Why did businesses hire children?

They could pay them less than adults.

Abusive Relationships and Domestic Violence
Philosophy and Philosophers
Social Engineering
Human Origins

How come some people could never admit to their faults or mistakes?

We are all guilty at some point in our lives of not admitting to our faults or mistakes, and it's simply the emotional situation we are in at the time. If the person is an abuser they don't often realize they are doing it. The fallacy that the abuser has come from an abusive family and it is a learned emotion is not always true (although a high percentage indicates this is true). Some abusers come from a very good family, and often the abuser was simply spoiled and given all the rights to their every whim. Abusive people need psychiatric help as they don't feel in control of their own lives, can feel they are hard done by and generally hate the world. The only way they seem to strive in their own little world is by abusing their mate or children, as it makes them feel as if they have the power. In an abuser's mind they can't abuse the whole world, so they choose a piece of the world which is their home life. If people simply won't own up to their faults or their mistakes they have gone through life blaming others. They have ceased to mature. We all make mistakes and we all have faults, and it will take the rest of our lives to try and make ourselves a better person. Some faults are so minute that it doesn't really matter if we change them, but if our mistakes or faults are hurting someone else close to us or even hurting the public then we need to do something about it.

Marcy

Stalkers and the Borderline Personality

The Borderline Personality

In recent years psychologists have learned about and done case studies on a new personality disorder which the DSM-III-R classifies as an Axis II disorder - the Borderline Personality. This classification includes such personality disorders as the Anti-social Personality, the Histrionic Personality and the Narcissistic Personality. Several psychologists (including myself) diagnosed my stalker as afflicted with the Borderline Personality.

Characteristic of the Borderline (derived from research done by Kreisman & Straus, 1989) are:

  • a shaky sense of identity
  • sudden, violent outbursts
  • oversensitivity to real or imagined rejection
  • brief, turbulent love affairs
  • frequent periods of intense depression
  • eating disorders, drug abuse, and other self-destructive tendencies
  • an irrational fear of abandonment and an inability to be alone

Not much research has been done on the Borderline Personality, and for many years it was difficult to diagnose - and to treat. A Borderline often feels as though his/her life is marked with a distinctive emptiness; a void which a relationship often acts to fill. Many times the Borderline is a victim of an early dysfunctional family situation and/or emotional/physical abuse by those he/she trusted early on in childhood. The Borderline is psychotic, in the original, psychological meaning of the term: he/she is not in control and not in touch with reality. To the Borderline, a softly spoken word of advice can be construed as a threat to his/her emotional stability. An outsider's viewpoint that the Borderline is not in touch with reality often ends in a bitter and irrational disassociation from the outsider on the part of the Borderline. Often, the Borderline ends up very much alone and victim to his/her disillusions. The Borderline stalker is very apt to see his/her actions as perfectly justified; he/she has paranoid disillusions which support these - often with disturbing frequency. The Borderline often has brief love affairs which end abruptly, turbulently and leave the Borderline with enhanced feelings of self-hatred, self-doubt and a fear that is not often experienced by rational people.

When the Borderline's relationships turn sour, the Borderline often begins to, at first, harass the estranged partner with unnecessary apologies and/or apologetic behavior (i.e. letters of apology 'from the heart', flowers delivered at one's place of employment, early morning weeping phone calls, etc.). However, the Borderline does not construe his/her behavior as harassment - to the Borderline he/she is being 'responsible' for his/her past behaviors. The next phase of the Borderline Personality develops relatively quickly, and soon he/she feels suddenly betrayed, hurt, etc. and seeks to victimize the estranged partner in any way he/she can. Strangely enough, this deleterious behavior is always coupled with a need to be near or in constant contact with the estranged partner. While sending threats to the estranged partner, it is very common for the Borderline to begin to stalk his/her estranged partner in an effort to maintain contact. This effort is motivated by the excruciating fear that the Borderline will end up alone and anger that [the estranged partner] has put him/her in this position. We are finding, in many cases, that a great deal of stalking behavior is associated with Borderline or related personality disorders. Earlier research did not incorporate the Borderline Personality in stalking profiles; research now is beginning to focus on the Borderline in such disorders as Erotomania, etc.

Engineering
Social Engineering

What jobs require social engineering?

"Jobs as engineers certainly require social engineering. Also, there are many maintenance jobs that will require knowledge in the field of social engineering."

Health
Philosophy and Philosophers
Social Engineering

Why is it that some people never get sick?

Immune system.

Computer Viruses
Social Network Websites
Social Engineering

Who invented the concept of social engineering?

Social engineering is tricking people into doing something you want them to, so it's been around since the beginning of time. The person who brought it into common knowledge was Kevin Mitnick, one of the most famous hackers in history, wanted by the U.S. Marshals and after a while caught by them. As a condition of his parole he couldn't profit from his experience with hacking for ten years, meaning he couldn't write any books, but after the ten years he wrote The Art of Deception, which is a great book and has great stories of social engineering.

Computer Terminology
Social Engineering
Software Engineering

What is the difference between coupling and cohesion?

Coupling within a software system is the degree to which each module relies on other modules.

Cohesion is the measure of a subsystem's internal interdependence.

Engineering
Social Engineering

Is social engineering a collection of techniques intended to trick people into divulging what?

Personal information.

Civil Engineering
Social Engineering

What is the Role of Civil Engineers in Society?

Civil engineers play a great role in society. Civil engineers have indeed changed rural joint and extended families into nuclear families with the 'quarter system' in towns and cities, together with migration since independence. Vastu Shastra - a sense of space and direction in relation to the surroundings - needs the attention of civil engineers. But various limitations like space, cost, managerial pressure, and so on and so forth do not allow the creative side of civil engineers to flourish. On a mass scale, the quarter system is cheaper and encourages a nuclear family set-up and a sense of equality among the people living in similar structures, of the kind in Britain - double-storeyed hut-like houses all over - equality in structure.

Engineering
Social Engineering

Is there a career specializing in social engineering?

There is no specific career for social engineering. It's basically a fancy name for computer hacker. They are often employed by tabloid journalists, bounty hunters or private investigators.

Social Engineering

What is a Phisher's Tool?

Social engineering.

Internet Security and Privacy
Social Engineering
White Hat Computer Hacking

How do you combat social engineering?

These answers are on page 320 of 'IT Essentials: PC Hardware and Software Companion Guide', Third Edition.

  • Never give out your password
  • Always ask for the IDs of unknown persons
  • Restrict access of unexpected visitors
  • Escort all visitors
  • Never post your password in your work area
  • Log off, or lock your computer when you leave your desk
  • Do not let anyone follow you through a door that requires an access card.
Social Engineering
Anthropology
Sociology
Kwanzaa

Are black people and white people in the same society?

Yes, they are. The color of your skin does not make you who you are, and mainstream and urban communities are in the same boat but conducted differently.

Computer Terminology
Computer Viruses
Internet Slang
Social Engineering

Who does social engineering?

Persons seeking to gain access to protected computer networks commonly use "social engineering". Portraying themselves as naïve users and requesting help from other users or administrators of the network, they try to trick their targets into divulging passwords or exposing protected information. A lot of so-called identity theft cases are nothing more than social engineering.

Philanthropy
Social Engineering
Hershey Company
Milton Hershey

How did Milton Hershey change the society?

He gave us chocolate, as well as providing housing and a decent wage for his employees.

India Law and Legal Issues
Social Engineering

Law as an instrument for social engineering?

Law can be said to be an instrument for social engineering in different ways: first, as a means of trying to control human behaviour with the emphasis of law;

secondly, as a means to predict the actions of people in relation to committing crime.

Snow Leopards
Social Engineering

What is a human force?

The sovereign force that humans possess to understand, break down, and rearrange the natural world.

Technology
Social Engineering

Does social engineering require technology?

Not necessarily - one can for example search the garbage of a person to learn a lot about him/her.

Computer Viruses
Social Engineering

What Malware is an essential form of social engineering because it entices the user to install the supposedly benign software?

A macro virus is an essential form of social engineering because it entices the user to install the supposedly benign software.

Malware that essentially is a form of social engineering because it entices the user to install the supposedly benign software is called a Trojan horse.

Social Engineering

Social engineering attack?

Any attempt to gain information by tricking another.

Marriage
Philosophy and Philosophers
Human Behavior
Social Engineering

Why do some people never marry?

People never marry because they find their partners cheating on them, or because they decide that they don't want the responsibilities of a committed marriage.

Phishing
Social Engineering
Computer Network Security
Computer Security Law

Does DoDD 8510-1M require the IASO to ensure personnel receive system-specific and annual IA awareness training?

8510.01M, signed in 2000, was written to go with DITSCAP (DoDI 5200.40, signed in 1997), which has since been superseded by DIACAP (DoDI 8510.01, signed in 2007).

Ultimately, responsibility for ensuring the training rests with the IAM, but the IAM can, and often does, delegate the responsibility to the IAO.

C3.4.4 requires preparation of the Environment and Threat Description, which, in turn, requires:

C3.4.4.2.1.8. Training. Identify the training for individuals associated with the system's operation and determine if the training is appropriate to their level and area of responsibility. This training should provide information about the security policy governing the information being processed as well as potential threats and the nature of the appropriate countermeasures.

C3.4.7 requires identifying C&A Organizations and the Resources Required, which includes:

C3.4.7.2.3. Resources and Training Requirements. Describe the training requirements, types of training, who is responsible for preparing and conducting the training, what equipment is required, and what training devices must be developed to conduct the training, if training is required. Funding for the training must be identified.

C5.1.2 discusses certifying, among other things, "security education, training, and awareness requirements".

C5.2.4.3 requires: The program manager, user representative, and ISSO should ensure that the proper security operating procedures, configuration guidance, and training is delivered with the system. Note that the term ISSO has since been replaced by IASO in current IA terminology.

C5.3.9.2 requires: "that security Rules of Behavior, a Security Awareness and Training Program, and an Incident Response Program are in place and are current."

Appendix 2, the "MINIMAL SECURITY ACTIVITY CHECKLIST", includes the questions:

Table AP2.T11.

10.(h) Do the ISSO duties include the following: Implementing or overseeing the implementation of the Security and Training and Awareness Program?

Table AP2.T12.

3.(o) Do employees receive periodic training in the following areas:

(1) Power shut down and start up procedures?

(2) Operation of emergency power?

(3) Operation of fire detection and alarm systems?

(4) Operation of fire suppression equipment?

(5) Building evacuation procedures?

If you examine DoDI 8500.2, you will find requirements dealing with training, including:

5.9 Each IA Manager, in addition to satisfying all responsibilities of an Authorized User, shall: (5.9.2) Ensure that all IAOs and privileged users receive the necessary technical and IA training, education, and certification to carry out their IA duties.

E3.3.7. requires that:

All DoD employees and IT users shall maintain a degree of understanding of IA policies and doctrine commensurate with their responsibilities. They shall be capable of appropriately responding to and reporting suspicious activities and conditions, and they shall know how to protect the information and IT they access. To achieve this understanding, all DoD employees and IT users shall receive both initial and periodic refresher IA training. Required versus actual IA awareness training shall be a management review item.

E3.4.6. Information Assurance Managers (IAMs) are responsible for establishing, implementing and maintaining the DoD information system IA program, and for documenting the IA program through the DoD IA C&A process. The program shall include procedures for:

E3.4.6.6. Tracking compliance with the IA Controls applicable to the DoD information system and reporting IA management review items, such as C&A status, compliance with personnel security requirements, compliance with training and education requirements, and compliance with CTOs, IAVAs, and other directed solutions.

Within the controls of 8500.2, you will find the following controls:

VIIR-1 Incident Response Planning

An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least annually.

VIIR-2 Incident Response Planning

An incident response plan exists that identifies the responsible CND Service Provider in accordance with DoD Instruction O-8530.2, defines reportable incidents, outlines a standard operating procedure for incident response to include INFOCON, provides for user training, and establishes an incident response team. The plan is exercised at least every 6 months.

PETN-1 Environmental Control Training

Employees receive initial and periodic training in the operation of environmental controls.

PRTN-1 Information Assurance Training

A program is implemented to ensure that upon arrival and periodically thereafter, all personnel receive training and familiarization to perform their assigned IA responsibilities, to include familiarization with their prescribed roles in all IA- related plans such as incident response, configuration management and COOP or disaster recovery.

Templates for validation of the controls by system validators include the following instructions:

For PRRB-1:

1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.

2. The rules shall include the consequences of inconsistent behavior or non-compliance.

3. Signed acknowledgement of the rules shall be a condition of access.

4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.

For PRTN-1:

1. A set of rules that describe the IA operations of the DoD information system and clearly delineate IA responsibilities and expected behavior of all personnel shall be in place.

2. The rules shall include the consequences of inconsistent behavior or non-compliance.

3. Signed acknowledgment of the rules shall be a condition of access.

4. Training or reminder of the IA operations rules and code of conduct shall be performed on an annual basis, or as frequently as in accordance with DoD policy.
