Social Engineering and Physical Security
This chapter includes questions from the following topics:
•  Define social engineering
•  Describe the different types of social engineering attacks
•  Describe insider attacks, reverse social engineering, dumpster diving, social networking, and URL obfuscation
•  Describe phishing attacks and countermeasures
•  List social engineering countermeasures
•  Describe physical security measures
Did you hear the one about Procter & Gamble, toothpaste, and one extraordinarily common-sense-laden guy? If not, I’ll relate it here. It seems that back in the 1950s, P&G was looking at different ways to increase sales—particularly in toothpaste. They tried different marketing techniques, radio ads, getting dentists involved to vouch for their products, and all sorts of things. None of it was effective, and vice presidents were getting chewed out on a regular basis.
Early on, while all this was going on, some little guy in the company booked a meeting with the upper management folks and told them he had the answer. His solution, he promised, would cost almost nothing to implement and would result in somewhere around a 40-percent increase in toothpaste sales. The only catch was he wanted $100,000 up front to hear the idea.
Obviously he was laughed out of the room. However, after all the efforts of the best minds the company had failed to deliver, they began to rethink their position and, after wasting thousands upon thousands in advertising and other efforts with no results, they set up a meeting to learn what this guy had to say. After the money was handed over, he slid a small piece of paper across the table. The leadership, marketing, and technical staff all gathered around to see what this guaranteed answer would be. On the paper, the guy had written, “Make the hole bigger.”
Oftentimes people (including, and dare I say especially, technical people) overlook the obvious in favor of a harder, sexier solution. P&G had hundreds of marketing and technical people in their employment. These people were capable, smart, and knew what they were doing, and when given a task to increase sales, they went furiously to work designing a solution. However, they overlooked the obvious and the simple (a bigger hole at the end of the tube will result in more toothpaste being used), and the little guy walked out of the room a wealthy man.
Social engineering and physical security are those obvious and simple solutions you may accidentally overlook. Why spend all the effort to hack into a system and crack passwords offline when you can just call someone up and ask for them? Why bother with trying to steal sensitive business information from encrypted shares when you can walk into the building and sit in on a sales presentation? Sure, you occasionally almost get arrested shuffling around in a dumpster for good information (our esteemed technical editor can attest to this), but most of social engineering is easy, simple, and very effective.
STUDY TIPS   Thankfully, most questions you’ll see about these topics are of the straightforward, definition-based variety. Be careful with the wording in these questions, though, because they’ll sometimes try to trick you up with petty minutiae instead of actually testing your knowledge.