2 cissp ® Official Study Guide Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Social Engineering
Social engineering is one of the most effective tools attackers use to gain access to a system. In its most basic form, a social-engineering attack consists of simply calling the user and asking for their password, posing as a technical support representative or other authority figure who needs the information immediately. Fortunately, most contemporary computer users are aware of these scams, and the effectiveness of directly asking a user for a password is somewhat diminished today. Instead, these attacks rely on phishing emails that prompt users to log in to a fake site using their actual username and password, which are then captured by the attacker and used to log into the actual site. Phishing attacks often target financial services websites, where user credentials can be used to quickly transfer cash. In addition to tricking users into giving up their passwords, phishing attacks are often used to get users to install malware or provide other sensitive personal information.

Phishing messages are becoming increasingly sophisticated and are designed to closely resemble legitimate communications. For example, the phishing message shown in Figure 21.1 was sent to thousands of recipients representing itself as an official communication from the Social Security Administration. Users clicking the link were redirected to a malicious website that captured their sensitive information.
There are also many common variants of phishing. Some of these include the following:

Spear phishing attacks are specifically targeted at an individual based upon research conducted by the attacker. They may include personal information designed to make the message appear more authentic.

Whaling attacks are a subset of spear phishing attacks sent to high-value targets, such as senior executives.

Vishing attacks use phishing techniques over voice communications, such as the telephone.
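The passage above describes the core of a credential-phishing email: a link whose visible text promises the real site while its target is an attacker-controlled lookalike. The following is an added example (not code from the study guide) of the kind of check a mail gateway or security-awareness tool can run over an HTML message body. It flags two indicators, a visible link text that names one domain while the href points to another, and a hostname that borrows a trusted brand's name without being that domain. The TRUSTED_DOMAINS allow-list and the SAMPLE_PHISHING message are constructed for the demo, and registrable_domain() is an assumed, deliberately crude eTLD+1 guess that real code would replace with a public-suffix list.

```python
"""Screen the links in an HTML e-mail body for two common phishing
indicators: anchor text that names one domain while the href points to
another, and hostnames that borrow a trusted brand's name without being
that domain (lookalike domains).

Added example for this study-guide passage, not code from the book.
TRUSTED_DOMAINS and SAMPLE_PHISHING are constructed for the demo, and
registrable_domain() is an assumed, deliberately crude eTLD+1 guess."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains this organisation treats as legitimate.
TRUSTED_DOMAINS = {"ssa.gov", "example-bank.com"}

# Constructed sample message in the style of the SSA lure described above.
SAMPLE_PHISHING = """
<p>Your Social Security statement is ready to view.</p>
<p><a href="http://ssa-gov-secure-login.com/my/statement">https://www.ssa.gov/myaccount</a></p>
<p><a href="https://www.ssa.gov/agency/privacy">Privacy policy</a></p>
"""

# Something that looks like a hostname inside the visible link text.
_DOMAIN_IN_TEXT = re.compile(r"((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-label public
    suffixes such as co.uk; real code should consult a public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like(host, trusted=TRUSTED_DOMAINS):
    """True when host is not a trusted domain but its labels contain a trusted
    brand name, e.g. ssa-gov-secure-login.com or ssa.gov.evil.net."""
    if not host or registrable_domain(host) in trusted:
        return False
    tokens = set(re.split(r"[.-]", host.lower()))
    for t in trusted:
        brand_tokens = t.split(".")[0].split("-")
        if all(b in tokens for b in brand_tokens):
            return True
    return False


def analyze_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per suspicious link: {'href', 'text', 'reasons'}."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        shown = _DOMAIN_IN_TEXT.search(text)
        # Visible text names a domain that is not where the link really goes.
        if shown and host and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("display-host-mismatch")
        # Target host imitates a trusted brand without being that domain.
        if looks_like(host, trusted):
            reasons.append("lookalike-domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_links(SAMPLE_PHISHING):
        print(f"{', '.join(f['reasons'])}: {f['text']!r} -> {f['href']}")
```

Running the module reports the first link of the sample on both counts, while the genuine privacy-policy link passes. The mismatch check is the more robust of the two because it does not depend on an allow-list: any link whose visible URL disagrees with its actual target is worth quarantining or rewriting to a warning page regardless of which brand is being imitated.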


Chapter 21  Malicious Code and Application Attacks

Figure 21.1  Social Security phishing message (image not reproduced in this excerpt)
Image source: U.S. Social Security Administration
Although users are becoming savvier, social engineering still poses a significant threat to the security of passwords (and networks in general). Attackers can often obtain sensitive personal information by “chatting up” computer users, office gossips, and administrative personnel. This information can provide excellent ammunition when mounting a password-guessing attack. Furthermore, attackers can sometimes obtain sensitive network topography or configuration data that is useful when planning other types of electronic attacks against an organization.

Dumpster diving is a variant of social engineering where the attacker literally rummages through the trash of the target company, searching for sensitive information. This technique is easily defeated by shredding papers and wiping electronic media, but dumpster divers are still surprisingly successful with their efforts.