Explain the Various Forms of Social Engineering Tactics That Hackers Employ and Provide an Example of Each
Criminals use social engineering tactics because it is usually easier to exploit a person's natural inclination to trust than it is to find a flaw in their software. For example, it is far easier to talk someone into handing over their password than it is to crack that password (unless the password is very weak).
Phishing messages take several forms. Some ask the end user to “verify” the login information for an account and include a mocked-up login page, complete with logos and branding, so that it looks legitimate. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account into which the winnings can be delivered. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy.

A successful attack often culminates in access to systems and lost data. Organizations of all sizes should consider backing up business-critical data with a business continuity and disaster recovery solution so they can recover from such situations.

Baiting, similar to phishing, involves offering the end user something enticing in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled “Executive Salary Summary Q3” that is left on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly onto the end user's system and the attacker is able to get to work.
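The lures described above (credential “verification”, prize or lottery winnings, payment details, post-disaster donation requests, and login links that only imitate the real brand) are exactly the features a mail-triage rule set looks for. The following is an added example written for this page, not code from the original text: a small rule-based scorer that flags those indicators in constructed sample messages. The trusted-host allowlist, the patterns, the weights and the threshold are all assumptions chosen for illustration; a real deployment would tune them against its own mail.

```python
"""Rule-based triage of messages for common social-engineering lures.

Added example, not from the original page. Sample messages, the trusted
login hosts, the indicator patterns and their weights are all constructed.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist: hostnames the organisation really uses for logins.
TRUSTED_LOGIN_HOSTS = {"login.example-bank.com", "sso.example-corp.com"}

# Each indicator is (name, weight, pattern applied to subject + body).
LURE_PATTERNS = [
    ("credential_verification", 3,
     re.compile(r"\b(verify|confirm|validate|re-?activate)\b.{0,40}"
                r"\b(account|login|password|credentials)\b", re.I | re.S)),
    ("prize_or_lottery", 3,
     re.compile(r"\b(winner|won|lottery|grand prize|sweepstakes)\b", re.I)),
    ("payment_details_request", 2,
     re.compile(r"\b(bank account|wiring instructions|wire transfer|routing number)\b", re.I)),
    ("charity_after_disaster", 2,
     re.compile(r"\b(donat\w*|relief fund)\b.{0,80}"
                r"\b(hurricane|earthquake|flood|tragedy|disaster)\b", re.I | re.S)),
    ("urgency", 1,
     re.compile(r"\b(within 24 hours|immediately|urgent|suspended)\b", re.I)),
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def lookalike_hosts(text):
    """Return link hosts that mention a trusted brand but are not a trusted host.

    A mocked-up login page is typically hosted on a domain such as
    login.example-bank.com.verify-now.net: the brand name appears in the
    hostname, but the registrable domain is verify-now.net.
    """
    # 'login.example-bank.com' -> 'example-bank'; used as the brand token.
    brands = {host.split(".")[-2] for host in TRUSTED_LOGIN_HOSTS}
    suspicious = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_LOGIN_HOSTS:
            continue
        if any(brand in host for brand in brands):
            suspicious.append(host)
    return suspicious


def triage(message):
    """Score one message; returns (score, sorted list of indicator names)."""
    text = message["subject"] + "\n" + message["body"]
    score, hits = 0, []
    for name, weight, pattern in LURE_PATTERNS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    if lookalike_hosts(text):
        score += 4                      # a fake login host is the strongest signal
        hits.append("lookalike_login_host")
    return score, sorted(hits)


def verdict(message, threshold=4):
    """Return ('phishing' | 'benign', score, indicators) for a message."""
    score, hits = triage(message)
    return ("phishing" if score >= threshold else "benign", score, hits)


# Constructed sample messages, one per lure described in the text plus a benign one.
SAMPLES = {
    "verify": {
        "subject": "Action required: verify your account",
        "body": "Your account will be suspended within 24 hours. Sign in at "
                "http://login.example-bank.com.verify-now.net/secure to confirm "
                "your login details.",
    },
    "lottery": {
        "subject": "Congratulations, you are our grand prize winner!",
        "body": "To release your winnings, reply with your bank account number "
                "and wiring instructions.",
    },
    "charity": {
        "subject": "Help the flood victims today",
        "body": "Please donate to our relief fund for families hit by the flood. "
                "Wire transfer details are attached.",
    },
    "benign": {
        "subject": "Q3 planning meeting",
        "body": "Slides are at https://sso.example-corp.com/share/q3-plan - "
                "see you Thursday.",
    },
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, verdict(msg))
```

The lookalike check is the one rule that does not rely on wording: it catches the “mocked-up login page complete with logos and branding” case by comparing the link's actual hostname with the organisation's own login hosts, which no amount of convincing copy can fake.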
The effectiveness of the risk management process and its underlying controls therefore needs to be assessed and reviewed over time. Such a review can lead to new analysis and possibly to changes in, for example, the risk response (Swanborn, P.G., 1990). The assessment can take the form of ongoing and/or periodic evaluation of the social engineering risk management process.
Staying up to date with software and firmware patches on endpoints is also important, as is keeping track of staff members who handle sensitive information and enabling advanced authentication measures for them.
Swanborn, P.G., De probleemstelling: Een pleidooi voor duidelijke taal. 1990, Sociologische gids, XXXVII(2): pp. 107-123.
Thiadens, T., Beheer van ICT-voorzieningen: Infrastructuren, applicaties en organisatie. 2002, Academic Service: Schoonhoven. 406 pp.
Verschuren, P.J.M. and H. Doorewaard, Het ontwerpen van een onderzoek. 2007, Lemma: Utrecht. 330 pp.