Social Engineering
The last attack that needs to be addressed can be one of the easiest and most productive attacks of all: social engineering. It plays on human behavior and how we interact with one another. The attack doesn't feel like an attack at all. As a matter of fact, we teach our employees to be customer service oriented, so many times they think they are being helpful and doing the right thing. It is imperative that you understand how easy social engineering has become. Some scenarios of social engineering attacks are provided in the following list:
A vice president calls you and states that she's in real trouble. She's attempting to do a presentation for a very important client and has forgotten her password. She just changed it yesterday and can't remember what it is. She needs to have it right away because she has a room full of clients waiting and she's starting to look incompetent. This is a really big client and means a lot of money to the company.
Someone you have never seen before approaches you as you are entering a secured building. She has her hands full carrying coffee and doughnuts. She smiles and says she just doesn't seem to have an extra hand to grab the door. She asks that you please hold it for her.
You receive a call from the corporate office saying that they are putting a new mail server into place and need to verify current user accounts and passwords. You are told that it is not good to send this information via email, so please print it and fax it directly to a number given to you that is a direct line for the person putting the new server into place.
CAUTION
Social engineering is an attack that plays upon human behavior.
In each of these situations, an attacker tries to manipulate corporate users to gain access or knowledge that will allow him entry into either the building or the network. Empathy and urgency are played upon in the first two scenarios. This makes users feel that it is okay to give out information or allow access to the building. In the third scenario, the user is made to feel that the use of email will be affected if she doesn't comply. Each attack plays on human behavior and our willingness to help and trust others.
The best defense against social engineering is a combination of operational/administrative, technical, and environmental controls. It comes down to technology, policies, education, awareness, and training.
Now that we've completed our overviews of the different types of attacks and viruses, you need to understand the auditing process so you can track users' actions on the network to prevent these attacks and viruses from occurring.