CompTIA Security+

Social Engineering

Compare and contrast types of attacks.

Social Engineering attacks target the vulnerability of people. It's human nature to be complacent, sympathetic, and/or trust the kindness of strangers. As a security professional, you must understand how bad guys take advantage of good people to achieve their objectives. Attackers often use Social Engineering to collect intelligence, gain access, or install malicious software. You should also know how to mitigate these attacks through cybersecurity awareness programs. If you want to change someone's behavior, increase their awareness.

Principles

Social Engineering attacks are successful because they use the following principles to take advantage of people: authority, intimidation, consensus, scarcity, familiarity, trust, and urgency. Below are examples for each.

Authority

Calling someone for their password while impersonating an IT helpdesk clerk.

Intimidation

Frightening someone into connecting a USB device to their computer.

Consensus

Exchanging tickets to a football game for administrator privileges.

Scarcity

Emailing someone a link and the promise of limited access to a vaccine if they click on it.

Familiarity

Using common interests and kindness to collect intelligence from an employee about their organization.

Trust

Leveraging an existing relationship to get someone to download unauthorized software.

Urgency

Gaining physical access to a building after asking for directions to the bathroom.

Phishing

Phishing attacks are when someone uses technology to lure someone else into a trap or into disclosing sensitive information. Attackers will often automate this process and spam thousands of people in hopes of getting at least a handful of victims.

Spear Phishing

Spear Phishing is when the attacker targets a specific person. For example, you were the target of a Spear Phishing attack if you ever got a bogus email that referenced unique things about you and your interests.

Whaling

Whaling is when the attacker targets a specific person because of their status or position. Imagine what would happen if the CEO of your organization was the victim of a Whaling attack. Do they have access to sensitive information that shouldn't be disclosed?

Vishing

Vishing is phishing over the phone. The attacker uses their voice, tone, and slang to be more convincing than they would be in an email.
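The phishing, spear phishing, and whaling sections above describe the lure from the victim's side. The following is an added example, not code from the original page, showing how the same cues are checked mechanically: a lookalike sender domain, a display name that embeds a trusted address, link text whose visible host differs from the real href, and the urgency and authority pressure listed under Principles. The trusted domains, phrase lists, scoring weights and both sample messages are constructed for the example.

```python
"""Added example (not from the original page): a small phishing-indicator
scanner run over constructed email messages. Every domain, name, phrase
list and message below is constructed for the example."""

import re
from dataclasses import dataclass, field

# Constructed: the organization's own mail domains.
TRUSTED_DOMAINS = {"example.com", "mail.example.com", "portal.example.com"}

# Digit-for-letter swaps commonly used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "final notice")
AUTHORITY_PHRASES = ("it helpdesk", "help desk", "security team", "ceo", "payroll")

LINK_RE = re.compile(r'<a\s+href="https?://([^/"]+)[^"]*"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})', re.I)
ADDRESS_RE = re.compile(r'[\w.+-]+@([\w.-]+)')


@dataclass
class Message:
    display_name: str
    from_addr: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def normalize_domain(domain: str) -> str:
    """Undo common substitutions so 'examp1e.com' compares as 'example.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_lookalike(domain: str) -> bool:
    """Not a trusted domain itself, but becomes one once the tricks are undone."""
    return domain not in TRUSTED_DOMAINS and normalize_domain(domain) in TRUSTED_DOMAINS


def mismatched_links(body: str) -> list:
    """(visible host, real host) pairs where the link text names a different host."""
    pairs = []
    for href_host, text in LINK_RE.findall(body):
        m = HOST_IN_TEXT_RE.search(text)
        if m and m.group(1).lower() != href_host.lower():
            pairs.append((m.group(1).lower(), href_host.lower()))
    return pairs


def analyze(msg: Message) -> Verdict:
    v = Verdict()
    dom = sender_domain(msg.from_addr)
    if is_lookalike(dom):
        v.add(3, f"lookalike sender domain {dom}")
    # Display name carries a trusted address while the real sender is elsewhere.
    for claimed in ADDRESS_RE.findall(msg.display_name):
        if claimed.lower() in TRUSTED_DOMAINS and dom not in TRUSTED_DOMAINS:
            v.add(3, f"display name claims {claimed} but mail is from {dom}")
    for visible, real in mismatched_links(msg.body):
        v.add(2, f"link text shows {visible} but points to {real}")
    text = f"{msg.display_name} {msg.subject} {msg.body}".lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            v.add(1, f"urgency cue: {phrase!r}")
    for phrase in AUTHORITY_PHRASES:
        if phrase in text:
            v.add(1, f"authority cue: {phrase!r}")
    return v


# Constructed sample messages: one lookalike-domain phish, one ordinary mail.
PHISH = Message(
    display_name="IT Helpdesk <helpdesk@example.com>",
    from_addr="helpdesk@examp1e.com",
    subject="URGENT: password reset required",
    body='Your account will be suspended within 24 hours. Reset now at '
         '<a href="http://login.examp1e.com/reset">https://portal.example.com/reset</a>',
)
LEGIT = Message(
    display_name="Alice Smith",
    from_addr="alice@example.com",
    subject="Lunch Friday?",
    body='Menu is at <a href="https://mail.example.com/menu">mail.example.com/menu</a>',
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        verdict = analyze(m)
        print(f"{m.subject!r}: score={verdict.score} suspicious={verdict.suspicious}")
        for r in verdict.reasons:
            print("  -", r)
```

The weights are deliberately crude: a single urgent word in a real message should not trip the threshold, while a lookalike domain or a display name borrowing a trusted address is enough on its own. Run over a real mailbox, the reasons list is what an awareness program shows users so they learn to spot the same cues without tooling.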

Proximity-based Attacks

Tailgating

Tailgating is when someone follows closely behind you in order to avoid having to open a door themselves. Organizations will often have physical security controls that require something an outsider does not know or have (like a PIN and a badge). To bypass these obstacles, an attacker might wait for someone innocent and gullible enough to hold the door open for them.
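A badge-and-PIN door cannot see the second person who slips through behind a valid holder, but the badge logs can reveal them later. The following is an added example, not code from the original page, of an anti-passback check: every door is mapped to the zone a badge must already be in and the zone it leads to, and any badge presented somewhere its own history says it cannot be is reported. The door layout, badge IDs, log format and log lines are all constructed for the example.

```python
"""Added example (not from the original page): an anti-passback check over
constructed badge-reader logs. Door names, zones, badge IDs and the log
format are all constructed."""

from dataclasses import dataclass
from datetime import datetime

# Constructed site layout: door -> (zone you must already be in, zone it leads to).
DOORS = {
    "lobby-entry": ("outside", "lobby"),
    "lobby-exit":  ("lobby", "outside"),
    "server-room": ("lobby", "server-room"),
    "server-exit": ("server-room", "lobby"),
}


@dataclass
class Event:
    ts: datetime
    badge: str
    door: str


def parse_log(lines):
    """Parse constructed 'ISO-timestamp badge door' lines; '#' starts a comment."""
    events = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, badge, door = line.split()
        events.append(Event(datetime.fromisoformat(ts), badge, door))
    return sorted(events, key=lambda e: e.ts)


def find_passback_violations(events):
    """Return (event, expected_zone, actual_zone) for badges used where they cannot be.

    A badge's location is whatever zone the last accepted reader put it in;
    everyone starts 'outside'. Presenting a badge at a door whose required
    zone differs from that location means the holder passed a door without
    badging, which is the trace a tailgater leaves.
    """
    location = {}
    violations = []
    for ev in events:
        needed, leads_to = DOORS[ev.door]
        actual = location.get(ev.badge, "outside")
        if actual != needed:
            violations.append((ev, needed, actual))
        location[ev.badge] = leads_to  # the reader accepted the badge, so it is now past the door
    return violations


def report(lines):
    """Human-readable lines for each violation found in the given log."""
    out = []
    for ev, needed, actual in find_passback_violations(parse_log(lines)):
        out.append(f"{ev.ts.isoformat()} {ev.badge} used {ev.door} from '{actual}', "
                   f"expected to be in '{needed}'")
    return out


# Constructed sample log: B1001 behaves normally, B2002 and B3003 do not.
SAMPLE_LOG = """
2024-03-01T08:00:00 B1001 lobby-entry
2024-03-01T08:02:00 B1001 server-room
2024-03-01T08:03:00 B2002 server-room   # never badged in at the lobby
2024-03-01T08:30:00 B1001 server-exit
2024-03-01T08:31:00 B1001 lobby-exit
2024-03-01T17:00:00 B3003 lobby-exit    # leaves but never entered
""".splitlines()

if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Two things the check does not do on purpose: it does not block the holder (that is a policy decision for the badging system, not for a log review), and it does not try to identify who let the tailgater in. It only surfaces the badges whose history is inconsistent with the doors they passed, which is the list a security team follows up on.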

Shoulder Surfing

Shoulder Surfing is when someone looks over your shoulder to gather sensitive information like PINs and passwords. An attacker may also be able to collect proprietary information like trade secrets, intellectual property, and plans your organization has for the future.

Community-based Attacks

Tailgating and Shoulder Surfing are attacks against a single person. Hoaxes, watering hole attacks, and dumpster diving target the organization as a whole.

Hoaxes

The Online Etymology Dictionary suggests the word "hoax" comes from "hocus-pocus" or "the tricks of a magician." In cybersecurity, hoaxes are simply fabrications of the truth (usually disseminated via email). They serve to create fear, uncertainty, and doubt. Be vigilant about misinformation. The last thing you want is someone being scared into calling the police over a bogus bomb threat or getting tricked into disabling their anti-virus program because they were told it's spying on them.

Watering Holes

In the physical world, watering holes are where different animals congregate to consume water. A watering hole in cyberspace may be a file server or internal web portal, a place where people congregate to consume the same information. Attackers may target services like this to quickly infect multiple computers. You can reduce the success of Watering Hole attacks by restricting access to collaboration tools to only authorized personnel.

Dumpster Diving

Attackers will often go Dumpster Diving to look for discarded items like confidential reports, building or network diagrams, hard disk drives, access badges, etc. As a cybersecurity professional, ensure your organization has an Information Security policy that addresses the lifecycle of information and equipment. It should specifically cover labeling, storage, and disposal.

Last updated 4 years ago
