About Social Engineering

--Originally published at Intervention IT

We can implement different things, processes or systems to protect a network, but these alone cannot ensure safety from the users.

People are important in organizations, and in systems they are the weakest link. Social engineering is a con game, a scam: people attempt to defraud a person or group by abusing their confidence to obtain information about a system or organization.

Social engineers can include hackers, scam artists, salespeople and ordinary people.

It can be carried out by telephone, online, even through trash diving and simple persuasion.

Examples are dumpster diving (looking through someone's trash to collect information).

Shoulder surfing, which is the act of walking behind someone and looking at their information.

Phishing is an attempt to get a user to reveal information. It is often carried out through email or instant messaging.

Spear phishing targets specific individuals, usually with better results. It is difficult to protect against.
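Since phishing usually arrives by email, a defender can check incoming messages for the tell-tale signs of a lure before a user ever sees them. The script below is an added example, not part of the original post: it takes a raw message, compares the display name against the real sender domain, checks whether Reply-To points somewhere else, looks for look-alike domains one or two characters away from the organization's own, and flags pressure wording in the subject. The organization domain (`OUR_DOMAIN = "example.com"`) and the two sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the defended organization's own mail domain (placeholder value).
OUR_DOMAIN = "example.com"

URL_RE = re.compile(r"https?://[^\s<>\"']+")
URGENCY_WORDS = ("urgent", "immediately", "verify", "suspended", "within 24 hours")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def address_domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def link_domains(body):
    """Collect the host names of every http(s) URL found in the message body."""
    hosts = set()
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def phishing_indicators(raw_message):
    """Return human-readable indicators; an empty list means nothing looked off."""
    msg = message_from_string(raw_message)
    findings = []
    from_header = msg.get("From", "")
    display_name, _ = parseaddr(from_header)
    from_dom = address_domain(from_header)
    reply_dom = address_domain(msg.get("Reply-To"))

    # 1. Display name invokes our domain, but the real address is somewhere else.
    if OUR_DOMAIN in display_name.lower() and from_dom != OUR_DOMAIN:
        findings.append(f"display name claims {OUR_DOMAIN} but address is @{from_dom}")

    # 2. Replies are silently redirected to a third domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Look-alike domains (one or two edits away from ours) in the sender or the links.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for dom in sorted({from_dom} | link_domains(body)):
        if dom != OUR_DOMAIN and 0 < edit_distance(dom, OUR_DOMAIN) <= 2:
            findings.append(f"look-alike domain {dom}")

    # 4. Pressure language in the subject line, typical of phishing lures.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency wording in subject: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
PHISH = "\n".join([
    'From: "example.com IT Support" <helpdesk@examp1e-support.net>',
    "Reply-To: helpdesk@mail-reset.net",
    "Subject: URGENT: verify your password now",
    "",
    "Your mailbox is full. Reset it at http://examp1e.com/reset within 24 hours.",
])
LEGIT = "\n".join([
    'From: "Alice" <alice@example.com>',
    "Subject: lunch tomorrow",
    "",
    "See you at noon. Agenda: https://example.com/wiki/lunch",
])

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, phishing_indicators(raw))
```

None of these checks is proof on its own; the value is in combining them and routing a message with several hits to a quarantine or a second look, which is the kind of control that can catch the generic lure even when a well-researched spear-phishing message slips through.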

 

Attack Surface:

Known, unknown, or potential vulnerabilities across software, hardware, network and users.

An attack is anything that can compromise the security of the data.

Passive: non-invasive, like monitoring transmissions.

Active: the attacker tries to break into secured systems to steal, modify or introduce information.

 

Software vulnerabilities are common; they usually are glitches or flaws. Updating the system with the latest security patches, or controlling which software can be installed, reduces the attack surface.

Hardware attack surface: physical access is required, but the attack can also be executed via the network.