
CompTIA Security+ 501

CompTIA Security+
SY0-501

Instructor: Ron Woerner, CISSP, CISM

CompTIA Security+
Domain 1 –
Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks

Part 1: Social Engineering Attacks

Cybrary - Ron Woerner 1



1.2 Attack Types


● Social engineering: Phishing; Spear phishing; Whaling;
Vishing; Tailgating; Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting;
Cross-site request forgery; Privilege escalation; Impersonation/Masquerading;
Replay; Driver manipulation (Shimming; Refactoring);
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables;
Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking;
Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification;
DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV);
Evil twin; Rogue AP; Jamming; Bluejacking; Bluesnarfing

Social Engineering
Definition:
● The process by which intruders gain access to facilities, network, systems,
data and even employees by exploiting the generally trusting nature of
people.
● The use of deception to manipulate individuals into divulging confidential or
personal information that may be used for fraudulent purposes.

● Reference: Chris Hadnagy, The Art of Human Hacking (Wiley, 2010)


Social Engineering Attack Types


● Online
○ Phishing; Vishing; Whaling; Spear Phishing
○ Spoofing

● Offline / Physical
○ Tailgating
○ Impersonation
○ Dumpster diving
○ Shoulder surfing

● Either

Communications Spoofing / Fraud

● Phishing: sending emails purporting to be from reputable companies in order to
induce individuals to reveal personal information.
● Spear Phishing: sending emails ostensibly
from a known or trusted sender in order to
induce targeted individuals to reveal
confidential information.


Phishing Example

Communications Spoofing / Fraud

● Whaling: a phishing attack that is specifically aimed at wealthy, powerful, or
prominent individuals.
● Vishing: making phone calls or leaving voice
messages purporting to be from reputable companies.
● Pharming: redirecting traffic to a spoofed web site
● Variants: SMiShing


Communications Spoofing
● Vishing: the fraudulent practice of
making phone calls or leaving voice
messages purporting to be from
reputable companies in order to
induce individuals to reveal
personal information.
● Variants: SMiShing

Communications Spoofing
● Hoax: Malicious actors issuing false warnings to
alarm users
● Swatting: Fraudulent calls to the police
● Watering Hole Attack: A security exploit in which
the attacker seeks to compromise a specific
group of end users by infecting websites that
members of the group are known to visit.


Social Engineering Attacks – Physical


Tailgating: gaining entry to an electronically locked facility by following
someone through the door they just unlocked.

Social Engineering Attacks – Physical


Dumpster Diving: The practice of
foraging in garbage that has
been put out on the street in
dumpsters, garbage cans, etc.,
for discarded items that may still
be valuable, useful, or used to
commit fraud.


Social Engineering Attacks – Physical


● Shoulder Surfing: watching someone “over their shoulder” when they enter
sensitive data such as a password or credit card information.

Social Engineering – Principles


Reasons for effectiveness
● Authority
● Intimidation
● Consensus / Social Proof
● Scarcity
● Familiarity / Liking
● Trust
● Urgency
● Reciprocity

Reference: Cialdini, Influence, Science and Practice, 5th ed, 2009


Social Engineering – Prevention


● User education
● “Trust, but verify”
● “If you see something, say something”

Sample question
A user contacts you suspecting that his computer is
infected. Yesterday he opened an email that looked like
it was from a colleague. When he later talked to that
person, she said she never sent an email. What type of
attack is the most likely the cause of the infection?

A. Phishing
B. Trojan
C. Spear phishing
D. Whaling


Sample question
You observe a delivery person entering your building
by following an employee through a locked door into
a secure facility. Which term best describes this type
of attack:

A. Shoulder surfing
B. Reciprocity
C. Tailgating
D. Whaling

Security+ Lab Guide


Social Engineering Reconnaissance
● Often a compromise in a company begins by
attackers searching through social media for
information on employees or the organization
● Attackers are looking to gain access to internal
systems by impersonating or exploiting
internal employees


CompTIA Security+
Domain 1 –
Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks

Part 2: Application/service Attacks

Attack Types
● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating;
Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting;
Cross-site request forgery; Privilege escalation; Impersonation/Masquerading;
Replay; Driver manipulation (Shimming; Refactoring); Zero-Day (0-Day)
Exploits
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables;
Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking;
Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification;
DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV);
Evil twin; Rogue AP; Jamming; Bluejacking


Application Attacks
● Buffer overflow
● Injection
● Cross-site scripting (XSS)
● Cross-site request forgery (CSRF or XSRF)
● Privilege escalation

OWASP Top 10 Application Security Risks - 2017

https://www.owasp.org/index.php/Top_10-2017_Top_10


Application Attacks –
Buffer overflow

● When more data are written to a buffer than it can hold
● An anomaly where a program,
while writing data to a buffer,
overruns the buffer's boundary
and overwrites adjacent
memory locations.

Application Attacks – Injection

● Occurs when untrusted data is sent to an interpreter as part of a command or
query.
● The most common fall into the following categories:
○ Escape characters not filtered correctly
○ Type handling not properly done
○ Conditional errors
○ Time delays

● The way to defend against this attack is always to filter input.
● Examples: SQL injection, OS command injection, LDAP injection, XML injection
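The "escape characters not filtered correctly" case from the list above, shown against a constructed in-memory SQLite table as an added example (not course material): the query built by string formatting lets a quote in the input change the command, while the parameterized query treats the same input purely as data.

```python
import sqlite3

def make_db():
    # Constructed demo database: one user with a known password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('ron', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is pasted straight into the SQL text, so the interpreter
    # cannot tell data from command: the injection the slide describes.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0

def login_parameterized(conn, username, password):
    # Bound parameters reach the engine separately from the query text, so a
    # quote character in the input can never alter the query's structure.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0

def demo():
    conn = make_db()
    # Constructed hostile password: an unfiltered quote plus an always-true clause.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_accepts_hostile": login_vulnerable(conn, "ron", hostile),
        "parameterized_accepts_hostile": login_parameterized(conn, "ron", hostile),
        "parameterized_accepts_real": login_parameterized(conn, "ron", "correct-horse"),
    }
```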


Application Attacks – Cross-site scripting & Cross-site request forgery

● Cross-site scripting (XSS): occurs whenever an application includes untrusted
data in a new web page without proper validation or escaping, or updates an
existing web page with user-supplied data using a browser API that can create
HTML or JavaScript.
○ Example: Ron<SCRIPT>alert('hello')</SCRIPT>Woerner

● Cross-site request forgery (CSRF/XSRF): an attack that forces an end user to
execute unwanted actions on a web application. Also known as session riding or
a one-click attack.
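Added example (not from the course) covering both bullets: output encoding applied to the slide's own XSS string, and a CSRF token check that refuses a request carrying the victim's session but no token. The server key and session id are constructed placeholders.

```python
import hashlib
import hmac
import html
import secrets

# The slide's XSS example, used as the untrusted input.
UNTRUSTED_NAME = "Ron<SCRIPT>alert('hello')</SCRIPT>Woerner"

def render_greeting_unsafe(name):
    # Untrusted data dropped into HTML unchanged: the browser would run the script.
    return "<p>Hello, " + name + "</p>"

def render_greeting_safe(name):
    # Output encoding: characters with HTML meaning become entities, so the
    # data is displayed as text instead of being parsed as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

SERVER_SECRET = secrets.token_bytes(32)   # hypothetical server-side key

def make_csrf_token(session_id):
    # Per-session token derived from a secret a cross-site page cannot know.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def handle_transfer(session_id, form):
    # A forged request arrives with the victim's cookie but without the token.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, make_csrf_token(session_id)):
        return "rejected: missing or invalid CSRF token"
    return "transfer accepted"

def demo():
    sid = "session-abc123"                          # constructed session id
    forged = {"amount": "1000", "to": "attacker"}   # constructed cross-site form
    genuine = dict(forged, csrf_token=make_csrf_token(sid))
    return {
        "unsafe_contains_script": "<SCRIPT>" in render_greeting_unsafe(UNTRUSTED_NAME),
        "safe_contains_script": "<SCRIPT>" in render_greeting_safe(UNTRUSTED_NAME),
        "safe_html": render_greeting_safe(UNTRUSTED_NAME),
        "forged": handle_transfer(sid, forged),
        "genuine": handle_transfer(sid, genuine),
    }
```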

Application Attacks –
Privilege Escalation
The act of exploiting a bug, design flaw or configuration
oversight in an operating system or software
application to gain elevated access to resources that
are normally protected from an application or user.


Application Attacks –
Prevention & Response
● Good coding practices – See OWASP
● Filter and validate any user input
● Use a Web Application Firewall (WAF)
● Build security into the Software Development
Life Cycle (SDLC)
● Have an incident response plan in place

Zero-Day (0-Day) Exploits

● An attack that exploits a previously unknown security vulnerability.
● It may take advantage of a security vulnerability on the
same day that the vulnerability becomes generally known.

● Example: Stuxnet

● Prevention:
○ Defense in depth;
○ Patch;
○ Keep AV up-to-date


Impersonation / Masquerading / Replay Attacks


● The act of pretending to be someone or something to gain unauthorized
access to a system.
● Replay: capturing network traffic via eavesdropping, then reestablishing a
communications session by replaying captured traffic using spoofed
authentication credentials.
● Prevention: token authentication (Kerberos), MFA/TFA, encryption,
sequenced session identification
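The "sequenced session identification" defense as an added example (not course code): each message carries a sequence number under an HMAC, so a captured message sent again is recognised by its stale number and a message with an edited number fails the MAC. The shared key is a constructed placeholder.

```python
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key"   # hypothetical key agreed out of band

def sign_message(seq, body):
    # The sequence number is inside the authenticated payload, so it cannot be
    # stripped or altered without invalidating the MAC.
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

class Receiver:
    """Accepts each sequence number at most once and only in increasing order."""
    def __init__(self):
        self.last_seq = 0
        self.log = []

    def accept(self, msg):
        expected = hmac.new(SHARED_KEY, msg["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad MAC"
        seq = json.loads(msg["payload"])["seq"]
        if seq <= self.last_seq:
            # A replayed capture reuses a sequence number already consumed.
            self.log.append("replay attempt seq=%d" % seq)
            return "rejected: replayed"
        self.last_seq = seq
        return "accepted"

def demo():
    rx = Receiver()
    m1 = sign_message(1, "login ron")
    m2 = sign_message(2, "transfer 100")
    results = [rx.accept(m1), rx.accept(m2)]
    # An eavesdropper's unchanged copy of m2 presented again.
    results.append(rx.accept(m2))
    # Same copy with the sequence number bumped but the MAC left as captured.
    tampered = {"payload": m2["payload"].replace(b'"seq": 2', b'"seq": 3'),
                "mac": m2["mac"]}
    results.append(rx.accept(tampered))
    return results, rx.log
```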

Driver manipulation

● Driver: a program that controls a device (printers, media, keyboards, etc.)
● Shimming: creating a library—or modifying an existing one—to bypass a driver
and perform a function other than the one for which the API was created.
● Refactoring: a set of techniques used to identify the flow and then modify the
internal structure of code without changing the code's visible behavior


Cryptographic attacks
See section on Cryptography

● Birthday: an attack on a cryptographic hash that looks for hash collisions –
exploiting the 1-to-1 nature of hashing functions.
● Known plain text/cipher text: the attacker attempts to derive a cryptographic
key by using pairs of known plain text along with the corresponding cipher text.
● Frequency analysis: looking at the blocks of an encrypted message to determine
whether any common patterns exist
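Why the birthday attack matters, as an added example (not from the course): a fixed-size digest must map many inputs to the same value, and a search that remembers every digest seen finds two colliding inputs after roughly 2^(bits/2) hashes rather than 2^bits. SHA-256 is truncated to 24 bits here purely so the search finishes in a moment; the digest size is the only assumption.

```python
import hashlib
import math

def truncated_hash(data, bits):
    # Keep only the leading `bits` of SHA-256 to model a small hash output.
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)

def expected_tries(bits):
    # Birthday bound: about sqrt(pi/2 * 2**bits) hashes before the first repeat.
    return math.sqrt(math.pi / 2 * 2 ** bits)

def find_collision(bits, limit):
    # Remember every digest; the first repeat is a collision between two
    # distinct inputs. Returns (hashes computed, input a, input b).
    seen = {}
    for i in range(limit):
        msg = b"msg-%d" % i          # constructed, distinct inputs
        h = truncated_hash(msg, bits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
    return None

def demo(bits=24):
    tries, a, b = find_collision(bits, 1 << bits)
    return {
        "bits": bits,
        "tries": tries,
        "expected": expected_tries(bits),
        "inputs_differ": a != b,
        "digests_equal": truncated_hash(a, bits) == truncated_hash(b, bits),
        # Far fewer hashes than the 2**bits a brute-force preimage search needs.
        "far_below_2_to_bits": tries < (1 << bits) // 64,
    }
```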

Cryptographic attacks
Password attacks:
● Dictionary: systematically entering each word in a
dictionary as a password
● Brute force: systematically attempting all possible combinations of
letters, numbers, and symbols. Usually automated.
● Rainbow tables: all of the possible password hashes are computed in
advance and those hash values are compared with the password
database.
● Pass the hash: An attacker attempts to authenticate to a remote
server or service by intercepting password hashes on a network.
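Why rainbow tables work against unsalted password hashes and not against salted ones, as an added example (not course code): a table precomputed once from a wordlist recovers every unsalted hash it covers, while a per-user random salt makes the stored value unpredictable and gives two users with the same password different hashes. The wordlist and salts are constructed.

```python
import hashlib
import os

WORDLIST = ["password", "letmein", "qwerty", "correct-horse"]   # constructed

def unsalted_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

def salted_hash(pw, salt):
    # Per-user random salt stored beside the hash; PBKDF2 also adds a work factor.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()

# Precomputed once and reusable against every database: the table's whole advantage.
PRECOMPUTED = {unsalted_hash(w): w for w in WORDLIST}

def lookup_table(stored_hash):
    # Recovers the password only if the stored value was precomputable.
    return PRECOMPUTED.get(stored_hash)

def demo():
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    stored_unsalted = unsalted_hash("letmein")
    stored_salted = salted_hash("letmein", salt_a)
    return {
        "unsalted_recovered": lookup_table(stored_unsalted),
        "salted_recovered": lookup_table(stored_salted),
        # The legitimate check still works because the salt is stored with the hash.
        "salted_verifies": salted_hash("letmein", salt_a) == stored_salted,
        # Two users sharing a password: identical unsalted hashes, distinct salted ones.
        "same_pw_same_unsalted": unsalted_hash("letmein") == stored_unsalted,
        "same_pw_same_salted": salted_hash("letmein", salt_b) == stored_salted,
    }
```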


Sample question
During a breach investigation, you notice that the attacker
entered the database through a web front end application
by manipulating the database code to exploit a
vulnerability. What is the most likely name for this type of
attack?

A. SQL parsing
B. Database injection
C. SQL injection
D. Session hijacking

Sample question
Which of the following type of attack is the result of
software vulnerabilities and is caused by supplying
more data than is expected in an input field?

A. Buffer overflow attack
B. Cross site scripting
C. Denial-of-Service (DoS) attack
D. App overloading


Sample question
Which form of attack uses special programs that attempt
all possible character combinations to determine
passwords?

A. brute-force attack
B. dictionary attack
C. password guessing
D. birthday attack


CompTIA Security+
Domain 1 –
Threats, Attacks and Vulnerabilities
1.2 Compare and contrast types of attacks

Part 3: Network & Wireless Attacks

Attack Types
● Social engineering: Phishing; Spear phishing; Whaling; Vishing; Tailgating;
Impersonation; Dumpster diving; Shoulder surfing
● Application/service attacks: Buffer overflow; Injection; Cross-site scripting;
Cross-site request forgery; Privilege escalation; Impersonation/Masquerading;
Replay; Driver manipulation (Shimming; Refactoring);
● Cryptographic attacks: Birthday; Known plain text/cipher text; Rainbow tables;
Dictionary; Brute force; Pass the hash
● Hijacking and related attacks: Clickjacking; Session hijacking; URL hijacking;
Typo squatting; MAC spoofing; IP spoofing
● Network / Wireless Attacks: DoS; DDoS; Man-in-the-middle; Amplification;
DNS poisoning; Domain hijacking; ARP poisoning; Initialization Vector (IV);
Evil twin; Rogue AP; Jamming; Bluejacking


Hijacking and related attacks

● Clickjacking: tricking a web user into clicking a spoofed button or graphic.
● Session hijacking (Cookie hijacking): exploiting a valid computer session, or
session key, to gain unauthorized access to information or services.
● URL hijacking / Typo squatting: the act of registering domains that are
similar to those for a known entity but based on a misspelling or typographical
error. (examples: g00gle.com, gooogle.com)
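A lookalike-domain check of the kind a mail gateway or brand-monitoring job would run, as an added example (not course code), using the slide's g00gle.com and gooogle.com: digit-for-letter swaps are normalised and the edit distance to the organisation's own domain is measured. The own-domain list and homoglyph map are constructed assumptions.

```python
OWN_DOMAINS = ["google.com"]   # hypothetical list of the organisation's domains

# Digits and symbols commonly substituted for letters, mapped back to the letter.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})

def levenshtein(a, b):
    # Standard edit distance: insertions, deletions and substitutions cost 1.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain):
    # The label an attacker registers: "google" in "google.com" or "mail.google.com".
    return domain.lower().rsplit(".", 2)[-2]

def classify(candidate, own=OWN_DOMAINS, max_distance=2):
    cand = candidate.lower()
    label = registrable_label(cand).translate(HOMOGLYPHS)
    for d in own:
        if cand == d or cand.endswith("." + d):
            return "own"
        ours = registrable_label(d)
        if label == ours or levenshtein(label, ours) <= max_distance:
            return "lookalike of " + d
    return "unrelated"

def demo():
    # Constructed candidates: the slide's two examples plus controls.
    return {c: classify(c) for c in
            ["google.com", "mail.google.com", "g00gle.com", "gooogle.com", "example.org"]}
```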

Network Hijacking Attacks

MAC spoofing: the Media Access Control (MAC) address is a number hard-coded on a
network interface controller (NIC). Many drivers allow the MAC address to be
changed. MAC spoofing is a technique for changing the factory-assigned MAC
address of a network interface on a networked device.


Network Hijacking Attacks


IP spoofing: A technique used to gain unauthorized access to
machines, whereby an attacker illicitly impersonates another machine
by manipulating IP packets. IP Spoofing involves modifying the packet
header with a forged (spoofed) source IP address, a checksum, and the
order value.

Network Hijacking Attacks


ARP spoofing: when an attacker sends fake ARP (Address Resolution Protocol)
messages over a local area network. This results in the linking of an
attacker's MAC address with the IP address of a legitimate computer or server
on the network.
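Detecting the MAC-to-IP relinking described above from ARP reply records, as an added example (not course code): an IP whose claimed MAC changes, a reply contradicting a known gateway MAC, or one MAC answering for several IPs each raises an alert. The log lines and addresses are constructed, not real captures.

```python
import re
from collections import defaultdict

# Constructed ARP reply log in a "ip is-at mac" style.
ARP_LOG = """\
12:00:01 arp reply 192.168.1.1 is-at aa:bb:cc:00:00:01
12:00:02 arp reply 192.168.1.20 is-at aa:bb:cc:00:00:20
12:00:05 arp reply 192.168.1.1 is-at aa:bb:cc:00:00:01
12:00:09 arp reply 192.168.1.1 is-at de:ad:be:ef:00:99
12:00:10 arp reply 192.168.1.30 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(r"^(\S+) arp reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})$")

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect(log, trusted=None):
    """Return alerts; `trusted` optionally maps gateway IPs to their known MAC."""
    trusted = trusted or {}
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in parse(log):
        if ip in trusted and mac != trusted[ip]:
            # Contradicts the pinned gateway MAC: flag even on first sight.
            alerts.append("%s %s claimed by %s, trusted MAC is %s"
                          % (ts, ip, mac, trusted[ip]))
        elif ip in ip_to_mac and ip_to_mac[ip] != mac:
            # The IP's binding moved to another NIC mid-session.
            alerts.append("%s %s changed from %s to %s" % (ts, ip, ip_to_mac[ip], mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append("%s answers for multiple IPs: %s" % (mac, ", ".join(sorted(ips))))
    return alerts

def demo():
    return detect(ARP_LOG, trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
```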


Man-in-the-Middle Attacks
● An attack where the attacker secretly relays and
possibly alters the communication between two parties
who believe they are directly communicating with each
other.
● The attacker may either observe (confidentiality attack)
or alter (integrity attack)

Denial of Service Attacks (DoS)

● Preventing access to resources by users authorized to use those resources.
Attacking system availability.
● May accomplish:
○ Deny access to information, applications, systems, or communications.
○ Bring down a website while the communications and systems continue
to operate.
○ Crash the operating system (a simple reboot may restore the server to
normal operation).
○ Fill the communications channel of a network and prevent access by
authorized users.


Distributed Denial of Service Attacks (DDoS)

● A DoS attack utilizing multiple compromised computer systems as sources of
attack traffic
● Amplifies the concepts of a DoS attack by using multiple computer systems
(often through botnets) to conduct the attack against a single organization

DoS & DDoS – Prevention


● Work with your ISP / network provider
● Border protection / Intrusion Detection & Protection System
● Update Network Appliances, Operating Systems and Applications
● End users’ systems are up-to-date and deploy anti-virus – bot prevention


Amplification Attacks
● The goal of the attacker is to get a response to their
request in a greater than 1:1 ratio so that the additional
bandwidth traffic works to congest and slow the responding
server down.
● The ratio achieved is known as the amplification factor, and high numbers are
possible with UDP-based protocols such as NTP, CharGen, and DNS.
● Usually employed as a part of a DDoS attack

Domain Hijacking /
DNS Poisoning / DNS Spoofing
● AKA Resolution Attacks
● Poisoning: When an attacker alters the
domain-name-to-IP-address mappings in a DNS system
to redirect traffic to a rogue system or perform a DoS attack.
● Spoofing: When an attacker sends false replies to a requesting system in
place of a valid DNS response.

● Protect any internal DNS servers
● Use authoritative DNS sources


Wireless Attacks
● Evil twin: A rogue wireless access point poses
as a legitimate wireless service provider to intercept
information that users transmit
● Rogue AP: Any wireless access point added to your
network that has not been authorized
● Initialization Vector (IV): an arbitrary number that can
be used along with a secret key for data encryption.
This number, also called a nonce, is employed only one
time in any session. If the IV is weak, as in WEP, it may
be reused.
● Jamming: Causing interference with a wireless signal.

PAN Wireless Attacks


● Bluejacking: the sending of unsolicited
messages (think spam) over a Bluetooth
connection

● Bluesnarfing:
○ The gaining of unauthorized access through
a Bluetooth connection
○ Intercepting data through a Bluetooth
connection


Sample question
Of the terms below, which one best describes the type of attack that captures
portions of a session to play back later to convince a host that it continues to
communicate with the original system?

A. IP hijacking
B. Jamming
C. Trojan
D. Replay

Sample question
You have a user call you from a hotel saying there's an issue with your
organization's web site and that it looks like it's been compromised. You check
it from your work and it appears fine. What is a likely cause associated with
the user at the hotel?

A. Logic bomb
B. DNS Poisoning
C. Trojan horse
D. Evil twin
