Difference between revisions of "Social Engineering"

From OWASP
(New page: '''Social Engineering''' '''Definition''' An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning user...)
Line 1: Line 1:
  '''Social Engineering'''
− '''Definition'''
+ ==Definition ==
  An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.
− '''Examples'''
+ 
+ == Examples ==
  Example #1: (Believe it or not, this has worked for some attackers!)
  1. An attacker, posing as a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”
Line 10: Line 11:
  4. System bugs are then exploited to gain complete control of the system.
− '''Countermeasures'''
+ == Countermeasures ==
  – Educate staff
  – Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are
  – Identify security-related transactions that must be done in person
Revision as of 13:49, 19 April 2007

Social Engineering

Definition

An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.


Examples

Example #1: (Believe it or not, this has worked for some attackers!)

1. An attacker, posing as a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”

3. The attacker then logs in as one of the users from over the network.

4. System bugs are then exploited to gain complete control of the system.

Countermeasures

– Educate staff

– Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are

– Identify security-related transactions that must be done in person
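The lure in Example #1 has a recognisable shape that a mail gateway can flag before a user acts on it: a sender claiming an administrative role from a domain real administrators do not use, a body that dictates the exact password to set, and a request to report back. The following is an added illustration, not content from the OWASP page; the trusted domain and both messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_ADMIN_DOMAIN = "it.example.edu"  # assumed: the only domain real administrators mail from
# Someone dictating the new password: "change/set/reset your password to 'xyz123'"
DICTATED_PASSWORD = re.compile(
    r"(?:change|set|reset)\s+your\s+password\s+to\s+[\"'‘“]?([^\s\"'’”.,]+)", re.IGNORECASE)
# A request to report back, which tells the attacker when the account is ready for use
CONFIRM_REQUEST = re.compile(r"notify|let me know|reply|confirm", re.IGNORECASE)
ADMIN_CLAIM = re.compile(r"(?:system|it|network)\s*admin|help\s*desk", re.IGNORECASE)

def analyze(raw_message: str) -> dict:
    """Return the triggered indicators and a verdict for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    header_text = f"{display_name} {msg.get('Subject', '')}"
    indicators = {}
    match = DICTATED_PASSWORD.search(text)
    if match:
        indicators["dictated_password"] = match.group(1)
    if CONFIRM_REQUEST.search(text):
        indicators["asks_for_confirmation"] = True
    claims_admin = ADMIN_CLAIM.search(header_text) or ADMIN_CLAIM.search(text)
    if claims_admin and sender_domain != TRUSTED_ADMIN_DOMAIN:
        indicators["admin_claim_from_untrusted_domain"] = sender_domain
    # A real administrator never dictates the password a user should set, so that
    # signal alone is enough to flag; the other two only raise confidence.
    verdict = "suspicious" if "dictated_password" in indicators else "clean"
    return {"verdict": verdict, "indicators": indicators}

# Constructed samples (not real mail): the lure from Example #1 and a benign reminder.
SAMPLE_LURE = """\
From: "Campus System Administrator" <sysadmin@campus-support.example.net>
To: student@example.edu
Subject: Required password update

Please change your password to 'xyz123' and then notify me when you've completed this.
"""
SAMPLE_NOTICE = """\
From: "IT Help Desk" <helpdesk@it.example.edu>
To: student@example.edu
Subject: Password expiry reminder

Your password expires in 7 days. Choose a new one yourself in the self-service portal.
"""
```

A hit should route the message to the reporting channel the countermeasures above call for, rather than silently dropping it, so staff see what the lure looks like.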