Question

Social Engineering:

Search the Internet and refer to your readings for effective social engineering techniques. Now, suppose you wanted to obtain access to confidential digital information stored on servers at a small local company called InfoLeak, Inc. The company is situated in a small town and has less than 100 employees. Of these 100 employees, only 5 are responsible for information technology and network security. The remaining employees are administrative, sales and research/development. The company is very open and community-friendly, often holding offsite company meetings and gatherings at local bars and restaurants.

Given your knowledge of social engineering, computer security and the general details of InfoLeak, Inc., provide a detailed strategy for obtaining the confidential information.

Answer 1

Social Engineering, with regards to data security, alludes to mental control of individuals into performing activities or unveiling classified or confidential data. A sort of certainty trap with the end goal of data social event, extortion, or framework get to, it contrasts from a conventional "con" in that it is regularly one of many strides in a more mind boggling misrepresentation conspire. The expression "social engineering" as a demonstration of mental control of a human, is additionally connected with the sociologies, yet its use has gotten on among PC and data security experts.Various types of social engineering attacks for obtaining the confidential information from the source(host) are :

1. Baiting: Baiting is the point at which an attacker leaves a malware-contaminated physical gadget, for example, a USB pendrive in a place it is certain to be found. The discoverer at that point grabs the gadget and loads it onto his PC, inadvertently introducing the malware. And in the given example the company is very small (less people to see you), so it won't be a tough job to catch an employee into this bait.

2. Phishing: Phishing is the point at which a malicious party sends a deceitful email masked as a genuine email, frequently implying to be from a trusted source. The message is intended to trap the beneficiary into sharing individual or money related data or tapping on a connection that introduces malware.

In the given example, due to less number of employees, and out of which only 5 are responsible for information technology and Network Security, they lack in giving attention to each and every mail thoroughly and it will be quite easy to trap them by using some official logos and names to pass them through some malicious link for gethering confidential data from their system.

3. Renumeration: implies something for something: An attacker calls arbitrary(random) numbers at an organization, guaranteeing to get back to from specialized help(technical support). In the long run this individual will hit somebody with a serious issue, thankful that somebody is providing back some help to them. The attacker will "help" take care of the issue and, all the while, have the client type commands that give the attacker access to dispatch malware. For implementing this technique you must be good in talking. This was greatly misused 15 years ago.

4. Pretexting: Pretexting is the point at which one gathering misleads another to access advantaged information. For instance, a pretexting trick could include an attacker who claims to require individual or money related information so as to affirm the personality of the beneficiary. This can also be easily done in the above mentioned example, if someone is asking about some company commodity code and all, you'll ask the other employee that time itself (bacause of small organization) and chances will be high that the attacker will get the information he needed. Apart from these, as the company often holding offsite company meeting and gatherings at local bars and restaurants, there can be some chances to lure the company's employee by buying drinks for them and in the process taking out some important information.