
Lab - Social Engineering

Objective
In this lab, you will research examples of social engineering and identify ways to recognize and prevent it.

Resources
• Computer with Internet Access

Step 1: Research Social Engineering Examples


Social engineering, as it relates to information security, is used to describe the techniques used by a person
(or persons) who manipulate people in order to access or compromise information about an organization or its
computer systems. A social engineer is usually difficult to identify and may claim to be a new employee, a
repair person, or researcher. The social engineer might even offer credentials to support that identity. By
gaining trust and asking questions, he or she may be able to piece together enough information to infiltrate an
organization's network.
Use any Internet browser to research incidents of social engineering. Summarize three examples found in
your research.
1. 2015 Ubiquiti Networks Scam
Not all hackers are looking for sensitive information; sometimes they just want cold, hard cash.
2. 2013 Department of Labor Watering Hole Attack
Watering hole attacks are some of the broadest social engineering exploits but also some of the
hardest for cybersecurity professionals to measure in terms of how much information was actually
compromised.
3. 2011 RSA SecurID Phishing Attack
Security firms should be the most secure targets when it comes to any type of information system
attack, but they are also juicy targets that draw more than their fair share of attempts.

Step 2: Recognize the Signs of Social Engineering


Social engineers are nothing more than thieves and spies. Instead of hacking their way into your network via
the Internet, they attempt to gain access by relying on a person’s desire to be accommodating. Although not
specific to network security, the scenario below illustrates how an unsuspecting person can unwittingly give
away confidential information.

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 4

"The cafe was relatively quiet as I, dressed in a suit, sat at an empty table. I placed my briefcase on the
table and waited for a suitable victim. Soon, just such a victim arrived with a friend and sat at the table
next to mine. She placed her bag on the seat beside her, pulling the seat close and keeping her hand on
the bag at all times.
After a few minutes, her friend left to find a restroom. The mark [target] was alone, so I gave Alex and
Jess the signal. Playing a couple, Alex and Jess asked the mark if she would take a picture of them both.
She was happy to do so. She removed her hand from her bag to take the camera and snap a picture of
the “happy couple” and, while distracted, I reached over, took her bag, and locked it inside my briefcase.
My victim had yet to notice her purse was missing as Alex and Jess left the café. Alex then went to a
nearby parking garage.
It didn’t take long for her to realize her bag was gone. She began to panic, looking around frantically. This
was exactly what we were hoping for so, I asked her if she needed help.
She asked me if I had seen anything. I told her I hadn’t but convinced her to sit down and think about
what was in the bag. A phone. Make-up. A little cash. And her credit cards. Bingo!
I asked who she banked with and then told her that I worked for that bank. What a stroke of luck! I
reassured her that everything would be fine, but she would need to cancel her credit card right away. I
called the “help-desk” number, which was actually Alex, and handed my phone to her.
Alex was in a van in the parking garage. On the dashboard, a CD player was playing office noises. He
assured the mark that her card could easily be canceled but, to verify her identity, she needed to enter
her PIN on the keypad of the phone she was using. My phone and my keypad.
When we had her PIN, I left. If we were real thieves, we would have had access to her account via ATM
withdrawals and PIN purchases. Fortunately for her, it was just a TV show."


Source: "Hacking VS Social Engineering" by Christopher Hadnagy, http://www.hackersgarage.com/hacking-vs-social-engineering.html

Remember: "Those who build walls think differently than those who seek to go over, under, around, or
through them." Paul Wilson, The Real Hustle
Research ways to recognize social engineering. Describe three examples found in your research.
1. If Tech Support Calls You, It Might Be a Social Engineering Attack
2. Don't Fall for "Act NOW!" False Urgency Requests
3. Beware of Fear Tactics Such as "Help Me or the Boss Is Going to Be Mad"

Step 3: Research Ways to Prevent Social Engineering


Does your company or school have procedures in place to help to prevent social engineering?
Yes
If so, what are some of those procedures?
1. Calendar of expected vendors. Require that all service engagements and vendors be scheduled on
a centralized calendar. If a vendor shows up and is not on the calendar, standard policy should be for
them to reschedule.
2. Procedure to verify identity. You can create a standard vendor release form that states the nature
of their business, or perhaps require that the internal contact person be available to verify their
identity.
3. Assigning a gatekeeper. If the gatekeeper, such as a security officer or manager, does not notify
the front desk authorizing entrance, then they won’t be let in.
4. Require an escort. When a vendor will be on-site, have someone available to escort that person to
the appropriate location and monitor them as they work.
5. Using visitor badges. Require that all visitors check in upon arrival, and then issue them a visitor’s
badge. Badges can also be color coded for the type of access they are allowed.

Use the Internet to research procedures that other organizations use to prevent social engineers from gaining
access to confidential information. List your findings.

1. Security sponsor. A senior manager, probably board-level, who can provide the necessary authority
to ensure that all staff take the business of security seriously.
2. Security manager. A management-level employee who has responsibility for orchestrating the
development and upkeep of a security policy.
3. IT security officer. A technical staff member who has responsibility for developing the IT
infrastructure and operational security policies and procedures.
4. Facilities security officer. A member of the facilities team who is responsible for developing site and
operational security policies and procedures.
5. Security awareness officer. A management-level member of staff, often from within the human
resources or personnel development department, who is responsible for the development and
execution of security awareness campaigns.
