Lab - Social Engineering

Objective
In this lab, you will research examplesof social engineering and identify ways to recognize and prevent it.

Resources
 Computer with Internet Access

Step 1: Research Social Engineering Examples

Social engineering,as it relates to information security,is used todescribe the techniques used by aperson (or
persons) who manipulate people in order to accessor compromise information about an organization or its
computer systems. A social engineer is usuallydifficult to identifyand may claim to be a new employee, a
repair person, or researcher. The social engineer might even offer credentials to support that identity. By
gaining trust and asking questions, he or she may be able to piece together enough information to infiltrate an
organization's network.
Use any Internet browser to research incidents of social engineering. Summarize three examples found in
your research.
1. 2011 RSA SecurID Phishing Attack
In 2011, one of these attacks bit encryption giant RSA and succeeded in netting hackers
valuable information about the company’s SecurID two-factor authentication fobs.
2. 2015 Ubiquiti Networks Scam
In 2015, Ubiquiti, a specialized manufacturer of wifi hardware and software based in San Jose,
found this out the hard way when their finance department was targeted in a fraud scheme
revolving around employee impersonation.
3. 2013 Department of Labor Watering Hole Attack
In a watering hole attack, cyber criminals set up a website or other resource that appears to be
official and legitimate and wait for victims to come to them. Unless those victims come
forward, it’s hard to know who was snared.

Step 2: Recognize the Signs of Social Engineering

Social engineers are nothing more than thieves and spies. Instead of hacking their way into your network via
the Internet, they attempt to gain access by relying on a person’s desire to be accommodating. Although not
specific to network security, the scenario below illustrates how an unsuspecting person can unwittingly give
away confidential information.
"The cafe was relatively quiet as I, dressed in a suit, sat at an empty table. I placed my briefcase on the
table and waited for a suitable victim. Soon, just such a victim arrived with a friend and sat at the table
next to mine. She placed her bag on the seat beside her, pulling the seat close and keeping her hand on
the bag at all times.
After a few minutes, her friend left to find a restroom. The mark [target] was alone, so I gave Alex and
Jess the signal. Playing a couple, Alex and Jess asked the mark if she would take a picture of them both.
She was happy to do so. She removed her hand from her bag to take the camera and snap a picture of
the “happy couple” and, while distracted, I reached over, took her bag, and locked it inside my briefcase.
My victim had yet to notice her purse was missing as Alex and Jess left the café. Alex then went to a
nearby parking garage.
It didn’t take long for her to realize her bag was gone. She began to panic, looking around frantically. This
was exactly what we were hoping for so, I asked her if she needed help.

© 2019Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 3
Lab Title Only Here - No Numbering

She asked me if I had seen anything. I told her I hadn’t but convinced her to sit down and think about
what was in the bag. A phone. Make-up. A little cash. And her credit cards. Bingo!
I asked who she banked with and then told her that I worked for that bank. What a stroke of luck! I
reassured her that everything would be fine, but she would need to cancel her credit card right away. I
called the “help-desk” number, which was actually Alex, and handed my phone to her.
Alex was in a van in the parking garage. On the dashboard, a CD player was playing office noises. He
assured the mark that her card could easily be canceled but, to verify her identity, she needed to enter
her PIN on the keypad of the phone she was using. My phone and my keypad.
When we had her PIN, I left. If we were real thieves, we would have had access to her account via ATM
withdrawals and PIN purchases. Fortunately for her, it was just a TV show."
"Hacking VS Social Engineering -by Christopher Hadnagy http://www.hackersgarage.com/hacking-vs-
social-engineering.html
Remember: “Those who build walls think differently than those who seek to go over, under, around, or
through them." Paul Wilson - The Real Hustle
Research ways to recognize social engineering.Describe three examples found in your research.
 If Tech Support Calls You, Suspect a Social Engineering Attack
If you receive an unsolicited call from someone claiming to be tech support, this is a huge red flag that you are
likely being set up for a social engineering attack. Tech support has enough incoming calls and doesn't need
to go looking for problems. Hackers and social engineers who claim to be tech support try to obtain
information such as passwords or direct you to visit malware sites so they can infect or take control of your
computer.
 Beware of Unscheduled Inspections
Social engineers often pose as IT inspectors as a pretext. They carry clipboards and wear uniforms to sell
their pretext. Their goal is usually to get access to restricted areas to obtain information or install software
such as keyloggers onto computers within the organization that they are targeting.
 Don't Fall for 'Act Now' False Urgency Requests
The pressure to act quickly may override your ability to stop and think about what is happening. Never make
quick decisions because people you don't know are pressuring you. Tell them they will have to come back
later when you can vet their story, or tell them you will call them back after you have verified their story with a
third party.

Step 3: Research Ways to Prevent Social Engineering

Does your company or school have procedures in place to help to prevent social engineering?
yes
If so, what are some of those procedures?
1. Calendar of expected vendors. Require that all service engagements and vendors be scheduled on
acentralized calendar. If a vendor shows up and is not on the calendar, standard policy should be for them
toreschedule.
2. P rocedure to verify identity. You can create a standard vendor release form that states the nature of
theirbusiness, or perhaps require that the internal contact person be available to verify their identity.
3. Assign ing a gatekeeper. If the gatekeeper, such as a security officer or manager, does not notify the
frontdesk authorizing entrance, then they won’t be let in.
4. Require an escort. When a vendor will be on-site, have someone available to escort that person to
theappropriate location and monitor them as they work.

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 2 of 3
Lab Title Only Here - No Numbering

5. Using visitor badges. Require that all visitors check in upon arrival, and then issue them a visitor’s badge.
Badges can also be color coded for the type of access they are allowed.

Use the Internet to research procedures that other organizations use to prevent social engineers from gaining
access to confidential information.List your findings.
Security sponsor. A senior manager, probably board-level, who can provide the necessary authority
toensure that all staff take the business of security seriously. Security manager. A management-level
employee who has responsibility for orchestrating the development and upkeep of a security policy. ITsecurity
officer. A technical staff member who has responsibility for developing the IT infrastructure andoperational
security policies and procedures. Facilities security officer. A member of the facilities team who is responsible
for developing site and operational security policies and procedures. Security awareness officer. A
management-level member of staff—often from within the human resources or personnel development
department—who is responsible for the development and execution of securityawareness campaigns.

Nama : M. Indra Taruna

Bidang : Cyber Security

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 3 of 3