What Is the Process of Using or Manipulating People to Gain Access to Network Resources?

Psychological manipulation of people into performing actions or divulging confidential information

Definition of Social Engineering in Layman's Terms

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.[1]

It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."[2]

An example of social engineering is the use of the "forgot password" function on most websites which require login. An improperly secured password-recovery system can be used to grant a malicious attacker full access to a user's account, while the original user will lose access to the account.

Information security culture

Employee behavior can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness towards information security within an organization. "Exploring the Relationship between Organizational Culture and Information Security Culture" provides the following definition of information security culture: "ISC is the totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."[3]

Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore organizational information security best interests.[4] Research shows information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change," the authors commented that "it's a never ending process, a cycle of evaluation and change or maintenance." They suggest that to manage information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.[5]

  • Pre-evaluation: to identify the awareness of information security within employees and to analyse current security policy.
  • Strategic planning: to come up with a better awareness program, we need to set clear targets. Clustering people is helpful to achieve it.
  • Operative planning: set a good security culture based on internal communication, management buy-in, and a security awareness and training program.[5]
  • Implementation: four stages should be used to implement the information security culture. They are commitment of the management, communication with organizational members, courses for all organizational members, and commitment of the employees.[5]

Techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[6][7] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed below. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals and technicians to go unnoticed as they steal company secrets.

One example of social engineering is an individual who walks into a building and posts an official-looking announcement to the company bulletin that says the number for the help desk has changed. Then, when employees call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example of social engineering would be that the hacker contacts the target on a social networking site and starts a conversation with the target. Gradually the hacker gains the trust of the target and then uses that trust to get access to sensitive information like passwords or bank account details.[8]

Social engineering relies heavily on the six principles of influence established by Robert Cialdini. Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, scarcity.

Six key principles

Authority

In social engineering, the attacker may pose as an authority figure to increase the likelihood of compliance from the victim.

Intimidation

The attacker (potentially disguised) informs or implies that there will be negative consequences if certain actions are not performed. Consequences could range from subtle intimidation phrases such as "I'll tell your manager" to much worse.

Social proof

People will do things that they see other people are doing. For example, in one experiment[which?], one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were missing. At one point this experiment was aborted, as so many people were looking up that they stopped traffic. See conformity, and the Asch conformity experiments.

Scarcity

Perceived scarcity will generate demand. The common advertising phrase "while supplies last" capitalizes on a sense of scarcity.

Urgency

Linked to scarcity, attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a "limited time only" encourages sales through a sense of urgency.

Familiarity / Liking

People are easily persuaded by other people whom they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing. People were more likely to buy if they liked the person selling it to them. Some of the many biases favoring more attractive people are discussed. See physical attractiveness stereotype.

Four social engineering vectors

Vishing

Vishing, otherwise known as "voice phishing", is the criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.[9] It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organization.

Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN or a credit card number. For example, in 2003, there was a phishing scam in which users received emails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had).[10] By mimicking a legitimate organization's HTML code and logos, it is relatively simple to make a fake website look authentic. The scam tricked some people into thinking that eBay was requiring them to update their account information by clicking on the link provided. By indiscriminately spamming extremely large groups of people, the "phisher" counted on gaining sensitive financial information from the small percentage (yet large number) of recipients who already have eBay accounts and also fall prey to the scam.
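The checks a mail filter or analyst would run over a lure like the eBay message described above, as an added example written for this page (not the article's own code): it flags links whose visible text names one site while the href goes elsewhere, links whose host is a bare IP address, and the pressure language ("verify", "suspended") that phishing relies on. The sample messages and the phrase list are constructed, and the registrable-domain helper is a last-two-labels approximation standing in for a public-suffix list.

```python
"""Inspect an HTML e-mail body for the phishing hallmarks described in the
text: mismatched link text vs. href, raw-IP link hosts, pressure language.
Added example, not from the article; sample messages are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases the article associates with phishing lures (constructed list).
PRESSURE_PHRASES = ("verify", "verification", "suspended", "suspend",
                    "immediately", "within 24 hours")


def registrable_domain(host: str) -> str:
    """Last-two-labels heuristic; assumption: no public-suffix list offline."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email_html(html: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        # 1. A bare IP address as link host: real institutions use hostnames.
        try:
            ipaddress.ip_address(host)
            findings.append(f"link to raw IP address: {href}")
        except ValueError:
            pass
        # 2. Visible text looks like a URL/domain but names a different site.
        m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if m and host and registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"display text '{text}' but href goes to {host}")
    # 3. Pressure language in the stripped-down message text.
    plain = re.sub(r"<[^>]+>", " ", html).lower()
    hits = [p for p in PRESSURE_PHRASES if p in plain]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample modelled on the eBay lure the article describes.
SAMPLE_PHISH = """<html><body><p>Your account will be suspended unless you
verify your credit card within 24 hours.</p>
<a href="http://192.0.2.10/ebay/update">https://www.ebay.com/secure</a>
</body></html>"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """<html><body><p>Your monthly statement is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a>
</body></html>"""

if __name__ == "__main__":
    for finding in analyze_email_html(SAMPLE_PHISH):
        print("!", finding)
    print("benign findings:", analyze_email_html(SAMPLE_BENIGN))
```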

Smishing

The act of using SMS text messaging to lure victims into a specific course of action. Like phishing, it can be clicking on a malicious link or divulging information. Examples are text messages that claim to be from a common carrier (like FedEx) stating a package is in transit, with a link provided.

Impersonation

Pretending or pretexting to be another person with the goal of gaining access physically to a system or building. Impersonation is used in the "SIM swap scam" fraud.

Other concepts

Pretexting

Pretexting (adj. pretextual) is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.[11] An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.[12] As a background, pretexting can be interpreted as the first evolution of social engineering, and continued to develop as social engineering incorporated current-day technologies. Current and past examples of pretexting demonstrate this development.

This technique can be used to fool a business into disclosing customer information as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives.[13] The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators—or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet to create a pretextual scenario.

Vishing

Phone phishing (or "vishing") uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll-free) number provided in order to "verify" information. A typical "vishing" system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.

Spear phishing

Although similar to "phishing", spear phishing is a technique that fraudulently obtains private information by sending highly customized emails to a few end users. This is the main difference from phishing attacks, because phishing campaigns focus on sending out high volumes of generalized emails with the expectation that only a few people will respond. On the other hand, spear-phishing emails require the attacker to perform additional research on their targets in order to "trick" end users into performing requested activities. The success rate of spear-phishing attacks is considerably higher than phishing attacks, with people opening roughly 3% of phishing emails when compared to roughly 70% of spear-phishing attempts. When users actually open the emails, phishing emails have a relatively modest 5% success rate to have the link or attachment clicked when compared to a spear-phishing attack's 50% success rate.[14]

Spear-phishing success is heavily dependent on the amount and quality of OSINT (open-source intelligence) that the attacker can obtain. Social media account activity is one example of a source of OSINT.

Water holing

Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited e-mail, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.[15]

The attacker may set out by identifying a group or individuals to target. The preparation involves gathering information about websites the targets frequently visit from the secure system. The information gathering confirms that the targets visit the websites and that the system allows such visits. The attacker then tests these websites for vulnerabilities to inject code that may infect a visitor's system with malware. The injected code trap and malware may be tailored to the specific target group and the specific systems they use. In time, one or more members of the target group will get infected and the attacker can gain access to the secure system.

Baiting

Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.

For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In any case, merely inserting the disk into a computer installs malware, giving attackers access to the victim's PC and, perhaps, the target company's internal computer network.

Unless computer controls block infections, insertion compromises PCs that "auto-run" media. Hostile devices can also be used.[17] For example, a "lucky winner" is sent a free digital audio player that compromises any computer it is plugged into. A "road apple" (the colloquial term for horse manure, suggesting the device's undesirable nature) is any removable media with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, or USB flash drive, among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential".[18]

One study done in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files on them that linked to webpages owned by the researchers. The researchers were able to see how many of the drives had files on them opened, but not how many were inserted into a computer without having a file opened. Of the 297 drives that were dropped, 290 (98%) of them were picked up and 135 (45%) of them "called home".[19]

Quid pro quo

Quid pro quo means something for something:

  • An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
  • In a 2003 information security survey, 91% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[20] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no attempt to validate the passwords.[21]

Tailgating

An attacker, seeking entry to a restricted area secured by unattended, electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attackers themselves may ask the employee to hold it open for them. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.

Other types

Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.

As of the early 2000s, another type of social engineering technique includes spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo!, Gmail, or Hotmail. Additionally, some spoofing attempts included emails from major online service providers, like PayPal.[22] This led to the "proposed standard" of Sender Policy Framework RFC 7208 dated April 2014, in combination with DMARC, as means to combat spoofing. Among the many motivations for this deception are:

  • Phishing credit-card account numbers and their passwords.
  • Cracking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
  • Cracking websites of companies or organizations and destroying their reputation.
  • Computer virus hoaxes
  • Convincing users to run malicious code within the web browser via a self-XSS attack to allow access to their web account
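How a defender reads the SPF (RFC 7208) and DMARC records named above to judge whether a domain's mail can be spoofed, as an added example not from the article: it parses both record types, checks the SPF "all" qualifier and the 10-DNS-lookup limit that RFC 7208 section 4.6.4 imposes, and checks the DMARC policy tag. The TXT records are constructed stand-ins for what a DNS resolver would return, and the domain names are reserved example names.

```python
"""Evaluate SPF (RFC 7208) and DMARC TXT records for a sending domain.
Added example, not from the article; DNS data below is constructed."""
import re

# Constructed TXT records keyed by DNS name (what a resolver would return).
CONSTRUCTED_DNS = {
    "strong.example":        ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example":          ["v=spf1 a mx ptr include:a.example include:b.example +all"],
    "_dmarc.weak.example":   ["v=DMARC1; p=none; rua=mailto:postmaster@weak.example"],
    "none.example":          ["some unrelated txt record"],
}

# Mechanisms/modifiers that each cost a DNS lookup; RFC 7208 s.4.6.4 caps them at 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(txt_records):
    """Return {'all': qualifier, 'lookups': n}, or None when no single SPF record exists."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:            # zero or multiple records both yield 'permerror'
        return None
    all_qualifier, lookups = None, 0
    for term in spf[0].split()[1:]:
        qualifier, body = "+", term          # RFC 7208: default qualifier is "+"
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt_records):
    """Return the tag=value dict of a DMARC record, or None if absent."""
    for r in txt_records:
        if r.replace(" ", "").lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess_domain(domain, dns=CONSTRUCTED_DNS):
    """Rate how much protection a domain's SPF and DMARC give against spoofing."""
    issues = []
    spf = parse_spf(dns.get(domain, []))
    if spf is None:
        issues.append("no (single) SPF record")
    else:
        if spf["all"] in ("+", None):
            issues.append("SPF ends in +all or lacks 'all': any host may send")
        elif spf["all"] == "?":
            issues.append("SPF '?all' is neutral: no enforcement")
        if spf["lookups"] > 10:
            issues.append("SPF exceeds the 10-lookup limit: evaluates to permerror")
    dmarc = parse_dmarc(dns.get("_dmarc." + domain, []))
    if dmarc is None:
        issues.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            issues.append("DMARC p=none: spoofed mail is only reported, not rejected")
        elif policy == "quarantine" and dmarc.get("pct", "100") != "100":
            issues.append("DMARC quarantine applied to only pct=%s" % dmarc["pct"])
    return {"domain": domain, "spoofable": bool(issues), "issues": issues}


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "none.example"):
        print(assess_domain(d))
```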

Another type is to read sensitive data from unshielded or unprotected displays and input devices, called shoulder surfing.

Countermeasures

Organizations reduce their security risks by:

Training to Employees: Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)

Standard Framework: Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)

Scrutinizing Information: Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)

Security Protocols: Establishing security protocols, policies, and procedures for handling sensitive information.

Event Test: Performing unannounced, periodic tests of the security framework.

Inoculation: Preventing social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.[23]

Review: Reviewing the above steps regularly: no solutions to information integrity are perfect.[24]

Waste Management: Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff. Locating the dumpster either in view of employees so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.[25]

Social engineering life cycle

  1. Information gathering: Information gathering is the first and foremost step of the lifecycle. It requires much patience and keenly watching the habits of the victim. This step gathers information about the victim's interests and personal information. It determines the success rate of the overall attack.
  2. Engaging with victim: After gathering the required amount of information, the attacker opens a conversation with the victim smoothly, without the victim finding anything inappropriate.
  3. Attacking: This step generally occurs after a long period of engaging with the target, and during it information from the target is retrieved by using social engineering. In this phase, the attacker gets the results from the target.
  4. Closing interaction: This is the last step, which includes slowly shutting down the communication by the attacker without arousing any suspicion in the victim. In this way, the motive is fulfilled, and the victim rarely comes to know the attack even happened.[26]

Notable social engineers

Frank Abagnale Jr.

Frank Abagnale Jr. is an American security consultant known for his background as a former con man, check forger, and impostor while he was between the ages of 15 and 21. He became one of the most notorious impostors,[27] claiming to have assumed no fewer than eight identities, including an airline pilot, a physician, a U.S. Bureau of Prisons agent, and a lawyer. Abagnale escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary) before turning 22 years old.[28] The popular Steven Spielberg movie Catch Me If You Can is based on his life.

Kevin Mitnick

Kevin Mitnick is an American computer security consultant, author and hacker, best known for his high-profile 1995 arrest and later five-year conviction for various computer and communications-related crimes.[29]

Susan Headley

Susan Headley was an American hacker active during the late 1970s and early 1980s, widely respected for her expertise in social engineering, pretexting, and psychological subversion.[30] She was known for her specialty in breaking into military computer systems, which often involved going to bed with military personnel and going through their clothing for usernames and passwords while they slept.[31] She became heavily involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles, but later framed them for erasing the system files at US Leasing after a falling out, leading to Mitnick's first conviction. She retired to professional poker.[32]

James Linton

James Linton is a British hacker and social engineer who in 2017 used OSINT and spear phishing techniques to trick a variety of targets over email, including the CEOs of major banks and members of the Trump White House Administration. He then went to work in email security, where he socially engineered BEC (Business Email Compromise) threat actors to collect specific threat intelligence.

Badir Brothers

Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[33][34]

Christopher J. Hadnagy

Christopher J. Hadnagy is an American social engineer and information technology security consultant. He is best known as an author of four books on social engineering and cyber security[35][36][37][38] and founder of Innocent Lives Foundation, an organization that helps track and identify child trafficking using various security techniques such as seeking the assistance of information security specialists, utilizing data from open-source intelligence (OSINT) and collaborating with law enforcement.[39][40]

Law

In common law, pretexting is an invasion of privacy tort of appropriation.[41]

Pretexting of telephone records

In December 2006, the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on 12 January 2007.[42]

Federal legislation

The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.

While the sale of cell phone records has gained significant media attention, and telecommunication records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.[43]

1st Source Information Specialists

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc. A spokeswoman for Madigan's office said the Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suits respectively against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular, filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

Hewlett Packard

Patricia Dunn, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.[44] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought against Dunn were dismissed.[45]

Preventive measures

Taking some precautions reduces the risk of being a victim of social engineering frauds. The precautions that can be taken are as follows:

  • Be aware of offers that seem "too good to be true".
  • Use multifactor authentication.
  • Avoid clicking on attachments from unknown sources.
  • Do not give out personal or financial information (such as credit card information, Social Security Numbers, or bank account information) to anyone via email, phone, or text messages.
  • Use spam filter software.
  • Avoid befriending people that you do not know in real life.
  • Teach kids to contact a trusted adult in case they are being bullied over the internet (cyberbullying) or feel threatened by anything online.[46]

See also

  • Certified Social Engineering Prevention Specialist (CSEPS)
  • Code Shikara – Computer worm
  • Confidence trick – Attempt to defraud a person or group after first gaining their confidence
  • Countermeasure (computer) – Process to reduce a security threat
  • Cyber-HUMINT – Set of skills used by internet hackers
  • Cyberheist
  • Inoculation theory – Explanation of how an attitude or belief can be protected against influence in much the same way a body can be protected against disease
  • Internet Security Awareness Training
  • IT risk – Any risk related to information technology, which may underlie an organization's business processes in varying degrees
  • Media pranks, which often use similar tactics (though usually not for criminal purposes)
  • Penetration test – Method of evaluating computer and network security by simulating a cyber attack
  • Phishing – Act of attempting to acquire sensitive information by posing as a trustworthy entity
  • Physical information security
  • Piggybacking (security)
  • SMS phishing
  • Threat (computer)
  • Voice phishing – Use of social engineering over voice telephony by criminals to convince victims to divulge sensitive information
  • Vulnerability (computing) – Exploitable weakness in a computer system
  • Cyber security awareness

References

  1. Anderson, Ross J. (2008). Security engineering: a guide to building dependable distributed systems (2nd ed.). Indianapolis, IN: Wiley. p. 1040. ISBN 978-0-470-06852-6. Chapter 2, page 17.
  2. "Social Engineering Defined". Security Through Education. Retrieved 3 October 2021.
  3. Lim, Joo S., et al. "Exploring the Relationship between Organizational Culture and Information Security Culture." Australian Information Security Management Conference.
  4. Andersson, D., Reimers, K. and Barretto, C. (March 2014). Post-Secondary Education Network Security: Results of Addressing the End-User Challenge. INTED2014 (International Technology, Education, and Development Conference), 11 March 2014.
  5. Schlienger, Thomas; Teufel, Stephanie (2003). "Information security culture – from analysis to change". South African Computer Journal. 31: 46–52.
  6. Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.
  7. Kirdemir, Baris (2019). "HOSTILE INFLUENCE AND EMERGING COGNITIVE THREATS IN CYBERSPACE". Centre for Economics and Foreign Policy Studies.
  8. Hatfield, Joseph M (June 2019). "Virtuous human hacking: The ethics of social engineering in penetration-testing". Computers & Security. 83: 354–366. doi:10.1016/j.cose.2019.02.012. S2CID 86565713.
  9. Choi, Kwan; Lee, Ju-lak; Chun, Yong-tae (1 May 2017). "Voice phishing fraud and its modus operandi". Security Journal. 30 (2): 454–466. doi:10.1057/sj.2014.49. ISSN 0955-1662. S2CID 154080668.
  10. Austen, Ian (7 March 2005). "On EBay, E-mail Phishers Find a Well-Stocked Pond". The New York Times. ISSN 0362-4331. Retrieved 1 May 2021.
  11. The story of the HP pretexting scandal with discussion is available at Davani, Faraz (14 August 2011). "HP Pretexting Scandal by Faraz Davani". Retrieved 15 August 2011 – via Scribd.
  12. "Pretexting: Your Personal Information Revealed", Federal Trade Commission.
  13. Fagone, Jason (24 November 2015). "The Serial Swatter". The New York Times. Retrieved 25 November 2015.
  14. "The Real Dangers of Spear-Phishing Attacks". FireEye. 2016. Retrieved 9 October 2016.
  15. "Chinese Espionage Campaign Compromises Forbes.com to Target US Defense, Financial Services Companies in Watering Hole Style Attack". invincea.com. 10 February 2015. Retrieved 23 February 2017.
  16. "Archived copy" (PDF). Archived from the original (PDF) on 11 October 2007. Retrieved 2 March 2012.
  17. Conklin, Wm. Arthur; White, Greg; Cothren, Chuck; Davis, Roger; Williams, Dwayne (2015). Principles of Computer Security, Fourth Edition (Official CompTIA Guide). New York: McGraw-Hill Education. pp. 193–194. ISBN 978-0071835978.
  17. ^ Conklin, Wm. Arthur; White, Greg; Cothren, Chuck; Davis, Roger; Williams, Dwayne (2015). Principles of Computer Security, Fourth Edition (Official Comptia Guide). New York: McGraw-Colina Education. pp. 193–194. ISBN978-0071835978.
  18. ^ Raywood, Dan (iv Baronial 2016). "#BHUSA Dropped USB Experiment Detailed". info security . Retrieved 28 July 2017.
  19. ^ Leyden, John (18 April 2003). "Function workers give abroad passwords". The Register . Retrieved eleven April 2012.
  20. ^ "Passwords revealed past sweet deal". BBC News. xx April 2004. Retrieved 11 April 2012.
  21. ^ "Email Spoofing – What it Is, How it Works & More than - Proofpoint United states of america". www.proofpoint.com. 26 February 2021. Retrieved eleven October 2021.
  22. ^ Treglia, J., & Delia, M. (2017). Cyber Security Inoculation. Presented at NYS Cyber Security Briefing, Empire State Plaza Convention Heart, Albany, NY, iii–iv June.
  23. ^ Mitnick, K., & Simon, Due west. (2005). "The Art of Intrusion". Indianapolis, IN: Wiley Publishing.
  24. ^ Allsopp, William. Unauthorised admission: Physical penetration testing for it security teams. Hoboken, NJ: Wiley, 2009. 240–241.
  25. ^ "social technology – GW Information Security Web log". blogs.gwu.edu . Retrieved xviii February 2020.
  26. ^ Salinger, Lawrence M. (2005). Encyclopedia of White-Collar & Corporate Law-breaking. SAGE. ISBN978-0-7619-3004-four.
  27. ^ "How Frank Abagnale Would Swindle You lot". U.Due south. News. 17 December 2019. Archived from the original on 28 April 2013. Retrieved 17 Dec 2019.
  28. ^ "Kevin Mitnick sentenced to nearly four years in prison; computer hacker ordered to pay restitution to victim companies whose systems were compromised" (Press release). United States Chaser's Office, Key District of California. nine August 1999. Archived from the original on 13 June 2013.
  29. ^ "DEF CON Three Archives – Susan Thunder Keynote". DEF CON . Retrieved 12 August 2017.
  30. ^ "Archived re-create". Archived from the original on 17 April 2001. Retrieved 6 Jan 2007. {{cite web}}: CS1 maint: archived copy as championship (link)
  31. ^ Hafner, Katie (August 1995). "Kevin Mitnick, unplugged". Esquire. 124 (2): 80(9).
  32. ^ "Wired 12.02: Three Bullheaded Phreaks". Wired. fourteen June 1999. Retrieved 11 April 2012.
  33. ^ "Social Applied science A Young Hacker'south Tale" (PDF). xv February 2013. Retrieved 13 January 2020.
  34. ^ "43 All-time Social Engineering Books of All Time". BookAuthority . Retrieved 22 January 2020.
  35. ^ \ (31 August 2018). "Bens Book of the Calendar month Review of Social Engineering The Science of Human being Hacking". RSA Briefing . Retrieved 22 Jan 2020. {{cite spider web}}: CS1 maint: numeric names: authors list (link)
  36. ^ "Book Review: Social Engineering: The Scientific discipline of Homo Hacking". The Ethical Hacker Network. 26 July 2018. Retrieved 22 January 2020.
  37. ^ Hadnagy, Christopher; Fincher, Michele (22 Jan 2020). "Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Due east-mails". ISACA . Retrieved 22 January 2020.
  38. ^ "WTVR:"Protect Your Kids from Online Threats"
  39. ^ Larson, Selena (14 August 2017). "Hacker creates organization to unmask child predators". CNN. Retrieved 14 November 2019.
  40. ^ Restatement 2d of Torts § 652C.
  41. ^ "Congress outlaws pretexting". 109th Congress (2005–2006) H.R.4709 – Telephone Records and Privacy Protection Act of 2006. 2007.
  42. ^ Mitnick, K (2002): "The Fine art of Deception", p. 103 Wiley Publishing Ltd: Indianapolis, Indiana; U.s. of America. ISBN 0-471-23712-4
  43. ^ HP chairman: Use of pretexting 'embarrassing' Stephen Shankland, viii September 2006 1:08 PM PDT CNET News.com
  44. ^ "Calif. court drops charges against Dunn". CNET. 14 March 2007. Retrieved 11 April 2012.
  45. ^ "What is Social Applied science | Assail Techniques & Prevention Methods | Imperva". Learning Center . Retrieved 18 Feb 2020.

Further reading

  • Boyington, Gregory. (1990). Baa Baa Black Sheep. Published by Gregory Boyington. ISBN 0-553-26350-1
  • Harley, David. (1998). Re-Floating the Titanic: Dealing with Social Engineering Attacks. EICAR Conference.
  • Laribee, Lena. (June 2006). Development of methodical social engineering taxonomy project. Master's Thesis, Naval Postgraduate School.
  • Leyden, John. (18 April 2003). Office workers give away passwords for a cheap pen. The Register. Retrieved 2004-09-09.
  • Long, Johnny. (2008). No Tech Hacking – A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Published by Syngress Publishing Inc. ISBN 978-1-59749-215-7
  • Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Published by Gower Publishing Ltd. ISBN 0-566-08773-1 or ISBN 978-0-566-08773-8
  • Mitnick, Kevin; Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security Publishing.
  • Mitnick, Kevin; Simon, William L.; Wozniak, Steve. (2002). The Art of Deception: Controlling the Human Element of Security. Published by Wiley. ISBN 0-471-23712-4 or ISBN 0-7645-4280-X
  • Hadnagy, Christopher. (2011). Social Engineering: The Art of Human Hacking. Published by Wiley. ISBN 0-470-63953-9
  • N.J. Evans. (2009). "Information Technology Social Engineering: An Academic Definition and Study of Social Engineering – Analyzing the Human Firewall." Graduate Theses and Dissertations. 10709. https://lib.dr.iastate.edu/etd/10709
  • Z. Wang, L. Sun and H. Zhu. (2020). "Defining Social Engineering in Cybersecurity," in IEEE Access, vol. 8, pp. 85094–85115, doi: 10.1109/ACCESS.2020.2992807.

External links

  • Social Engineering Fundamentals – Securityfocus.com. Retrieved 3 August 2009.
  • "Social Engineering, the USB Way". Light Reading Inc. 7 June 2006. Archived from the original on 13 July 2006. Retrieved 23 April 2014.
  • Should Social Engineering be a part of Penetration Testing? – Darknet.org.uk. Retrieved 3 August 2009.
  • "Protecting Consumers' Phone Records", Electronic Privacy Information Center, US Committee on Commerce, Science, and Transportation. Retrieved 8 February 2006.
  • Plotkin, Hal. Memo to the Press: Pretexting is Already Illegal. Retrieved 9 September 2006.

Source: https://en.wikipedia.org/wiki/Social_engineering_(security)