The Seven Deadly Social Engineering Vices
By Stu Sjouwerman, for KnowBe4.com Security Awareness Training
You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones that have the highest success rates, often approaching 100%. What is the secret of these attacks, how come they succeed so well?
Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people that always looks like they are bored with life and then at the bottom are those who just don’t care and basically are in apathy about everything.
Successful social engineers first determine where their target is on this scale, and then select an attack that will have the highest degree of success with that person, trying to closely match their target’s look on life.
This scale of vices can be approached from either a negative or positive side. You can either call it gullibility or you can call it trust, call it greed or self-interest, but since we’re talking vices here we’ll stick to the negative labels.
Here are seven social engineering attacks that I hope are a good example of each one of the deadly vices, but note there is always overlap and things are not that clear-cut. We are dealing with humans after all!
The attacker left a USB stick next to the washing basin in the restroom of the floor that had the executive offices and their administrative assistants. It was clearly marked ‘Q1 Salary Updates’. The USB drive had modified malware on it that installed itself and called home from any workstation it was plugged into. This attack was 90% effective.
The attacker focused in on the CEO of his target company. He did his research, found the CEO had a relative battling cancer and was active in an anti-cancer charity. The attacker spoofed someone from the charity, asked the CEO for his feedback on a fund-raising campaign and attached an infected PDF. Mission achieved, the CEO’s PC was owned and the network followed shortly after. And of course holding the door open for a stranger with his hands full of boxes is a classic ‘Courtesy’ piggybacking example that we all know.
This excerpt appears with permission from knowbe4.com.
399 total views, 2 views today