From the course: Ethical Hacking: Social Engineering

Visualizing the victim

- [Instructor] Before launching a social engineering attack, the malicious actor must identify a target and then trick someone into giving them what they want by preying on basic human nature. In an organization, the social engineer will take advantage of the very characteristics that make us good employees, characteristics such as being helpful. We train our employees to ensure customer satisfaction. As a result, employees want to be helpful, which can lead to giving away too much information. We also want them to provide timely responses in order to avoid getting into trouble. For example, someone may have reprimanded an employee at some point for waiting too long for verification and offending someone. Therefore, an employee might provide information without ensuring source authentication.

Malicious actors also prey on our trusting nature. Most social engineers are extremely confident in their behavior, and if someone tells an individual that they're a certain person and appears genuine, there's a tendency to believe that person's word. In addition, social engineering works with some not-so-great qualities, such as someone taking shortcuts and cutting corners instead of validating someone's identity. They may just accept someone's word and give them what they want, and then go back to doing what they were doing before someone interrupted them.

In order to conduct an effective social engineering attack, the malicious actor must identify a potential victim. The exercise then goes through a process, starting with reconnaissance, establishing trust, exploiting that trust, and then departure. The malicious actor has various techniques that they can use to gain access to a building or system. For example, when trying to gain access to a building, they can try tailgating. Now, this is when an unauthorized person follows an authorized individual into a secured location without the knowledge of the authorized individual. Somewhat related is piggybacking. Now, this is when an unauthorized person follows an authorized individual into a secured location with the knowledge of the authorized individual. The individual many times will allow someone to follow them, as they assume that the person has a legitimate reason for entering the location, such as a pizza delivery person.

But what if no one is entering the building? For example, if a malicious actor needs to gain access into a building, they first try to find a target like this custodian. The malicious actor will check out the custodian and determine that they would be a good target. To really sell the scene, they might go to a nearby door and attempt to open it. They can even pretend to try to find their access card. A talented social engineer will get what they want without raising any suspicion. A social engineering exploit may very well lead to a major security breach. Protect yourself: train employees to validate someone's identity, as identification without authorization is dangerous.