Attack
the action taken by a social engineer to gather trophies and other sensitive information from an organization
Auto-Reply
a technique used by email users to notify those who contact them of their whereabouts - often used by the social engineer to impersonate those who are out of touch for a period of time
Back Door
an alternate means of accessing private systems that does not involve going through public areas - typical with PBX systems
Baseline
a starting point - the state of your security posture when RocketReady begins working with your organization - all progress your organization makes is measured against the baseline
Breach
a loss of information - usually results in public humiliation, fines, and loss of productivity
Building Block
a seemingly innocuous piece of data that is combined with other bits of data to help the social engineer build an attack
Caller ID Spoofing
using a program or device to change the caller ID display of the phone call - usually used by social engineers to make their incoming calls appear to belong to the organization they are attacking
Casing
studying an organization from a distance - used by social engineers prior to attempting to gain physical access to an organization
Conference Call Crashing
participating in a conference call to steal information - done to gain an understanding of how the organization operates and to learn private organization information
Cracker
a hacker with malicious intent
Culture of Security
an organization-wide understanding of security concerns, roles, and responsibilities - a commitment by personnel to carry out their security responsibilities
Deception
using fraudulent means to gather sensitive information - posing as a legitimate person
Dumpster Diving
raiding trash cans and dumpsters in order to steal sensitive information - usually in the form of documents or hard drives
Earwigging
influencing someone by tirelessly talking to them
Eavesdropping
listening to a victim's private conversations - usually done in a public place
Ethical Hacking
performing an assessment of your organization to understand where your vulnerabilities are
Exploitation
the process of using fraudulently obtained information or ingratiation into the organization in order to misuse assets or data
Fax Machine
a place where a large number of sensitive documents sit unattended - one of the first places a social engineer will look once inside your facility
Google Hacking
using search engines, such as Google, to uncover information about an individual or an organization
Hacker
a person, typically with expertise in technology and programming, who breaks into computer systems using various means, including social engineering - not all hackers have malicious intent
Human Firewall
your employees - one of the two ways to stop malicious intruders from accessing your network
Identity Theft
stealing sensitive information about a person in order to impersonate them - this might be done for financial or criminal reasons
Impact
the significance of the consequence when a vulnerability is exploited
Infiltration
the process of gaining access to unauthorized systems or areas by using false identities or stolen credentials - additionally it refers to the use of physical vicinity to gain sensitive information (such as through eavesdropping or shoulder surfing)
Information Security
the protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional
Insider
a malicious employee who will use their access along with social engineering techniques to gain sensitive information
Intrusion Detection System (IDS)
a set of devices and software that work together to detect unwanted activity - the RocketReady social engineering IDS detects malicious activity via Messaging/Email, Phone/PBX, and Facility access
IP Address
the exact location of a computer or server on the Internet
Mail Room
a place where a large number of sensitive documents sit unattended - one of the first places a social engineer will look once inside your facility
Malicious
with intent to do harm - social engineers always intend to harm the organization, usually for profit
Malware
malicious software, such as a virus, worm, or Trojan horse which is designed to damage or hijack your computers or network
Manipulation
directly causing employees of the organization to give up sensitive information - usually done through pretext calls or email phishing
Mark
the victim the social engineer has chosen to attack
Organizational Structure
used to learn the names and titles of employees, the relationships between employees, and different divisions / departments within the organization
Outlook Web Access (OWA) aka Webmail
a coveted trophy for the social engineer as access to OWA yields much sensitive information
Phishing
sending fraudulent emails that appear to come from a legitimate source in an attempt to get people to give up sensitive information or visit a fraudulent web site where it can be collected
Phone Attack
the use of the phone call or the phone system to gain sensitive information
Piggybacking
connecting to a network without explicit authorization
Policies and Procedures
a description of the standard way of operating - should thoroughly address the threat of social engineering in all relevant policies, such as those dealing with user authentication
Portable Electronic Devices
laptops, cell phones, PDAs, USB drives, and other devices that are used to work away from the office - often house sensitive information that is susceptible to loss if the device is lost or stolen
Pretexting
occurs when the social engineer uses a fake identity and makes a phone call to a victim - the goal is to convince the victim to give up sensitive information
Printer
a place where a large number of sensitive documents sit unattended - one of the first places a social engineer will look once inside your facility
Private Branch Exchange (PBX)
the type of phone system used by most large corporations - used by the social engineer to troll for information and set up fraudulent mailboxes
Raiding
physically stealing items that provide information - raiding can occur at an employee's desk, the fax machines/printers, or the mailroom
Risk
an organization's exposure to loss or damage
Road Apple
an external device (such as a CD or USB key) that is infected with malware - curiosity drives the victim to load the device onto their computer thus unleashing the malware
Security Awareness
understanding the threats you face and how to deal with them
Shoulder Surfing
viewing an employee's papers, monitor, or laptop screen without them knowing
Social Engineering
a collection of malicious techniques used to manipulate people into performing actions or divulging confidential information
Tailgating
following an employee through a secure entry point - typically done in a place where employees collect such as a smoking area or parking area
Target
the victim the social engineer has chosen to attack
Threat
an entity or individual that has the potential to cause harm to information, systems, or reputation
Trophy
a large piece of sensitive information the social engineer is after
Username and Password
two simple pieces of information that can help a social engineer gain "legitimate" access to your network - usernames are usually standardized company-wide, passwords are usually weak, and often given up for very little
Virtual Private Network (VPN)
allows users to access the company network remotely - once a social engineer obtains the procedures to access the VPN they can perform their attacks from any location
Vishing
using email or phone to convince the victim to contact a phone number where the victim is prompted to enter sensitive information via the keypad - the crook is able to capture this information (credit card numbers, account numbers, date of birth, etc.)
Voicemail Attack
exploring the organization's phone system for valuable information - setting up a fraudulent voicemail box
Voicemail Greeting
the information we leave for callers - typically with alternate contact and scheduling information - used by social engineers to impersonate employees who are out of town
Vulnerability
a weakness in the system, organization, or procedure that can be exploited to cause harm
Wardriving
searching for wireless networks from a moving vehicle
Website Spoofing
creating a fraudulent website that looks and feels like a legitimate site - typically designed to look like an organization's internal sites and used in conjunction with phishing emails
Wetware
an employee's mind, logic, and reasoning abilities - this is what is hacked by social engineers
Zero Knowledge Assessment
performing an audit of the organization with no prior knowledge of the organization's policies, internal operations, personnel, vendors, etc.