Social Engineering – N10-008 CompTIA Network+ : 4.2

Attackers often use social engineering to gain access to a physical building or confidential data. In this video, you’ll learn about phishing, tailgating, piggybacking, and shoulder surfing.


If you’ve ever received an email or text message urging you to visit a website and enter credentials, you may have been the target of phishing. The link appears to lead to a legitimate page where you would enter your email address and password, but in reality it takes you to the attacker’s site, which is built to look like the real one and collects whatever you type. So you always want to check the URL you are actually visiting, not just the text of the link.
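Checking the URL means more than glancing at it: attackers put a trusted name in front of an `@`, in a subdomain of an unrelated domain, or in a punycode lookalike, and the visible link text often names a different host than the href behind it. The following is an added example, not code from the video, that applies those checks to a link. The trusted-domain allowlist (`example.com`), every sample URL and the helper names are constructed for this example, and the registrable-domain logic is deliberately simplified.

```python
"""Check a link for common credential-phishing tricks.

Added example, not code from the video: given the text a message shows for
a link and the real href behind it, return the reasons the link deserves a
second look before anyone types a password into it.  The trusted-domain
list and every sample URL are constructed for this example; the registrable
domain logic is a simplification (see registrable_domain).
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the domains whose login pages this user actually uses.
TRUSTED_DOMAINS = {"example.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the host's last two labels.

    Sufficient for the examples here.  Real code should consult the public
    suffix list so that hosts such as 'login.example.co.uk' are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text: str) -> str:
    """Extract a hostname from link text, or '' if the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return ""
    if "://" not in text:
        text = "https://" + text
    return (urlsplit(text).hostname or "").lower()


def analyze_link(display_text: str, href: str) -> list[str]:
    """Return human-readable reasons a link looks like phishing.

    An empty list means none of these checks fired, not that the link is safe.
    """
    reasons = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("login link is not HTTPS")

    # https://example.com@evil.net/ : browsers ignore everything before '@'
    if parts.username is not None:
        reasons.append(f"userinfo {parts.username!r} before '@' hides the real host {host!r}")

    # Legitimate login pages are almost never served from a bare IP address
    try:
        ipaddress.ip_address(host)
        reasons.append(f"host is a bare IP address {host!r}")
    except ValueError:
        pass

    # Punycode labels can render as Unicode lookalikes of a trusted name
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("host contains punycode (possible homograph)")

    # A trusted brand name used as a subdomain of an unrelated domain
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in host and reg != trusted:
            reasons.append(f"{brand!r} appears in host but registrable domain is {reg!r}")
            break

    # The visible link text names a trusted site while the href goes elsewhere
    shown_host = host_of(display_text)
    if shown_host and registrable_domain(shown_host) in TRUSTED_DOMAINS \
            and reg not in TRUSTED_DOMAINS:
        reasons.append(f"link text shows {shown_host!r} but href goes to {host!r}")

    return reasons


if __name__ == "__main__":
    # Constructed samples: one legitimate link and three phishing-style ones
    for shown, href in [
        ("https://example.com/login", "https://example.com/login"),
        ("https://example.com/login", "http://example.com@203.0.113.5/login"),
        ("Reset your password", "https://example.com.login-verify.net/"),
        ("example.com", "https://xn--exmple-cua.com/"),
    ]:
        print(href, "->", analyze_link(shown, href) or ["no findings"])
```

Each finding is a reason to stop, not proof of phishing, and an empty result only means these particular tricks were not used; the domain check in particular should use the public suffix list in real code rather than the two-label shortcut shown here.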

But a better practice is not to click links that arrive in an email or text message at all; open the site from a bookmark or by typing the address yourself. You may also notice, on one of these fraudulent sites, that something is not quite right about the text, the graphics, or another part of the page. If we look at this landing page that I was given in a phishing email, you can see that the logo image isn’t quite right, which should raise some concern that you may not be on the legitimate web page.

In fact, the actual web page for logging into webmail on Rackspace now looks quite different from their older pages, so you can see the difference immediately: the legitimate page is on the right, and the phishing page is on the left.

Another concern is the security of your place of business. We want to be sure that only authorized people can get into the building, so you always want to be watching for tailgating.

Tailgating is when an unauthorized person follows an authorized person through a door that is normally locked. The person following does not have your consent to enter the building; they are hoping to slip through while the door is still open and nobody is looking.

Similar to tailgating is piggybacking. With piggybacking, the person coming in behind you is someone you know, and you are deliberately letting them in through the door behind you, but they are not using any credentials or access card to gain that access. Maybe their hands are full because they’re holding a box, and they ask someone else to hold the door because they have no way to pull out their badge.

We want to be nice and polite and let these people in, but it’s more important to check that they are actually allowed into the building. The challenge, of course, is that once you’re inside that locked door, most organizations let you roam relatively freely. The security at the front door is therefore paramount, so you want to be sure that only authorized persons come through it.

There should be a specific policy for visitors: they may have to wear a visitor badge, or they may have to be escorted everywhere they go in the building. You might also require that everyone passing through a door scans in individually, even when a colleague has already opened it. This can be a policy that people are expected to follow at an ordinary door, or it can be enforced by a door that does not admit anyone who has not scanned in.
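If the policy is that everyone scans in, the door controller’s logs let you check whether that is actually happening. The following is an added example, not from the video, that correlates badge reads with door-contact events and flags two tailgating indicators: a door that opened with no recent badge read, and a door held open long enough for several people to pass. The log format, door name, badge numbers and thresholds are all constructed for this example; real controllers use their own formats and also report request-to-exit and forced-door events, which this example leaves out.

```python
"""Detect tailgating indicators in door-controller logs.

Added example, not code from the video.  If policy says everyone scans in,
the badge reader and door-contact events let you spot doors that opened
without a badge read, or were held open long enough for several people to
pass.  Log format, door name, badge numbers and thresholds are constructed
for this example; real controllers have their own formats and event types.
"""
from datetime import datetime, timezone

MAX_BADGE_TO_OPEN_S = 10   # a badge read must precede the open within this window
MAX_HELD_OPEN_S = 20       # longer than this suggests more than one person passed

# Constructed sample log: one clean entry, one door held open, one open with no read.
SAMPLE_LOG = """\
2024-05-03T08:01:02Z door=LOBBY-1 event=BADGE_OK badge=1042
2024-05-03T08:01:04Z door=LOBBY-1 event=DOOR_OPEN
2024-05-03T08:01:09Z door=LOBBY-1 event=DOOR_CLOSE
2024-05-03T08:01:30Z door=LOBBY-1 event=BADGE_OK badge=2077
2024-05-03T08:01:31Z door=LOBBY-1 event=DOOR_OPEN
2024-05-03T08:01:58Z door=LOBBY-1 event=DOOR_CLOSE
2024-05-03T12:15:00Z door=LOBBY-1 event=DOOR_OPEN
2024-05-03T12:15:03Z door=LOBBY-1 event=DOOR_CLOSE
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_tailgating(log_text: str) -> list[dict]:
    """Return one alert dict per suspicious door cycle, in log order."""
    alerts = []
    last_badge = {}   # door -> (ts, badge id) of the most recent unused successful read
    opened_at = {}    # door -> (ts, badge id) of the current DOOR_OPEN
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        door, ts = ev["door"], ev["ts"]
        if ev["event"] == "BADGE_OK":
            last_badge[door] = (ts, ev.get("badge"))
        elif ev["event"] == "DOOR_OPEN":
            badge = last_badge.pop(door, None)   # a read authorizes exactly one open
            if badge is None or (ts - badge[0]).total_seconds() > MAX_BADGE_TO_OPEN_S:
                alerts.append({"door": door, "ts": ts, "kind": "open_without_badge",
                               "badge": None})
                badge = None
            opened_at[door] = (ts, badge[1] if badge else None)
        elif ev["event"] == "DOOR_CLOSE" and door in opened_at:
            opened, badge_id = opened_at.pop(door)
            held = (ts - opened).total_seconds()
            if held > MAX_HELD_OPEN_S:
                alerts.append({"door": door, "ts": ts, "kind": "held_open",
                               "seconds": held, "badge": badge_id})
    return alerts


if __name__ == "__main__":
    for alert in find_tailgating(SAMPLE_LOG):
        print(alert)
```

The first flagged cycle names the badge holder (2077) who opened the door and held it, which is who a security team would follow up with; the second has no badge at all, which points to a door propped from inside or a failed reader. Logs only tell you after the fact, so a door that physically admits only one person per scan enforces the policy rather than just auditing it.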

That kind of door is an access control vestibule, which some people refer to as an airlock (or, by its older name, a mantrap): a pair of interlocked doors through which only one person can pass at a time. And if you see someone inside your building who has neither a visitor badge nor an employee badge, you should always ask who they are, what they’re doing, and whether they’re authorized to be in that area.

During our normal workday, we may have things on our screens that contain sensitive information, and we want to be sure that only authorized users can see it. If someone walks past your office or looks at your monitor while that information is displayed, they may be viewing information you did not intend for them to see. Although this shoulder surfing is easy to do inside your office, it’s just as easy outside it. In a coffee shop or an airport, you can see how easy it is to read the laptop screens of the people around you.

In cities where buildings are very close together, it’s remarkable how much of someone else’s screen you can see from across the way with binoculars or a telescope. There is also malware that, once installed on a system, lets the attacker capture what’s on your screen from anywhere in the world. To prevent shoulder surfing, always be aware of your surroundings and know who may be walking by at any particular time.

If you’re in a busy area like an airport, or you’re on a flight, consider using a privacy filter. This particular laptop has one fitted: even from the seat right next to it, the screen looks completely black, and only the person directly in front of the screen can see what is displayed.

If you’re near a window in a city, make sure your monitor can’t be viewed from that window, and likewise from a hallway. Always be aware of what information is on your screen, where you happen to be, and who might be able to see it. With a few very simple techniques, you can prevent most shoulder surfing.