Career Relevancy

Social engineering is the art of convincing people to reveal confidential information. Social engineers depend on the fact that people know certain valuable information yet are generally careless in protecting it. System hacking is the art of gaining access to a network and escalating privileges once inside the network. The system hacker will then execute applications by installing malicious programs.

Background:

You have likely heard of the term “social engineering” before. This term refers to the act of coercing people into certain actions based on their perception of certain media, messages, or other tools. In the world of network security, this term refers directly to the tactics hackers may use to get users to willingly hand over information without ever being suspicious that they are being preyed upon. These often come in the form of emails with sender names that the user may recognize (though the originator of the email is not a friend or coworker), suspicious links that are passed off as legitimate, or other types of engagement where users enter sensitive information with the expectation that the receiver is a secure, safe source. In actuality, the hacker can capture valuable information with this method, gaining access to the inner workings of a network with the credentials given to them by the user.

There is no single security mechanism that can protect from social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize attackers’ chances of success. Before going ahead with this module, let’s first discuss various social engineering concepts.

Prior to performing social engineering attack, an attacker gathers information about the target organization from various sources such as official websites of the target organizations where employee IDs, names, and email addresses are shared. An attacker may also use advertisements of the target organization through the type of print media required for high-tech workers trained in Oracle databases or UNIX servers. Lastly, blogs, forums, etc. where employees share basic personal and organizational information can also be a gold mine for an attacker.

After gathering information, an attacker executes a social engineering attack using approaches such as impersonation, piggybacking, tailgating, reverse social engineering, and others.

Social engineering is an art of manipulating people to divulge sensitive information to perform some malicious action. Despite security policies, attackers can compromise an organization’s sensitive information using social engineering as it targets the weakness of people. Most often, employees are not even aware of a security lapse on their part and reveal the organization’s critical information inadvertently.

To succeed, attackers take a special interest in cultivating social engineering skills that appear innocuous to users. Their success lies in how well they can convince unsuspecting users that there is no threat. Attackers always look for new ways to access information. They also ensure that they know the organization’s perimeter and the people on the perimeter. For example, security guards, receptionists, and help-desk workers to exploit human oversight.

People have conditioned themselves not to be overly suspicious and they associate certain behavior and appearances with known entities. For instance, a man in a uniform carrying a pile of packages for delivery will be considered a delivery person. With the help of social engineering tricks, attackers succeed in obtaining confidential information, authorization and access details of people by deceiving and manipulating human vulnerability.

System Hacking Concepts

An attacker first obtains information during the footprinting, scanning, and enumeration phases, which they then use to exploit the target system. There are three steps in the CEH Hacking Methodology (CHM):

First is gaining access. This involves gaining access to low-privileged user accounts by cracking passwords through techniques such as brute-forcing, password guessing, and social engineering, and then escalating their privileges to administrative levels, to perform a protected operation.

After successfully gaining access to the target system, attackers work to maintain high levels of access to perform malicious activities such as executing malicious applications and stealing, hiding, or tampering with sensitive system files.

Lastly, in order to maintain future system access, attackers attempt to avoid recognition by legitimate system users. To remain undetected, attackers wipe out the entries corresponding to their activities in the system log, thus avoiding detection by users.

Every criminal has a specific goal they want to achieve. Likewise, attackers can have certain goals behind their system attacks. In system hacking, the attacker first tries to gain access to a target system using information obtained and loopholes found in the system’s access control mechanism. Once attackers succeed in gaining access to the system, they are free to perform malicious activities such as stealing sensitive data, implementing a sniffer to capture network traffic, and infecting the system with malware. At this stage, attackers use techniques such as password cracking and social engineering tactics to gain access to the target system.

After gaining access to a system using an account with few privileges, attackers may then try to increase their administrator privileges to perform protected system operations, so that they can proceed to the next level of the system hacking phase: executing applications. Attackers exploit known system vulnerabilities to escalate user privileges.

Once attackers have administrator privileges, they attempt to install malicious programs such as Trojans, backdoors, rootkits, and keyloggers, which grant them remote system access, thereby enabling them to execute malicious codes remotely. Installing rootkits allows them to gain access at the operating system level to perform malicious activities. To maintain access for use at a later date, they may install backdoors.

Attackers use rootkits and steganography techniques to attempt to hide the malicious files they install on the system, and thus their activities. To remain undetected, it is important for attackers to erase all evidence of security compromise from the system. To achieve this, they might modify or delete logs in the system using certain log-wiping utilities, thus removing all evidence of their presence.

Prompt

Considering the proliferation of social engineering, should companies have the authority to limit or deny usage of personal items in the workplace? Explain your answer.

Your initial and reply posts should work to develop a group understanding of this topic. Challenge each other. Build on each other. Always be respectful but discuss this and figure it out together.

Institution Writing Guidelines 300-400 LVL

Purpose: The Institution Writing Guidelines (IWG) exist to simplify student writing requirements and instructor grading, clarify and standardize writing expectations, focus instructor grading and student effort on content, and gradually introduce students to more complex and restrictive writing guidelines over time.

Below you will find the detailed information for your 300 and 400 level courses:

· Formatting (Specific to 300-400 level courses)

· Grammar/Spelling

· Sources (Specific to 300-400 level courses)

· Plagiarism

Formatting

· The top of the paper needs:

· Student name

· Date of submission or writing

· Course name

· Title of the paper

· It is recommended the paper identification information be placed at the top right. What matters is the information is present. Example:

· The paper should be set with one-inch margins all around

· 12-point font sans serif or serif, no decorative fonts. Recommended—but not mandatory—fonts include: Serif family (Times New Roman, Book Antiqua, Minion Pro), Sans Serif family (Calibri, Arial, Verdana)

· Double spacing lines is required

Grammar/Spelling

· General spelling, grammar, and punctuation expectations apply. The focus of the writing must address the issues raised by the prompt, emphasized in the rubric, and the learning objective(s) covered by the writing task

· The serial comma is expected (example: word, word, word, and word)

· Double-spacing after sentences is discouraged

Sources

· Students are expected to use citations, including in-text citations as needed. The guidelines are:

· In Text

· The Author, Year, page number (for quotes) format. Ex: (Doe, 2016, pp. 23-25)

· Sentence punctuation follows the in-text citation

· Reference Citation

· Example 1: Martinez, A. (2016). The way things should be. Harper.

· Example 2: Martinez. (2016). The way things should be. Retrieved, March 4, 2018, from

https://worldswisdom.com

· References are not to be graded on punctuation, italics, inclusion of initials, date format, etc. Grading for references will focus on the required basic elements not the presentation of the elements.

· Rubrics will be followed and the focus remains on content, not style

Plagiarism

Plagiarism is not acceptable. Instructors should follow the academic policy on plagiarism. Egregious examples of plagiarism or repetitive plagiarism will be referred to the student’s dean for additional evaluation.