Social engineering (security)

Psychological manipulation of people into performing actions or divulging confidential information

In the context of information security, social engineering is the psychological manipulation of people into performing actions or divulging confidential information. This differs from social engineering within the social sciences, which does not concern the divulging of confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme.[1]

It has also been defined as "any act that influences a person to take an action that may or may not be in their best interests."[2]

An example of social engineering is the use of the "forgot password" function on most websites which require login. An improperly secured password-recovery system can be used to grant a malicious attacker full access to a user's account, while the original user will lose access to the account.

Information security culture

Employee behaviour can have a big impact on information security in organizations. Cultural concepts can help different segments of the organization work effectively or work against effectiveness towards information security within an organization. "Exploring the Relationship between Organizational Culture and Information Security Culture" provides the following definition of information security culture: "ISC is the totality of patterns of behavior in an organization that contribute to the protection of information of all kinds."[3]

Andersson and Reimers (2014) found that employees often do not see themselves as part of the organization's information security "effort" and often take actions that ignore organizational information security best interests.[4] Research shows that information security culture needs to be improved continuously. In "Information Security Culture from Analysis to Change," the authors commented that "it's a never ending process, a cycle of evaluation and change or maintenance." They suggest that to manage information security culture, five steps should be taken: pre-evaluation, strategic planning, operative planning, implementation, and post-evaluation.[5]

  • Pre-Evaluation: to identify the awareness of information security within employees and to analyse the current security policy.
  • Strategic Planning: to come up with a better awareness program, clear targets need to be set. Clustering people is helpful to achieve it.
  • Operative Planning: set a good security culture based on internal communication, management buy-in, and a security awareness and training program.[5]
  • Implementation: four stages should be used to implement the information security culture. They are commitment of the management, communication with organizational members, courses for all organizational members, and commitment of the employees.[5]

Techniques and terms

All social engineering techniques are based on specific attributes of human decision-making known as cognitive biases.[6][7] These biases, sometimes called "bugs in the human hardware," are exploited in various combinations to create attack techniques, some of which are listed below. The attacks used in social engineering can be used to steal employees' confidential information. The most common type of social engineering happens over the phone. Other examples of social engineering attacks are criminals posing as exterminators, fire marshals and technicians to go unnoticed as they steal company secrets.

One example of social engineering is an individual who walks into a building and posts an official-looking announcement on the company bulletin board that says the number for the help desk has changed. Then, when employees call for help, the individual asks them for their passwords and IDs, thereby gaining the ability to access the company's private information. Another example of social engineering would be that the hacker contacts the target on a social networking site and starts a conversation with the target. Gradually the hacker gains the trust of the target and then uses that trust to get access to sensitive information like passwords or bank account details.[8]

Social engineering relies heavily on the six principles of influence established by Robert Cialdini. Cialdini's theory of influence is based on six key principles: reciprocity, commitment and consistency, social proof, authority, liking, scarcity.

Six key principles

Authority

In social engineering, the attacker may pose as authority to increase the likelihood of adherence from the victim.

Intimidation

The attacker (potentially disguised) informs or implies that there will be negative consequences if certain actions are not performed. Consequences could range from subtle intimidation phrases such as "I'll tell your manager" to much worse.

Social proof

People will do things that they see other people are doing. For example, in one experiment[which?], one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were missing. At one point this experiment was aborted, as so many people were looking up that they stopped traffic. See conformity, and the Asch conformity experiments.

Scarcity

Perceived scarcity will generate demand. The common advertising phrase "while supplies last" capitalizes on a sense of scarcity.

Urgency

Linked to scarcity, attackers use urgency as a time-based psychological principle of social engineering. For example, saying offers are available for a "limited time only" encourages sales through a sense of urgency.

Familiarity / Liking

People are easily persuaded by other people whom they like. Cialdini cites the marketing of Tupperware in what might now be called viral marketing. People were more likely to buy if they liked the person selling it to them. Some of the many biases favoring more attractive people are discussed. See physical attractiveness stereotype.


Vishing

Vishing, otherwise known as "voice phishing", is the criminal practice of using social engineering over a telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.[9] It is also employed by attackers for reconnaissance purposes to gather more detailed intelligence on a target organization.

Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the phisher sends an e-mail that appears to come from a legitimate business—a bank, or credit card company—requesting "verification" of information and warning of some dire consequence if it is not provided. The e-mail usually contains a link to a fraudulent web page that seems legitimate—with company logos and content—and has a form requesting everything from a home address to an ATM card's PIN or a credit card number. For example, in 2003, there was a phishing scam in which users received emails supposedly from eBay claiming that the user's account was about to be suspended unless a link provided was clicked to update a credit card (information that the genuine eBay already had).[10] By mimicking a legitimate organization's HTML code and logos, it is relatively simple to make a fake website look authentic. The scam tricked some people into thinking that eBay was requiring them to update their account information by clicking on the link provided. By indiscriminately spamming extremely large groups of people, the "phisher" counted on gaining sensitive financial information from the small percentage (yet large number) of recipients who already have eBay accounts and also fall victim to the scam.

Smishing

The act of using SMS text messaging to lure victims into a specific course of action. Like phishing, it can involve clicking on a malicious link or divulging information. Examples are text messages that claim to be from a common carrier (like FedEx) stating a package is in transit, with a link provided.

Impersonation

Pretending or pretexting to be another person with the goal of gaining physical access to a system or building. Impersonation is used in the "SIM swap scam" fraud.

Other concepts

Pretexting

Pretexting (adj. pretextual) is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.[11] An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (e.g., date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.[12] As a background, pretexting can be interpreted as the first evolution of social engineering, and it continued to develop as social engineering incorporated current-day technologies. Current and past examples of pretexting demonstrate this development.

This technique can be used to fool a business into disclosing customer information, as well as by private investigators to obtain telephone records, utility records, banking records and other information directly from company service representatives.[13] The information can then be used to establish even greater legitimacy under tougher questioning with a manager, e.g., to make account changes, get specific balances, etc.

Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, clergy, insurance investigators—or any other individual who could have perceived authority or right-to-know in the mind of the targeted victim. The pretexter must simply prepare answers to questions that might be asked by the victim. In some cases, all that is needed is a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet to create a pretextual scenario.

Vishing

Phone phishing (or "vishing") uses a rogue interactive voice response (IVR) system to recreate a legitimate-sounding copy of a bank or other institution's IVR system. The victim is prompted (typically via a phishing email) to call in to the "bank" via a (ideally toll-free) number provided in order to "verify" information. A typical "vishing" system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords. More advanced systems transfer the victim to the attacker/defrauder, who poses as a customer service agent or security expert for further questioning of the victim.

Spear phishing

Although similar to "phishing", spear phishing is a technique that fraudulently obtains private information by sending highly customized emails to few end users. This is the main difference from phishing attacks, because phishing campaigns focus on sending out high volumes of generalized emails with the expectation that only a few people will respond. On the other hand, spear-phishing emails require the attacker to perform additional research on their targets in order to "trick" end users into performing requested activities. The success rate of spear-phishing attacks is considerably higher than that of phishing attacks, with people opening roughly 3% of phishing emails when compared to roughly 70% of potential attempts. When users actually open the emails, phishing emails have a relatively modest 5% success rate to have the link or attachment clicked when compared to a spear-phishing attack's 50% success rate.[14]

Spear-phishing success is heavily dependent on the amount and quality of OSINT (open-source intelligence) that the attacker can obtain. Social media account activity is one example of a source of OSINT.

Water holing

Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.[15]

The attacker may set out by identifying a group or individuals to target. The preparation involves gathering information about websites the targets often visit from the secure system. The information gathering confirms that the targets visit the websites and that the system allows such visits. The attacker then tests these websites for vulnerabilities to inject code that may infect a visitor's system with malware. The injected code trap and malware may be tailored to the specific target group and the specific systems they use. In time, one or more members of the target group will get infected and the attacker can gain access to the secure system.

Baiting

Baiting is like the real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim. In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.

For example, an attacker may create a disk featuring a corporate logo, available from the target's website, and label it "Executive Salary Summary Q2 2012". The attacker then leaves the disk on the floor of an elevator or somewhere in the lobby of the target company. An unknowing employee may find it and insert the disk into a computer to satisfy their curiosity, or a good Samaritan may find it and return it to the company. In any case, just inserting the disk into a computer installs malware, giving attackers access to the victim's PC and, perhaps, the target company's internal computer network.

Unless computer controls block infections, insertion compromises PCs "auto-running" media. Hostile devices can also be used.[17] For instance, a "lucky winner" is sent a free digital audio player that compromises any computer it is plugged into. A "road apple" (the colloquial term for horse manure, suggesting the device's undesirable nature) is any removable media with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, or USB flash drive, among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential".[18]

One study done in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files that linked to webpages owned by the researchers. The researchers were able to see how many of the drives had files opened, but not how many were inserted into a computer without having a file opened. Of the 297 drives that were dropped, 290 (98%) of them were picked up and 135 (45%) of them "called home".[19]

Quid pro quo

Quid pro quo means something for something:

  • An attacker calls random numbers at a company, claiming to be calling back from technical support. Eventually this person will hit someone with a legitimate problem, grateful that someone is calling back to help them. The attacker will "help" solve the problem and, in the process, have the user type commands that give the attacker access or launch malware.
  • In a 2003 information security survey, 91% of office workers gave researchers what they claimed was their password in answer to a survey question in exchange for a cheap pen.[20] Similar surveys in later years obtained similar results using chocolates and other cheap lures, although they made no effort to validate the passwords.[21]

Tailgating

An attacker, seeking entry to a restricted area secured by unattended electronic access control, e.g. by RFID card, simply walks in behind a person who has legitimate access. Following common courtesy, the legitimate person will usually hold the door open for the attacker, or the attackers themselves may ask the employee to hold it open for them. The attacker will often purport to be on a phone call using a mobile to prevent questioning by an employee. The legitimate person may fail to ask for identification for any of several reasons, or may accept an assertion that the attacker has forgotten or lost the appropriate identity token. The attacker may also fake the action of presenting an identity token.

Other types

Common confidence tricksters or fraudsters also could be considered "social engineers" in the wider sense, in that they deliberately deceive and manipulate people, exploiting human weaknesses to obtain personal benefit. They may, for example, use social engineering techniques as part of an IT fraud.

As of the early 2000s, another type of social engineering technique includes spoofing or hacking IDs of people having popular e-mail IDs such as Yahoo!, Gmail, or Hotmail. Additionally, some spoofing attempts included emails from major online service providers, like PayPal.[22] This led to the "proposed standard" of Sender Policy Framework RFC 7208 dated April 2014, in combination with DMARC, as means to combat spoofing. Among the many motivations for this deception are:

  • Phishing credit-card account numbers and their passwords.
  • Cracking private e-mails and chat histories, and manipulating them by using common editing techniques before using them to extort money and creating distrust among individuals.
  • Defacing websites of companies or organizations and destroying their reputation.
  • Computer virus hoaxes
  • Convincing users to run malicious code within the web browser via a self-XSS attack to allow access to their web account
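The SPF and DMARC mechanisms named above are what a receiving mail server consults to decide whether a message claiming a given sender domain came from an authorized host. As an added example (not part of the original article or of any project's code), the following Python evaluates a sending IP against an SPF record and reads the DMARC policy, using constructed TXT records for the hypothetical domain example.test and no network access; only the ip4/ip6/all mechanisms and the four qualifiers are implemented, and DKIM is ignored.

```python
"""Offline SPF (RFC 7208) and DMARC record evaluation, simplified.

Added example: not from the original article or any project. The TXT
records below are constructed for the hypothetical domain example.test and
nothing is resolved over the network. Only the ip4, ip6 and all mechanisms
and the four qualifiers are implemented; mechanisms that need DNS
(include, a, mx, ptr, exists) and modifiers (redirect=, exp=) are skipped,
and DKIM is ignored, so the verdict rests on SPF plus the published DMARC
policy alone.
"""
import ipaddress

# Constructed sample TXT records for a hypothetical domain (not real DNS data).
SAMPLE_TXT = {
    "example.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; pct=100",
}

# SPF qualifier prefix -> result name; a mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms that require DNS lookups; this offline evaluator skips them.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def evaluate_spf(record, sender_ip):
    """Return the SPF result for sender_ip against one SPF TXT record.

    Results are 'pass', 'fail', 'softfail', 'neutral', 'none' (the record is
    not SPF) or 'permerror' (malformed or unknown mechanism).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=; not evaluated here
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches: -all means fail
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech in DNS_MECHANISMS:
            continue
        else:
            return "permerror"  # unknown mechanism name
    # Nothing matched and no 'all' term: RFC 7208 section 4.7 makes this neutral.
    return "neutral"


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return {} if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spoofing_verdict(domain, sender_ip, txt=SAMPLE_TXT):
    """Decide how a receiver would treat mail claiming to be From: @domain.

    Returns (spf_result, disposition). SPF 'pass' is accepted; otherwise the
    domain owner's DMARC policy decides, and with p=none or no DMARC record
    the receiver falls back on its own local handling of the SPF result.
    """
    spf = evaluate_spf(txt.get(domain, ""), sender_ip)
    if spf == "pass":
        return spf, "accept"
    policy = parse_dmarc(txt.get("_dmarc." + domain, "")).get("p")
    if policy in ("reject", "quarantine"):
        return spf, policy
    return spf, "no-dmarc-enforcement"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8:1::1"):
        print(ip, spoofing_verdict("example.test", ip))
```

A message from 198.51.100.7 claiming example.test fails SPF and, because the domain publishes p=reject, is rejected; a domain with only a softfail record and no DMARC policy leaves the decision to the receiver.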

Another type is to read sensitive information from unshielded or unprotected displays and input devices, called shoulder surfing.

Countermeasures

Organizations reduce their security risks by:

Training to Employees: Training employees in security protocols relevant to their position. (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse.)

Standard Framework: Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled)

Scrutinizing Information: Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.)

Security Protocols: Establishing security protocols, policies, and procedures for handling sensitive information.

Event Test: Performing unannounced, periodic tests of the security framework.

Inoculation: Preventing social engineering and other fraudulent tricks or traps by instilling a resistance to persuasion attempts through exposure to similar or related attempts.[23]

Review: Reviewing the above steps regularly: no solutions to information integrity are perfect.[24]

Waste Management: Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff. Locating the dumpster either in view of employees so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.[25]

Lifecycle

  1. Information gathering: Information gathering is the first and foremost step of the lifecycle. It requires much patience and keenly watching the habits of the victim. This step gathers information about the victim's interests and personal information. It determines the success rate of the overall attack.
  2. Engaging with victim: After gathering the required amount of information, the attacker opens a conversation with the victim smoothly without the victim finding anything inappropriate.
  3. Attacking: This step generally occurs after a long period of engaging with the target, and during this, information from the target is retrieved by using social engineering. In this phase, the attacker gets the results from the target.
  4. Closing interaction: This is the last step, which includes slowly shutting down the communication by the attacker without arousing any suspicion in the victim. In this way, the motive is fulfilled, and the victim rarely comes to know the attack even happened.[26]

Notable social engineers

Frank Abagnale Jr.

Frank Abagnale Jr. is an American security consultant known for his background as a former con man, check forger, and impostor while he was between the ages of 15 and 21. He became one of the most notorious impostors,[27] claiming to have assumed no fewer than eight identities, including an airline pilot, a physician, a U.S. Bureau of Prisons agent, and a lawyer. Abagnale escaped from police custody twice (once from a taxiing airliner and once from a U.S. federal penitentiary) before turning 22 years old.[28] The popular Steven Spielberg movie Catch Me If You Can is based on his life.

Kevin Mitnick

Kevin Mitnick is an American computer security consultant, author and hacker, best known for his high-profile 1995 arrest and later five-year conviction for various computer and communications-related crimes.[29]

Susan Headley

Susan Headley was an American hacker active during the late 1970s and early 1980s widely respected for her expertise in social engineering, pretexting, and psychological subversion.[30] She was known for her specialty in breaking into military computer systems, which often involved going to bed with military personnel and going through their clothes for usernames and passwords while they slept.[31] She became heavily involved in phreaking with Kevin Mitnick and Lewis de Payne in Los Angeles, but later framed them for erasing the system files at US Leasing after a falling out, leading to Mitnick's first conviction. She retired to professional poker.[32]

James Linton

James Linton is a British hacker and social engineer who in 2017 used OSINT and spear phishing techniques to trick a variety of targets over email, including the CEOs of major banks and members of the Trump White House administration. He then went to work in email security, where he socially engineered BEC (Business Email Compromise) threat actors to collect specific threat intelligence.

Badir Brothers

Brothers Ramy, Muzher, and Shadde Badir—all of whom were blind from birth—managed to set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.[33][34]

Christopher J. Hadnagy

Christopher J. Hadnagy is an American social engineer and information technology security consultant. He is best known as an author of four books on social engineering and cyber security[35][36][37][38] and founder of Innocent Lives Foundation, an organization that helps track and identify child trafficking using various security techniques such as seeking the assistance of information security specialists, utilizing data from open-source intelligence (OSINT) and collaborating with law enforcement.[39][40]

Law

In common law, pretexting is an invasion of privacy tort of appropriation.[41]

Pretexting of telephone records

In December 2006, the United States Congress approved a Senate-sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). It was signed by President George W. Bush on 12 January 2007.[42]

Federal legislation

The 1999 "GLBA" is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.

While the sale of cell telephone records has gained significant media attention, and telecommunications records are the focus of the two bills currently before the United States Senate, many other types of private records are being bought and sold in the public market. Alongside many advertisements for cell phone records, wireline records and the records associated with calling cards are advertised. As individuals shift to VoIP telephones, it is safe to assume that those records will be offered for sale as well. Currently, it is legal to sell telephone records, but illegal to obtain them.[43]

1st Source Information Specialists

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suits respectively against 1st Source Information Specialists and, in Missouri's case, one other records broker – First Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular, filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

Hewlett Packard

Patricia Dunn, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to delve into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.[44] Unlike Federal law, California law specifically forbids such pretexting. The four felony charges brought against Dunn were dismissed.[45]

Preventive measures

Taking some precautions reduces the risk of being a victim of social engineering frauds. The precautions that can be taken are as follows:

  • Be aware of offers that seem "too good to be true".
  • Use multifactor authentication.
  • Avoid clicking on attachments from unknown sources.
  • Do not give out personal or financial information (such as credit card information, Social Security Numbers, or bank account information) to anyone via email, phone, or text messages.
  • Use spam filter software.
  • Avoid befriending people that you do not know in real life.
  • Teach kids to contact a trusted adult in case they are being bullied over the internet (cyberbullying) or feel threatened by anything online.[46]
  • Don't make instant decisions, but when possible take five minutes to evaluate the information presented.

See also

  • Certified Social Engineering Prevention Specialist (CSEPS)
  • Code Shikara – Computer worm
  • Confidence trick – Attempt to defraud a person or group after first gaining their confidence
  • Countermeasure (computer) – Process to reduce a security threat
  • Cyber-HUMINT – Set of skills used by internet hackers
  • Cyberheist
  • Inoculation theory – Explanation of how an attitude or belief can be protected against influence in much the same way a body can be protected against disease
  • Internet Security Awareness Training
  • IT risk – Any risk related to IT, which may underlie an organization's business processes in varying degrees
  • Media pranks, which often employ similar tactics (though usually not for criminal purposes)
  • Penetration test – Method of evaluating computer and network security by simulating a cyber attack
  • Phishing – Act of attempting to acquire sensitive information by posing as a trustworthy entity
  • Physical information security – Common ground of physical and information security
  • Piggybacking (security)
  • SMS phishing
  • Threat (computer)
  • Voice phishing – Use of social engineering over voice telephony by criminals to convince victims to divulge sensitive information
  • Vulnerability (computing) – Exploitable weakness in a computer system
  • Cyber security awareness

References [edit]

  1. Anderson, Ross J. (2008). Security Engineering: A Guide to Building Dependable Distributed Systems (2nd ed.). Indianapolis, IN: Wiley. p. 1040. ISBN 978-0-470-06852-6. Chapter 2, page 17.
  2. "Social Engineering Defined". Security Through Education. Retrieved 3 October 2021.
  3. Lim, Joo S., et al. "Exploring the Relationship between Organizational Culture and Information Security Culture." Australian Information Security Management Conference.
  4. Andersson, D., Reimers, K. and Barretto, C. (March 2014). "Post-Secondary Education Network Security: Results of Addressing the End-User Challenge." INTED2014 (International Technology, Education, and Development Conference), 11 March 2014.
  5. Schlienger, Thomas; Teufel, Stephanie (2003). "Information security culture – from analysis to change". South African Computer Journal. 31: 46–52.
  6. Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.
  7. Kirdemir, Baris (2019). "Hostile Influence and Emerging Cognitive Threats in Cyberspace". Centre for Economics and Foreign Policy Studies.
  8. Hatfield, Joseph M (June 2019). "Virtuous human hacking: The ethics of social engineering in penetration-testing". Computers & Security. 83: 354–366. doi:10.1016/j.cose.2019.02.012. S2CID 86565713.
  9. Choi, Kwan; Lee, Ju-lak; Chun, Yong-tae (1 May 2017). "Voice phishing fraud and its modus operandi". Security Journal. 30 (2): 454–466. doi:10.1057/sj.2014.49. ISSN 0955-1662. S2CID 154080668.
  10. Austen, Ian (7 March 2005). "On EBay, E-Mail Phishers Find a Well-Stocked Pond". The New York Times. ISSN 0362-4331. Retrieved 1 May 2021.
  11. The story of the HP pretexting scandal, with discussion, is available at Davani, Faraz (14 August 2011). "HP Pretexting Scandal by Faraz Davani". Retrieved 15 August 2011 – via Scribd.
  12. "Pretexting: Your Personal Information Revealed", Federal Trade Commission.
  13. Fagone, Jason (24 November 2015). "The Serial Swatter". The New York Times. Retrieved 25 November 2015.
  14. "The Real Dangers of Spear-Phishing Attacks". FireEye. 2016. Retrieved 9 October 2016.
  15. "Chinese Espionage Campaign Compromises Forbes.com to Target US Defense, Financial Services Companies in Watering Hole Style Attack". invincea.com. 10 February 2015. Retrieved 23 February 2017.
  16. "Archived copy" (PDF). Archived from the original (PDF) on 11 October 2007. Retrieved 2 March 2012.
  17. Conklin, Wm. Arthur; White, Greg; Cothren, Chuck; Davis, Roger; Williams, Dwayne (2015). Principles of Computer Security, Fourth Edition (Official CompTIA Guide). New York: McGraw-Hill Education. pp. 193–194. ISBN 978-0071835978.
  18. Raywood, Dan (4 August 2016). "#BHUSA Dropped USB Experiment Detailed". Infosecurity. Retrieved 28 July 2017.
  19. Leyden, John (18 April 2003). "Office workers give away passwords". The Register. Retrieved 11 April 2012.
  20. "Passwords revealed by sweet deal". BBC News. 20 April 2004. Retrieved 11 April 2012.
  21. "Email Spoofing – What it Is, How it Works & More – Proofpoint US". www.proofpoint.com. 26 February 2021. Retrieved 11 October 2021.
  22. Treglia, J., & Delia, M. (2017). Cyber Security Inoculation. Presented at NYS Cyber Security Conference, Empire State Plaza Convention Center, Albany, NY, 3–4 June.
  23. Mitnick, K., & Simon, W. (2005). "The Art of Intrusion". Indianapolis, IN: Wiley Publishing.
  24. Allsopp, William. Unauthorised Access: Physical Penetration Testing for IT Security Teams. Hoboken, NJ: Wiley, 2009. 240–241.
  25. "social engineering – GW Information Security Blog". blogs.gwu.edu. Retrieved 18 February 2020.
  26. Salinger, Lawrence M. (2005). Encyclopedia of White-Collar & Corporate Crime. SAGE. ISBN 978-0-7619-3004-4.
  27. "How Frank Abagnale Would Swindle You". U.S. News. 17 December 2019. Archived from the original on 28 April 2013. Retrieved 17 December 2019.
  28. "Kevin Mitnick sentenced to nearly four years in prison; computer hacker ordered to pay restitution to victim companies whose systems were compromised" (Press release). United States Attorney's Office, Central District of California. 9 August 1999. Archived from the original on 13 June 2013.
  29. "DEF CON III Archives – Susan Thunder Keynote". DEF CON. Retrieved 12 August 2017.
  30. "Archived copy". Archived from the original on 17 April 2001. Retrieved 6 January 2007.
  31. Hafner, Katie (August 1995). "Kevin Mitnick, unplugged". Esquire. 124 (2): 80(9).
  32. "Wired 12.02: Three Blind Phreaks". Wired. 14 June 1999. Retrieved 11 April 2012.
  33. "Social Engineering: A Young Hacker's Tale" (PDF). 15 February 2013. Retrieved 13 January 2020.
  34. "43 Best Social Engineering Books of All Time". BookAuthority. Retrieved 22 January 2020.
  35. "Ben's Book of the Month: Review of Social Engineering: The Science of Human Hacking". RSA Conference. 31 August 2018. Retrieved 22 January 2020.
  36. "Book Review: Social Engineering: The Science of Human Hacking". The Ethical Hacker Network. 26 July 2018. Retrieved 22 January 2020.
  37. Hadnagy, Christopher; Fincher, Michele (22 January 2020). "Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails". ISACA. Retrieved 22 January 2020.
  38. WTVR: "Protect Your Kids from Online Threats".
  39. Larson, Selena (14 August 2017). "Hacker creates system to unmask child predators". CNN. Retrieved 14 November 2019.
  40. Restatement 2d of Torts § 652C.
  41. "Congress outlaws pretexting". 109th Congress (2005–2006) H.R.4709 – Telephone Records and Privacy Protection Act of 2006. 2007.
  42. Mitnick, K. (2002): "The Art of Deception", p. 103. Wiley Publishing Ltd: Indianapolis, Indiana; United States of America. ISBN 0-471-23712-4.
  43. Shankland, Stephen (8 September 2006). "HP chairman: Use of pretexting 'embarrassing'". CNET News.com.
  44. "Calif. court drops charges against Dunn". CNET. 14 March 2007. Retrieved 11 April 2012.
  45. "What is Social Engineering | Attack Techniques & Prevention Methods | Imperva". Learning Center. Retrieved 18 February 2020.

Further reading [edit]

  • Boyington, Gregory. (1990). 'Baa Baa Black Sheep'. Published by Gregory Boyington. ISBN 0-553-26350-1
  • Harley, David. 1998. Re-Floating the Titanic: Dealing with Social Engineering Attacks. EICAR Conference.
  • Laribee, Lena. June 2006. Development of methodical social engineering taxonomy project. Master's Thesis, Naval Postgraduate School.
  • Leyden, John. 18 April 2003. Office workers give away passwords for a cheap pen. The Register. Retrieved 2004-09-09.
  • Long, Johnny. (2008). No Tech Hacking – A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Published by Syngress Publishing Inc. ISBN 978-1-59749-215-7
  • Mann, Ian. (2008). Hacking the Human: Social Engineering Techniques and Security Countermeasures. Published by Gower Publishing Ltd. ISBN 0-566-08773-1 or ISBN 978-0-566-08773-8
  • Mitnick, Kevin, Kasperavičius, Alexis. (2004). CSEPS Course Workbook. Mitnick Security Publishing.
  • Mitnick, Kevin, Simon, William L., Wozniak, Steve. (2002). The Art of Deception: Controlling the Human Element of Security. Published by Wiley. ISBN 0-471-23712-4 or ISBN 0-7645-4280-X
  • Hadnagy, Christopher. (2011). Social Engineering: The Art of Human Hacking. Published by Wiley. ISBN 0-470-63953-9
  • N.J. Evans. (2009). "Information Technology Social Engineering: An Academic Definition and Study of Social Engineering – Analyzing the Human Firewall." Graduate Theses and Dissertations. 10709. https://lib.dr.iastate.edu/etd/10709
  • Z. Wang, L. Sun and H. Zhu. (2020). "Defining Social Engineering in Cybersecurity," in IEEE Access, vol. 8, pp. 85094–85115, doi: 10.1109/ACCESS.2020.2992807.

External links [edit]

  • Social Engineering Fundamentals – Securityfocus.com. Retrieved 3 August 2009.
  • "Social Engineering, the USB Way". Light Reading Inc. 7 June 2006. Archived from the original on 13 July 2006. Retrieved 23 April 2014.
  • Should Social Engineering be a part of Penetration Testing? – Darknet.org.uk. Retrieved 3 August 2009.
  • "Protecting Consumers' Phone Records", Electronic Privacy Information Center, US Committee on Commerce, Science, and Transportation. Retrieved 8 February 2006.
  • Plotkin, Hal. Memo to the Press: Pretexting is Already Illegal. Retrieved 9 September 2006.

Source: https://en.wikipedia.org/wiki/Social_engineering_(security)