# SEC-5: Social Engineering and Attacks

Status: not started

Domain:
- 2.0 Security

Objective alignment:
- 2.5 Social engineering and attacks

## What You Need To Know

This objective is scenario-heavy. The exam describes an attack and expects you to identify the type or the best prevention.

Think in categories:
- Human manipulation
- Availability attacks
- Spoofing/on-path attacks
- Password attacks
- Web app attacks
- Insider/supply chain risks
- Vulnerable systems

## Memory Trick

Use **PHISH-DOS-PASS-WEB-SUPPLY**:
- **PHISH**: phishing, vishing, smishing, QR phishing, spear phishing, whaling
- **DOS**: DoS and DDoS
- **PASS**: brute force, dictionary, plaintext passwords
- **WEB**: SQL injection and XSS
- **SUPPLY**: service provider, hardware, software supply chain

Physical/social trick:
- **Tailgating = no consent**
- **Piggybacking = with consent**

## Phishing Variants

Phishing:
- Fraudulent messages that trick users into clicking, logging in, paying, or sharing data.
- Often uses spoofed email, fake sites, urgency, or suspicious links.

Vishing:
- Voice phishing by phone or voicemail.

Smishing:
- SMS/text phishing.

QR code phishing:
- Malicious QR code points to a fake or harmful site.

Spear phishing:
- Targeted phishing aimed at a specific person or group.

Whaling:
- Spear phishing aimed at executives or high-value targets.

Business Email Compromise (BEC):
- Attacker uses email trust to request money, gift cards, payroll changes, or wire transfers.
- Prevention: verify requests through a separate trusted channel.

## Physical/Social Attacks

Shoulder surfing:
- Watching someone enter or view sensitive information.
- Prevention: privacy screens, awareness, monitor placement.

Tailgating:
- Unauthorized person follows through a secure door without consent.

Piggybacking:
- Authorized person knowingly lets someone follow them in.

Impersonation:
- Pretending to be someone trusted, such as help desk, vendor, executive, or employee.
Dumpster diving:
- Searching trash for information useful in later attacks.
- Prevention: shredding, secure disposal, clean desk policy.

## Availability Attacks

DoS:
- Denial of Service.
- One system/attack source makes a service unavailable.

DDoS:
- Distributed Denial of Service.
- Many systems, often botnets, attack at once.

Prevention/mitigation:
- ISP filtering
- Cloud DDoS protection
- Firewall/rate-limit patterns
- Redundancy

## Spoofing and On-Path Attacks

On-path attack:
- Attacker intercepts/redirects traffic between victim and destination.
- Formerly called man-in-the-middle.

ARP poisoning:
- Local network attack that tricks devices about MAC-to-IP mappings.

Evil twin:
- Fake Wi-Fi access point that looks legitimate.
- Prevention: VPN, HTTPS, avoid unknown Wi-Fi, verify SSID, use enterprise authentication.

On-path browser attack:
- Malware in the browser proxies or manipulates traffic from the victim's own machine.

## Zero-Day Attacks

Zero-day:
- Exploit for a vulnerability not yet known or patched by the vendor.

Exam clue:
- No patch exists yet, or the vulnerability was unknown before exploitation.

Mitigation:
- Defense in depth, least privilege, behavior detection, segmentation, rapid patching when fixes arrive.

## Password Attacks

Plaintext password storage:
- Passwords stored unencrypted.
- Bad design.

Hashing:
- One-way representation of a password.
- Used for password storage.

Brute force:
- Try every possible password combination.

Dictionary attack:
- Try likely words/password lists and substitutions.

Mitigation:
- Long passwords
- MFA
- Account lockout/rate limiting
- Strong hashing
- Password managers

## Web App Attacks

SQL injection:
- Attacker modifies database queries through unsafe input.
- Example effect: view, change, or delete database data.
- Prevention: input validation, parameterized queries, secure coding.

XSS:
- Cross-site scripting.
- Attacker injects scripts into trusted web pages or links.
- Can steal cookies/session tokens or act as the user.
- Prevention: input validation/output encoding, secure coding, browser updates.

Memory trick:
- **SQL injection attacks the database.**
- **XSS attacks the user's browser trust.**

## Insider and Supply Chain

Insider threat:
- Employee, contractor, or trusted person misuses access.
- May be malicious or careless.

Supply chain attack:
- Attacker compromises a vendor, provider, update, hardware, or software source.
- Trusted relationship becomes the attack path.

Service provider risk:
- Third-party providers may have access to internal systems.

Mitigation:
- Vendor audits
- Least privilege
- Contract security requirements
- Monitor provider access
- Verify software signatures

## Vulnerable Systems

Non-compliant systems:
- Do not meet organization standards.

Unpatched systems:
- Missing security updates.

Unprotected systems:
- Security controls disabled or absent.

EOL/EOSL:
- End of life/end of service life.
- No normal security patches or support.

BYOD:
- Bring Your Own Device.
- User-owned device accessing company data.
- Needs policy, MDM, data separation, and security requirements.

## Commands To Enter

Windows:

```powershell
arp -a
```

What it does:
- Shows ARP cache entries.
- Useful conceptually for ARP poisoning discussions.

```powershell
netstat -ano
```

What it does:
- Shows active network connections and listening ports.

```powershell
ipconfig /all
```

What it does:
- Shows IP, DNS, gateway, and adapter information.

```powershell
whoami /groups
```

What it does:
- Shows group membership and helps discuss insider/privilege risk.

Linux:

```bash
ip neigh
```

What it does:
- Shows neighbor/ARP table entries.

```bash
ss -tulpn
```

What it does:
- Shows listening sockets and processes when allowed.

```bash
ip route
```

What it does:
- Shows routes, including the default gateway.

## Mini Lab

Goal:
- Practice identifying attack types safely.

Windows:
1. Run `arp -a`.
2. Run `netstat -ano`.
3. Run `ipconfig /all`.
4. Record:
   - Default gateway:
   - One ARP entry:
   - One active/listening connection:

Linux:
1. Run `ip neigh`.
2. Run `ss -tulpn`.
3. Run `ip route`.
4. Record:
   - Default gateway:
   - One neighbor entry:
   - One listening service:

Scenario practice:
1. A CFO gets an email asking for a wire transfer.
2. A user scans a QR code on a parking meter and lands on a fake payment site.
3. A fake Wi-Fi network copies the hotel SSID.
4. An attacker tries every possible password.
5. A vendor software update is compromised.
6. A website search box runs attacker-supplied JavaScript.
7. A database query is manipulated through form input.

For each:
- Name the attack.
- Name one prevention or mitigation.

## Quick Check Before Quiz

You are ready for the SEC-5 quiz when you can answer these without looking:
- What is the difference between phishing, vishing, smishing, spear phishing, and whaling?
- What is the difference between tailgating and piggybacking?
- What does an evil twin imitate?
- What is the difference between SQL injection and XSS?
- What is a supply chain attack?
- What is the difference between DoS and DDoS?
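The SQL injection versus XSS distinction from the Web App Attacks memory trick, scenario items 6 and 7, and the Quick Check, as an added Python example that is not part of the original study notes: the unsafe lookup lets the input rewrite the query (the database is attacked), while the unsafe render lets a script tag reach the page (the browser's trust is attacked), and the parameterized query and output encoding named under Prevention stop each. The `users` table, its rows, and the two test inputs are constructed for this demo.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory user table; the rows are sample data for this demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: untrusted input is pasted into the SQL text, so a quote
    # character in the input changes the query the database actually runs.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameterized query: the input is bound as a value and is never parsed
    # as SQL, so the query shape cannot be changed by the caller.
    sql = "SELECT email FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


def render_unsafe(search_term: str) -> str:
    # VULNERABLE: reflecting raw input into HTML lets a <script> tag reach
    # the browser, which trusts the page and executes it.
    return f"<p>Results for: {search_term}</p>"


def render_safe(search_term: str) -> str:
    # Output encoding: HTML metacharacters become entities, so the browser
    # displays the text instead of executing it.
    return f"<p>Results for: {html.escape(search_term)}</p>"


# Constructed inputs: one aimed at the query, one aimed at the page.
INJECTION = "' OR '1'='1"
SCRIPT = "<script>alert(1)</script>"

if __name__ == "__main__":
    conn = make_db()
    print(lookup_unsafe(conn, INJECTION))  # both emails leak: database attacked
    print(lookup_safe(conn, INJECTION))    # []: no user has that literal name
    print(render_unsafe(SCRIPT))           # script tag intact: browser attacked
    print(render_safe(SCRIPT))             # &lt;script&gt;...: shown as text
```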