1
00:00:01,610 --> 00:00:04,160
Social engineering terminologies and techniques.

2
00:00:06,600 --> 00:00:13,020
Hackers, ethical hackers or pen testers use social engineering tactics because it's usually easier

3
00:00:13,020 --> 00:00:16,770
to exploit people than it is to discover ways to hack the software.

4
00:00:17,190 --> 00:00:21,780
For example, it's much easier to fool someone into giving you their password than it is for you to

5
00:00:21,780 --> 00:00:23,400
try hacking their passwords.

6
00:00:24,150 --> 00:00:30,600
Social engineering is the psychological manipulation of people into performing actions or divulging confidential

7
00:00:30,600 --> 00:00:31,260
information.

8
00:00:31,980 --> 00:00:38,280
The types of information that you seek can vary, but you usually try to trick the targeted victim into

9
00:00:38,280 --> 00:00:44,640
giving you their passwords or bank information, or access to their computer to secretly install malicious

10
00:00:44,640 --> 00:00:49,170
software that will give you access to their passwords and sensitive information,

11
00:00:49,440 --> 00:00:56,550
as well as giving you control over their computers. You usually use the human relations and the intentions

12
00:00:56,550 --> 00:00:59,160
of the people in social engineering attacks.

13
00:00:59,910 --> 00:01:05,880
If you have enough information about the company, send phishing emails to the victims as the employer

14
00:01:06,000 --> 00:01:07,760
instead of as someone they don't know.

15
00:01:07,770 --> 00:01:12,360
You won't believe the results. In a social engineering attack,

16
00:01:12,510 --> 00:01:17,100
you get the best results if you use the fear and curiosity of the victims.

17
00:01:19,330 --> 00:01:23,440
Scare them: there is abnormal traffic from your computer to the others.

18
00:01:23,740 --> 00:01:26,140
It's probably a worm trying to spread.
19
00:01:26,650 --> 00:01:31,420
Have you ever visited a website that you shouldn't, or downloaded something that you shouldn't trust?

20
00:01:33,130 --> 00:01:34,450
Or make them curious.

21
00:01:35,170 --> 00:01:36,040
Prepare a CD.

22
00:01:36,730 --> 00:01:39,700
Drop it next to the victim, accidentally.

23
00:01:40,210 --> 00:01:42,310
And curiosity killed the cat.

24
00:01:43,540 --> 00:01:48,550
Let's explain why the human being is always under attack with the writings of Rick Ferguson, who's

25
00:01:48,550 --> 00:01:52,240
the director of security research and communications at Microsoft.

26
00:01:52,780 --> 00:01:56,110
People are always the weakest link in information security.

27
00:01:56,380 --> 00:02:02,770
You can deploy all the technology you want, but people simply cannot be programmed and can't be anticipated.

28
00:02:03,160 --> 00:02:09,010
As long as an attacker makes their delivery vehicle credible enough, a target is likely to click the

29
00:02:09,010 --> 00:02:10,900
link or open the file.

30
00:02:12,350 --> 00:02:19,100
The bugs in the human hardware are exploited in various combinations to create attack techniques, some

31
00:02:19,100 --> 00:02:20,840
of which are listed on this slide.

32
00:02:21,410 --> 00:02:24,350
Let's talk about the most famous techniques briefly.

33
00:02:26,010 --> 00:02:32,160
Shoulder surfing is simply the technique used to obtain confidential data, such as PIN numbers and

34
00:02:32,160 --> 00:02:36,720
passwords, by observing the information without getting the victim's attention,

35
00:02:37,590 --> 00:02:44,130
for example by looking over the victim's shoulder. This attack can be performed either at close range,

36
00:02:44,340 --> 00:02:50,580
by directly looking over the victim's shoulder, or from a longer range by, for example, using a pair

37
00:02:50,580 --> 00:02:52,380
of binoculars or similar hardware.
38
00:02:53,250 --> 00:02:59,820
Shoulder surfing is likely to be performed best in crowded places, because it's easy to observe the information

39
00:03:00,090 --> 00:03:01,980
without getting the victim's attention.

40
00:03:03,500 --> 00:03:08,990
Dumpster diving, also known as trashing, is another popular method of social engineering.

41
00:03:09,560 --> 00:03:13,880
In brief, it's looking for valuable things in someone else's waste bin.

42
00:03:14,450 --> 00:03:21,860
A huge amount of information can be collected through company dumpsters: company phone books, organizational

43
00:03:21,860 --> 00:03:29,870
charts, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts

44
00:03:29,870 --> 00:03:37,340
of sensitive data or login names and passwords, printouts of source code, etc. All of this information

45
00:03:37,340 --> 00:03:43,070
can be used to assist a social engineering attack to gain access to the target company's network.

46
00:03:45,280 --> 00:03:50,350
The dictionary meaning of tailgating is to drive too closely behind another vehicle.

47
00:03:50,830 --> 00:03:59,140
But as a social engineering attack technique, tailgating is seeking entry to a restricted area secured

48
00:03:59,140 --> 00:04:04,900
by unattended electronic access control, for example by an RFID card.

49
00:04:06,010 --> 00:04:12,610
In this technique, you simply walk in behind a person who has legitimate access. Following common courtesy,

50
00:04:12,880 --> 00:04:19,240
the legitimate person will usually hold the door open for you, or you yourself may ask the employee

51
00:04:19,240 --> 00:04:20,620
to hold it open for you.

52
00:04:21,220 --> 00:04:27,610
The legitimate person may fail to ask for identification for any of several reasons, or may accept

53
00:04:27,610 --> 00:04:32,440
an assertion that the attacker has forgotten or lost the appropriate identity token.
54
00:04:33,070 --> 00:04:38,650
You may also fake the action of presenting an identity token, or the action of looking through your pockets

55
00:04:38,830 --> 00:04:40,690
to find your identity token.

56
00:04:42,310 --> 00:04:44,920
During this course, we will see phishing in detail.

57
00:04:45,580 --> 00:04:49,810
For now, let's just talk about the concept. In a phishing attack,

58
00:04:50,080 --> 00:04:56,680
typically, the attacker sends an email that appears to come from a legitimate business (a bank, a credit

59
00:04:56,680 --> 00:05:03,310
card company) requesting verification of information and warning of some terrible consequences if it's

60
00:05:03,310 --> 00:05:04,090
not provided.

61
00:05:04,720 --> 00:05:11,500
The email usually contains a link to a fraudulent web page that seems legitimate, with company logos

62
00:05:11,500 --> 00:05:18,400
and content, and has a form requesting everything from a home address to an ATM card's PIN or a credit

63
00:05:18,400 --> 00:05:19,090
card number.