
Computer Security Tutorial (Text-Only Version)
Module 2: Social Engineering
Introduction
"Social Engineering is the practice of obtaining confidential information by manipulation of legitimate users" - Wikipedia
- The principle behind social engineering is that "users are the weak link in security."
The Issue
The underlying principle behind social engineering is that it can be easier to trick people than to hack into computing systems by force. Social engineers get personal information or access to computing systems by exploiting people's natural tendency to want to trust and be helpful, and by taking advantage of our tendency to act quickly when faced with a crisis.
A social engineer will commonly use email, the Internet, or the telephone to trick people into revealing sensitive information or into doing something that is against policy.
Three extremely common examples of social engineering are:
- Spam scams/phishing: deceptive e-mails designed to get people to reveal personal, financial or log-in information (more info follows).
- Impersonation: attackers typically pose as someone in authority, or an I.T. representative, in order to obtain information or direct access to systems. For targeted attacks, hackers will even go through dumpsters ("dumpster diving", see below) or do other research so they know enough to convince you to trust them.
- Dumpster diving: describes the practice of going through trash to obtain valuable information. Any sensitive information--paper or electronic--that is thrown away intact is vulnerable to dumpster diving.
Spam Scams
Spam scams are deceptive e-mails designed to get people to reveal personal, financial or log-in information, click on links or open attachments that can infect computers, or send money. Classic examples include:
- Phishing
- Phony security alerts
- The "Nigerian" bank account scam
Phishing
Phishing schemes typically involve email pretending to be from someone in authority or from trusted businesses, such as Citibank or Paypal, an Internet service provider (ISP), or even a government agency. The email asks you to go to a website to "update," "validate," or "confirm" your personal, financial or password information or face negative consequences. The email links and websites can look legitimate, but they are really designed to steal your information.
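The two tell-tale signs described above, lure wording ("update," "validate," "confirm") and a link whose visible text looks legitimate while the real target is elsewhere, can be checked mechanically. The following is an added example, not part of this tutorial; the email it inspects is a constructed sample, and the domain names in it are made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample (not a real phishing email). It mimics the pattern the
# module describes: a "trusted business" sender, "validate/confirm" urgency,
# and a link whose visible text looks legitimate but points elsewhere.
SAMPLE_EMAIL = """\
From: Citibank Online <security@citibank.com.example-login.net>
Subject: Action required: confirm your account within 24 hours

<p>We detected unusual activity. Please
<a href="http://citibank.com.example-login.net/verify">validate your
information at www.citibank.com</a> or your account will be suspended.</p>
"""

# Wording the module singles out as typical of phishing lures.
LURE_WORDS = ("update", "validate", "confirm", "suspended")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def registered_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed sample."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:])

def phishing_indicators(raw_email):
    """Return human-readable reasons a message matches the phishing pattern."""
    reasons = []
    lowered = raw_email.lower()
    for word in LURE_WORDS:
        if word in lowered:
            reasons.append(f"lure wording: {word!r}")
    for href, text in ANCHOR_RE.findall(raw_email):
        target = registered_domain(urlparse(href).hostname or "")
        # Visible text naming a domain other than the real link target is the
        # "looks legitimate but isn't" case the module warns about.
        for named in HOST_RE.findall(re.sub(r"<[^>]+>", "", text)):
            if registered_domain(named) != target:
                reasons.append(f"link text names {named} but goes to {target}")
    return reasons

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_EMAIL):
        print("-", reason)
```

A mail filter would use a proper public-suffix list instead of the two-label shortcut here, but the mismatch check itself is the same.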
Phony Security Alert
Phony security alerts are usually emails or pop-up windows that claim to be from a reputable software or hardware manufacturer (Microsoft, HP, etc.), or from a trusted name like "IT Security." These emails or pop-ups warn that your computer is at risk of being infected or hacked, and usually contain an attachment or a link to a patch that they claim will fix the problem. When you follow the link or click on the attachment, the "patch" you download is actually a malicious program which then proceeds to infect your computer (and possibly others connected to it).
Nigerian Bank Account Scam
In this scheme, an email claims to be from a VIP from another country who needs assistance accessing a large sum of money. They ask to temporarily transfer this money into your bank account with the promise that you will receive a percentage as payment for your assistance. Over time, the scammer will inform you about "fees" or "taxes" that must be paid for them to transfer the money. They will also ask you to send your bank account information so they can make the transfer. The goal of this very successful scam is to collect both money and bank account information.
Protecting Yourself
- Don't give sensitive personal, financial, log-in, business, system or network information to anyone you don't know (in person, over the phone, via e-mail or the Internet), or who doesn't have a legitimate need for it. Keep in mind that you may have to enter your password for someone to work on your computer, but you shouldn't have to tell it to them.
- Destroy or securely erase sensitive information before recycling or throwing it away.
- Delete unsolicited e-mails; don't open, forward, reply to, or click on links or attachments in them.
- If an offer sounds too good to be true, it probably is. If you want to investigate something, look it up on your own (e.g. do a Google search) instead of clicking on an unknown or unsolicited link.
- Even snippets of information can be harmful if someone is clever enough to get bits of information from several different people.
- You can report deceptive email to spam@uce.gov. The FTC uses these reports to pursue legal action against people who send this email.
Additional Information
- SecurityFocus™ has an older (2001), yet still relevant and informative, 2-part article about social engineering on its website at: http://www.securityfocus.com/infocus/1527
- Keep an eye out for additional examples of social engineering in the Internet and email modules of this tutorial.
Rev. January 2009