Social Engineering

According to the ISSAF, social engineering can be broken down into the following attacks (Open Information Systems Security Group, 2006):

  • Shoulder surfing: Watching an authorized user access the system and obtaining his or her credentials as he or she enters them into the system

  • Physical access to workstations: Allowing physical access to a system gives penetration testers an opportunity to install malicious code, including backdoor access

  • Masquerading as a user: Contacting the help desk while pretending to be a user, requesting access information or elevated privileges

  • Masquerading as monitoring staff: Requesting access to a system by pretending to be an auditor or security personnel

  • Dumpster diving: Searching trash receptacles for computer printouts that contain sensitive information

  • Handling (finding) sensitive information: Finding unsecured sensitive documents lying on desks or tables

  • Password storage: Looking for written-down passwords stored near the computer

  • Reverse social engineering: Pretending to be someone in a position of power (such as a help desk employee) who can help a victim resolve a problem while obtaining sensitive information from the victim


  
