Diving, Surfing, and Pharming

Apr 01, 2020

Upon completion of this video, you will be able to describe dumpster diving, shoulder surfing, pharming, and other exploits.

In this lesson, we are going to continue our discussion of social engineering techniques, looking at "Tailgating", also referred to as "Piggybacking". Tailgating or piggybacking happens where access tokens or badges are used in a single-factor or multi-factor authentication scheme for physical access to buildings, to certain rooms, to certain floors (for example, on an elevator), or to high-security areas like the data center.

Each subject is expected to use their badge or token with the sensor every time they access a building or protected area, so tailgating is usually treated as a violation of security policy, for example the acceptable use policy (AUP) combined with some enforcement policy, when users do not comply and instead piggyback or tailgate on somebody else's access.

For example, two people coming back from lunch or from the restroom: one flashes their token and the other just follows them through without presenting their own factor. All access must be audited and visible. Something else to consider as far as social engineering goes is "Dumpster Diving".
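Returning to the point that all access must be audited: one way a defender makes tailgating visible in badge-reader logs is an anti-passback check, where a badge that exits a zone it never entered, or enters a zone it never left, marks a door that was passed without a badge. The code below is an added example for this lesson, not part of the original video; the log format, reader names and badge IDs are constructed for illustration.

```python
from collections import defaultdict

# Constructed badge-reader log (not from the original lesson).
# Format: timestamp,badge_id,reader,direction   where direction is IN or OUT.
SAMPLE_LOG = """\
08:01:10,B1001,LOBBY,IN
08:01:12,B1002,LOBBY,IN
08:30:00,B1001,DC-DOOR,IN
08:45:00,B1003,DC-DOOR,OUT
09:00:00,B1002,LOBBY,OUT
09:05:00,B1002,LOBBY,OUT
12:10:00,B1003,LOBBY,IN
13:00:00,B1001,LOBBY,IN
"""


def parse_log(text):
    """Turn the comma-separated log into (timestamp, badge, reader, direction) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, badge, reader, direction = line.split(",")
        events.append((ts, badge, reader, direction.strip()))
    return events


def find_antipassback_violations(events):
    """Anti-passback check over a chronologically ordered badge log.

    A badge must be recorded inside a zone before it can badge OUT of it, and must
    badge OUT before it can badge IN again. Either anomaly means the holder passed
    a door without presenting their badge, i.e. they tailgated behind someone else.
    Returns a list of (timestamp, badge, reader, reason) tuples.
    """
    inside = defaultdict(set)  # reader/zone -> badges currently recorded inside
    violations = []
    for ts, badge, reader, direction in events:
        if direction == "IN":
            if badge in inside[reader]:
                violations.append((ts, badge, reader, "IN without prior OUT"))
            inside[reader].add(badge)
        elif direction == "OUT":
            if badge not in inside[reader]:
                violations.append((ts, badge, reader, "OUT without prior IN"))
            inside[reader].discard(badge)
    return violations


if __name__ == "__main__":
    for v in find_antipassback_violations(parse_log(SAMPLE_LOG)):
        print("tailgating suspected:", v)
```

On the sample log this flags B1003 leaving the data center it never badged into, B1002 badging out of the lobby twice, and B1001 re-entering the lobby without having badged out.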

"Dumpster Diving" is an attack where the goal is to reclaim important information by searching through trash containers and dumpsters. Attackers can find credit card information, invoices and receipts, and other manifests. They can discover the internal IP addressing structure. They can find organizational charts. They can obtain the names of key employees or executive management. They can find manuals and charts, or intellectual property on memos and sticky notes.

It's very important from a physical security standpoint that your dumpsters and trash containers be fenced in with locking mechanisms and also have good lighting and good monitoring, for example with cameras. There's also "Shoulder Surfing". This is an attack where the goal is to look over the shoulder of an individual as he or she enters a password, a PIN, or any other sensitive information. This is much easier to do today because we have so many camera-equipped mobile devices: phones, tablets, and other IoT (Internet of Things) devices.

Now, don't forget that somebody across the street, or in a nearby building, can use binoculars and telescopes to see screens and keyboards. Another term to know for the exam is "Watering Hole". This is a type of social engineering attack where the attacker leverages a compromised web server in order to target groups or associations in social networks. It's called a "Watering Hole" because only members of the targeted association are attacked while other traffic is left untouched.

Watering holes can be difficult to identify using traffic analysis since most traffic from the infected site remains benign. In general, all social networking sites can be a target of reconnaissance and social engineering attacks.