Difference between revisions of "Social Engineering"
From OWASP
Latest revision as of 18:58, 19 April 2007
Definition
An attack based on deceiving end users or administrators at a target site. Social engineering attacks are typically carried out by email or by contacting users by phone and impersonating an authorized user, in an attempt to gain unauthorized access to a system or application.
Examples
Example #1:
- An attacker, posing as a system administrator, sends an email to several users on a large network (like a college campus network) and asks them to, “Please change your password to ‘xyz123’ and then notify me when you've completed this.”
- The attacker then logs in as one of the users over the network.
- System bugs are then exploited to gain complete control of the system.
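As an added example (not part of the original OWASP page), a small Python filter that flags the kind of message in Example #1: a request to set a password chosen by the sender, a request to report back once it is done, and a sender or Reply-To domain that does not match an assumed trusted helpdesk domain. The two messages and the trusted domain are constructed for the example.

```python
import re
from email import message_from_string

# Constructed sample messages (not from the original page): the first mimics the
# scenario in Example #1, the second is a benign IT notice for comparison.
PHISH = """From: IT Helpdesk <helpdesk@campus-it-support.example>
Reply-To: attacker@mailbox.example
Subject: Mandatory password update

Please change your password to 'xyz123' and then notify me when you've completed this.
"""

BENIGN = """From: IT Helpdesk <helpdesk@campus.example>
Subject: Scheduled maintenance

Email will be unavailable Saturday 02:00-04:00. No action is required.
"""

TRUSTED_DOMAIN = "campus.example"  # assumed domain of the real helpdesk

# A password value dictated by the sender, and a request to report back.
SET_PASSWORD = re.compile(r"change your password to\s*['\"‘“]?(\S+?)['\"’”]?\b", re.I)
REPLY_WITH = re.compile(r"(notify|reply|confirm|send).{0,40}(password|completed)", re.I)


def addr_domain(header_value):
    """Extract the domain part of an address header such as From or Reply-To."""
    m = re.search(r"@([\w.-]+)", header_value or "")
    return m.group(1).lower() if m else ""


def score_message(raw):
    """Return the list of reasons a message looks like a social-engineering attempt."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    reasons = []
    if SET_PASSWORD.search(body):
        reasons.append("asks recipient to set a password chosen by the sender")
    if REPLY_WITH.search(body):
        reasons.append("asks for a reply confirming a security-related change")
    from_dom = addr_domain(msg.get("From"))
    reply_dom = addr_domain(msg.get("Reply-To"))
    if from_dom and from_dom != TRUSTED_DOMAIN:
        reasons.append(f"sender domain {from_dom} is not the trusted helpdesk domain")
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain")
    return reasons
```

A message that collects any reason should be routed to the reporting mechanism the Countermeasures section calls for rather than silently dropped, so users learn what the real process looks like.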
Countermeasures
- Educate staff
- Establish mechanisms for problem reporting and handling and make sure users know what those mechanisms are
- Identify security-related transactions that must be done in person
Related Attacks
References
Social Engineering: http://en.wikipedia.org/wiki/Social_engineering_(computer_security)#Quid_pro_quo