CSS 211 - Introduction to Network Security
Chapters 1 and 2, Introduction to Security, Malware and
Social Engineering Attacks
This lesson introduces the student to basic concepts about
the need for computer system security. Objectives important to this
- Securing information
- Definition of terms
- Types of attackers
- Formal structure of an attack
- Five classic defense methods
- Malware, definition and common types
- Social engineering: psychological and physical
Chapter 1 begins with some
anecdotes about security issues to impress the student with the need
for information system security. We might presume that someone who
signs up for this class has the idea that such needs exist already. The
author presents examples of several ways a computer system might be
attacked, compromised, or otherwise damaged. He makes the point that
information security is no longer a problem just for IT professionals.
All people living in an information rich society are subject to attacks
on their IT and financial assets.
- A virus or malware
program might be placed in some electronic device
that you would not normally consider a threat. Later, it could be used
USB sticks that accessed it, making the USB stick a carrier of the
virus for any computer it was plugged into later.
- The text discusses a classic "Nigerian email" scam,
also known as the Nigerian General or the Nigerian
Bank Manager scam. Current events being what they are (changes of
leadership in other countries, second half of 2011), I would expect
variations on this scam to include Libyan and Egyptian themes sooner or
- The text discusses booby trapped web pages;
These do not always wait for unwary web surfers, links to them are
often included in emails to potential marks (scam
victims). Web browsers and personal security programs are including
protection from such things, but they are a moving target.
- Specific web based scams use phishing
sites. The idea is to get an email recipient to go to a web page, or
use email to send sensitive information like login ID and password to
the scammer. The mark is supposed to believe that the scammer is
actually a trusted authority, like a bank, utility company, or other
service vendor. The web addresses used for these sites are often meant
to be temporary, so a definitive list must always be changing.
- Customer data is always at risk of being stolen by system
break ins. Watch the news for new developments.
- Identity theft is a common fear: you can get a rider for it
on your homeowner insurance.
- Theft of laptops holding secure information results in a
much worse loss than losing the hardware itself.
this version of the text, the author pauses to discuss some IT Security
related jobs. Larger companies and governmental agencies are likely to
employ people in each category, smaller companies are more likely to
consolidate security duties in fewer roles.
- Chief Information Security Officer - high level
administrator over the other roles, responsible for all security
- Security manager - runs one or more teams of security
- Security administrator - can be a person in charge of a
system, or a level of management as the text indicates
- Security technician - the actual worker-level position,
this role includes providing support to end users and to system
developers regarding security issues
The text also reviews security related certifications, and
reminds us that this book is specifically oriented toward the CompTIA
The text returns to the topic of attacks, and provides some
reasons it can be hard to defend against them:
- Speed of attack - interconnected computers pass viruses and
worms faster and faster
- Sophistication - attack traffic on a network can look like
any other traffic, the attack can morph (change) so it looks different
as time goes by
- Simple tools - attack tools are easily available and easy
to use: better tools means you don't have to be a good hacker to attack
a system well
- Vulnerabilities detected and acted upon - zero day attacks:
an attack on a system based on a newly discovered method or newly
Almost all viruses start out this way. Antivirus programs provide no
protection against new viruses until the analysts who write protection
and cleaning algorithms know about the virus.
- Lack of timely patching - Delays in patching known issues
software and firmware. Have you noticed that Microsoft, for example,
tends to put out patches and updates the 2nd Tuesday of every month?
How does that schedule strike you? Often enough, not often enough, or
- Distributed attacks - attacks that take place from many
computers at once, typically from already infected or compromised
- BYOD - companies frequently support the Bring Your Own
Device to work concept, which sounds like a money saver, but may
actually expose company data on an unsecured device
- User confusion - the average user does not have a clue
whether a security question on a screen is important, much less what
the right answer to it might be (The current process is trying to make
a change to your system. Do you want to permit this?)
The text turns to a series of definitions that may not seem to
apply to all cases. They are general definitions,
a starting point to consider what we are working with and working
- information security - the text starts by saying this means
guarding digital information. We should
remember that some information is also stored on paper, in photographs,
and in other media that also need to be protected. The focus of this
text seems to be digital information, but the author would surely agree
the other media should be secure as well.
- The text also says that security can be viewed as the
processes used to defend against attack or as the theoretical result of
those processes, the state of being secure.
- The text observes that the more
secure a system or device
is made, the less convenient
it is to use that system or device. This
is often seen when rules about passwords change. Users who are forced
to use more complex passwords often find some way to remember the
password that exposes it to theft (e.g. written on a post-it note).
The author discusses the idea that a security program cannot
guarantee freedom from attack. The goal is to eliminate or minimize
damage from attacks that take place. He provides a justification for
providing such protection: to maintain the value of information. He
says that there are three aspects of information that are typically
protected (CIA) and adds three more (AAA):
- confidentiality - information is accessed
only by those who are meant to access it
- integrity - information is correct, and
has not been altered except by authorized persons
- availability - information is accessible
- authentication -
proving the identity of a user/requester
- authorization -
providing access to specific assets and resources
- accounting -
providing an auditable trail of events
The text provides a rather long formal definition
information security, and adds
three more concepts, three entities that provide protection: products, people, and procedures are what provide
the protection. The Products
category refers to hardware and software such as
firewall devices and authentication software. People would primarily be
whoever installs and uses security products. Procedures means plans,
policies, and actual steps carried out by those who use information, as
well as by those who protect it. I think it is a bit of a reach to have
the formal definition include three attributes of information, three
ways it is used in a system, and three entities that protect it. This
is likely one of those certification question points that we just have
to accept as worded the way it is worded, and we aren't allowed to
The text moves on to discuss more vocabulary, illustrated by a
story about a woman who wants to put a new stereo system in her car.
The story is useful, but not necessary to understand the terms.
- asset - information that we care about
- threat - a potential form of loss or
damage; many threats are only potential threats
- threat agent - a vector for the threat, a
way for the threat to occur; could be caused by a person, an event, or
running an attack
- vulnerability - a weak spot where an
attack is possible or more likely to succeed
- exploit - a method of attack; the text
calls the act using an exploit to attack through a vulnerability using
a threat vector
- risk - the probability of a loss; risk can
be managed in five classic
ways: avoidance, acceptance, mitigation, deterrence, and transference
The next section of the text lists several goals
of information security that could also be considered as benefits
- preventing data theft - prevention of loss is an obvious
benefit of a working security system
- preventing identity theft - this is not necessarily
different from the first bullet, since identity information is one kind
of data; stolen identity information, however, has a more personal
effect on the victims than the simple theft of other corporate data,
and provides a means to defraud each victim multiple times
- avoiding legal consequences - those who do not protect
their data may be subject to legal charges; the text has a list of
several applicable state and federal acts in the US:
- HIPAA (Health Insurance Portability and Accountability
Act), prohibits disclosure of protected health data, with penalties up
to $250,000 and 10 years in prison for trying to sell it
- Sarbox (Sarbanes-Oxley Act of 2002), a reaction to
corporate fraud and corruption. It provides penalties up to $5,000,000
20 years in prison for officers who file false corporate reports.
- GLBA (Gramm-Leach-Bliley Act), protects consumer data
at banks and financial institutions, provides penalties up to $500,000
for unauthorized disclosure.
- USA Patriot Act of 2001, authorized law enforcement
agencies to obtain documents and data if they have a court order,
subpoena, or other authorization; provides several penalties for
- California Database Security Breach Act of 2003, the
first state law requiring that businesses notify state residents within
48 hours of experiencing a data breach of specific personal information
data (other states have enacted similar laws).
- COPPA (Children's Online Privacy Act of 1998), federal
act that requires entities to get parental permission before
collecting, using, disclosing, or displaying data about children under
13 (no penalties stated in the text).
- maintaining productivity - prevention saves the effort
(time and cost) that a successful attack would incur.
The text implies that in the case of an attack, you should estimate
that it will take about 1% of your total staff to combat the attack.
The cost of virus attacks includes cleaning cost, loss of productivity,
and loss of revenue. Follow this link to a list of ten famous
and expensive viruses.
- foiling cyberterrorism - the potential for terrorists to
disrupt a national infrastructure includes disruption of health and
emergency services, power, communications, and commerce.
The text discusses some categories used to
- One of the buzzwords of computer system geeks,
this one can mean anything; it is generally accepted to mean someone
with more skill than an average user, may be a white hat (good guy) or
black hat (bad guy). A hacker may break in to a system for a thrill, to
show off, or to cause some kind of damage. The text also throws in the
concept of a gray hat, a hacker who will find a vulnerability and
announce it to the public instead of telling the vulnerable institution.
- script kiddies - attackers who use hacking tools that they
don't really understand
- brokers - hackers who find vulnerabilities and sell the
information; the text says "to the highest bidder" but the information
may actually be sold multiple times
- spies - computer attackers who are looking for specific
data from specific systems
- employees/insiders - Computer security includes the concept
protecting data from people who aren't authorized to access it. What
about protecting it from authorized users who want to give or sell it
to someone else? What about authorized users who give out their
password because someone asks for it? What about users who are no good
at protecting their secrets?
- cybercriminals - The text has a longer discussion of this
category. The bottom line is that they are after some financial gain.
This could be data they can sell, actual fund transfers, or theft of
- cyberterrorists - A cyberterrorist is defined as a system
attacker whose motivations are ideological.
- hacktivists - hackers who disable or deface a web presence
to make a political point
- state sponsored attackers - government supported attackers
(who may work for an agency or an armed service of that government)
The text lists seven steps
that an attacker may follow in
preparing for and carrying out a computer system attack:
- Probe for information - look over the target and find
potential weak spots; for example, look for open ports on servers
- Weaponize - create an exploit based on what you found
- Delivery - penetrate defenses; actually stage the attack,
email, attempted login, or other means
- Exploitation - execute the element that was delivered to
- Installation - may mean to install a back door for future
entry, or to put code in place for execution
and control - optional step, the exploit code contacts the attacker to
begin a download or to provide a control interface
- Actions on objectives - the attack harvests data, does
damage, creates a zombie, or whatever the attacker wished to accomplish
Consider that not all attackers will follow all of these
steps. Some would damage a system without making a back door for later,
some would explore a system but never damage it, and others might steal
data to make public what the data owners would rather be secret.
The author also gives us five
defenses against attacks.
- layering - the author spends more time with metaphors than
with examples; the point is just that a security solution will have
multiple layers, requiring an attacker to get through several kinds of
protection before accessing data
- limiting - it is a standard feature of most databases that
the designer can restrict users to specific views of the data, letting
them see only what their role requires, letting only specific
authenticated users modify or add information to the data files;
network security can be like this as well, offering only role or user
specific views of data, only allowing limited changes by specific users
- diversity - diversity should be part of the layering
concept, but that would mean we would need another bullet; diversity
means that each layer of security is different in some way from the
other layers, so an attacker will not be able to use the same exploit
to get through all the layers
- obscurity - this means that the inner workings of the
system should not be described or stated where a potential attacker
could access that information; As a network system user, this is one of
the more irritating aspects to me. Consider passwords. The network
tells me my password will expire, and offers me a chance to change it
now. I offer it a new password, and it replies that the new password is
too short. I offer another one, and it tells me I haven't used enough
complexity (upper case, lower case, numbers, and symbols: use at least
one from at least three types). I offer another, and it tells me I
can't use a password I used as recently as 10 changes ago. You see the
pattern? Let there be rules for using the system, but the user is not
made aware of the rule until it is violated. In the case of securing
the system from attackers, the attacker is not told any of these rules
when they are trying to guess a password.
- simplicity - let the system be simple to administer, but
hard to hack
Chapter 2 is titled Malware and
Social Engineering Attacks. It begins with an article that describes
one sort of social engineering attack. The attackers (actually
researchers) created accounts on Facebook and LinkedIn for a
fictitious, attractive, female MIT graduate who supposedly worked in
the IT security industry. The key to this approach was to make the lure
believable, and to gain trust, and to ask for nothing at first.
Eventually, male employees at a targeted security agency clicked on a
link that loaded an executable to their computers, and the researchers
gained access to the targeted system. It is interesting that when the
project was tried in reverse, posting accounts with a fictitious male
lure in search of female responders, there was no success. Perhaps the
male lure should have been constructed by female researchers, or maybe
the male employees who were duped should learn some things about women?
The author explains that most successful attacks contain
elements of malware and social engineering. He states
that "tricking the users into performing a compromising action" is the
most cost effective approach to staging an attack. The story at the
start of the chapter is not just entertaining. It is a cautionary tale,
which should impress would-be professionals with the fact that they
should act like professionals.
The term malware is introduced in this
chapter. It means any
software that does something harmful to a system. The text breaks
malware into types by several methods. The author remarks that malware
is often detected by its signature, the way its files
are named, coded, or deployed. Malware authors know this, and have
taken three approaches to avoiding this kind of detection:
- oligomorphic - the program contains
several versions of its code, each a bit different from the others;
each time it executes, it can use one of these different versions of
itself, but it will eventually repeat a version
- polymorphic - the deployed version of the
malware contains code that is scrambled/encrypted/camouflaged, that
must be unscrambled before it is executed; in this way, the deployed
package does not resemble the actual attacking package
- metamorphic - the package rewrites its
code when it is executed, making a new version of itself each time that
will not be identical to known versions
The author then discusses malware at length, based on whether
it falls into one of three (four?) types, which are
based on the objectives the malware follows: circulating/infecting
a system, concealing its actions, or bringing profit
from its actions by its payload.
The text lists circulating and infecting as two types of
malware, but they are discussed as one. Infecting software is divided
into viruses, worms, and Trojans.
A virus typically
requires a carrier to infect a system, like an email, an instant
message, or a program that the user runs. A virus typically has two
tasks: replicate and damage. Some viruses have historically been rather
benign, just displaying a message to the user. The ones that cause
damage to a system are categorized by the method they use or the damage
- appender - an older type that writes its
malicious code to the end of an existing program (appends to it), and
places an instruction at the beginning of the program that skips all
the original program code, and executes the virus code instead of the
desired program code; this is also called a file infector
The text offers two variants on this type:
swiss cheese infection - the virus code is
encrypted until it is run, and the decryption engine (code)
is stored in several segments in the infected file
split infection - the virus code is
encrypted, like the version above, but the entire malware
program is broken into pieces, stored in various file
segments, and linked together when needed
Earlier versions of the text also listed these virus types:
- resident (aka terminate and stay resident)
virus - loads into RAM, then does its damage based on actions the user
takes through the operating system
- boot virus - infects the Master Boot
Record of a hard disk,
which means the virus will load and run the next time the hard drive is
used to boot the computer; typically the virus will trash the hard drive
- companion virus - found more on
pre-Windows systems, loads
a program with a name similar to that of a real program, but with a
preferred extension so the companion (malware) program is run when the
user tries to run the real program from a command line; this seems like
it might have a resurgence in Windows Server 8 which has more command
- macro virus - a script virus that is
typically placed in a
Microsoft Office file
Virus protection programs typically recognize viruses by signatures,
the way they look. This recognition method is complicated by metamorphic
viruses that change the way they look over time, and polymorphic
viruses that change their signature and their encryption methods.
Worms are described on page 57. The text
tells us a major difference between worms and
viruses: once it is
started, a worm can replicate itself across connected computer systems
without further human interaction. It does not need a carrier. A worm
can attack any running
computer that is connected to a network that an infected computer is
on: it does not require cooperation from the user. Worms are more
dangerous due to their self driven nature. Once a worm is detected in a
system, each device on the network must be scanned for it, cleaned if
necessary, and prevented from accessing the network until this is done.
Trojan horse programs are named for the myth of a wooden horse
that was used to smuggle Greek soldiers inside the walls of Troy. A
program of this sort has two aspects: what we are told
it does, and
what it actually does. In some cases, Trojans
what they say, but they also have a hidden malicious purpose which is
what puts them in this category. A classic ploy used by Trojans is to
pretend not to be a program at all. The text gives an example of a file
that has a .exe extension, but the characters .docx occur in the name
immediately before it. If a Windows computer is using the default
(idiotic!) configuration, the actual .exe extension will be hidden
from the user, and the user may think it is only a Word document.
The text discusses one type of malware whose first concern is
remaining hidden from the user and from security personnel:rootkits.
At first, a rootkit sounds like a resident virus that replaces
operating system files with its own. There are similarities, but one
difference is that a rootkit is much more extensive,
and another is that the rootkit obtains elevated privileges
to carry out its stealth actions. The resident virus
may replace one program on the computer, which will
then do some harm to the system. The rootkit opens a door for lots
of malware. How?
Have you ever seen a movie about a robbery in which the
robbers send false information to security staff
(like a video loop) that shows all is well, while the robbers proceed
to steal whatever they want? That's kind of what a rootkit does. The
rootkit assumes the role of a trustworthy part of the operating system.
It will stand between the user and security
software on one side, and other malware doing
whatever it wants on the other.
The intention of the rootkit programmer may not be
malicious. Of course, that is possible with any program, but our
concern here is about malware. The text discusses the example of Sony,
who in 2005
put a rootkit installer on several of their audio CDs. The rootkit had
the goal of
preventing computer users from copying those CDs. Sony's intent was not
malicious, but their rootkit changed a PC without the user's consent,
and it made
the PC vulnerable to security exploits. The first is just wrong, and
the second is worse. As the saying goes, the road to hell is paved with
Detection and removal of a rootkit can be difficult, but it is
worth trying before following the text's scenario of formatting
the hard drive and starting over. The Sophos
company, for example, has a free
download that is supposed to be good at finding
and removing these problems. Here is another
one from Kaspersky.
Students should do an internet search for tools from the vendor of
Privilege escalation is a technique, not a
type. The technique is commonly use by system administrators. They log
in to networks with an ID that has normal privileges on the system, but
they execute administrative tasks with an ID that has elevated
privileges. Of course, these are authorized users who are supposed to
do such things. When malware does this, it may do it
in one of two ways. It may use an exploit to escalate
its own privileges, or it may access the privileges
of another account which are greater than its own.
Malware for Profit: Malware Noted by Its Capabilities
The text discusses some major and minor types in this
category. The first is Spyware, described on page 60.
defined as software that violates a user's security.
More informatively, the text says that spyware typically has one of
four missions: to install other software without the
user's consent, collection of personal information
such as browsing history, changing configuration
settings, or collection of private information for sale
or for the commission of fraud. The text proposes
that if other software did what spyware
does with the user's permission, that software would not
be spyware. So the issue is not what it does, as much as the fact that
it is done in secret, without the user's "notice, consent, or control".
A subcategory of spyware is keyloggers. Keyloggers
can be implemented through hardware or software.
The idea is that the program (or device) captures every key press the
user makes, which can be analyzed later for by someone who reads the key
log. Obviously, capturing IDs and passwords would be one use
of such a product. Keeping a log of all activity on a computer would be
another. Some viruses contain a key logging function which sends its
log to the virus originator.
The chart on page 60 lists effects that spyware can have on a
computer. Several of these items seem to be less related to spying than
to leading the user to particular products and resources. As such, I
would consider "spyware" to be an inappropriate label for the category.
A better label is the next subcategory the text talks about, adware.
As its name suggests, adware
is concerned with presenting advertisements to the computer user.
Adware is universally disliked. At best, it presents an interruption or
a distraction to the user. At its worst, it can crash programs or the
On page 62, the author discusses ransomware,
which is described as software that disables or locks your computer
until you pay a ransom to the hacker who created or exploited your
computer with it.The infecting program may pretend to be from a
government agency, an anti-virus company, or some other recognized and
trusted source, which convinces a small percentage (3%) of computer
users that they should pay the requested fee to have their computers
cleaned of the "detected problem".
Deleting data is another common payload
capability. The text mentions logic
bombs on page 64, another type of concealed malware, as an
example of malware that will delete data. A logic bomb
is not a bomb. It is malware
that waits for a logical condition to occur before it
executes its mission. A classic case was the Michelangelo
virus that only executed on the birthday of Michelangelo Buonarroti
(which, as everyone knows, is March 6th). In other examples,
some act like "dead man switches", where the malware
engages if it is not regularly reset, or if a person's ID is removed
from a network. A logic bomb can be hidden in a much larger program,
making it difficult to find. It is also possible for a logic bomb to
take actions other than deleting files.
Another payload effect is modifying
system security. Disgruntled system
administrators have been known to leave logic bombs in their own
systems set to change security settings if they are not removed or
reset by an arbitrary date. The intention is to disable the system if
the administrator is not allowed to continue to manage the system. When
a modification program is placed on a system by an attacker, it is more likely being
done to open a back door, a
account that has elevated permissions which will give the attacker all
desired access to the system.
The text notes that program developers may install back door
access for themselves, to be used while the system is being developed
and debugged. This is not malicious. It is an efficient means to
access, repair, and improve the system. These back doors are not
commonly left in place in the deployed versions of the programs, but
they may be, which presents a vulnerability to attack.
The last payload category is one that will launch an attack. As a current
example, the text discusses the concept of a botnet.
been around for a while, but it is a refinement and step back from the
others at the same time. A botnet is a network of computers that have
been infected, turned into robots (aka zombies),
that can be used for any kind of attack.
The refinement is the creation of a network of infected machines on one
mission. The step back is the brute force aspect of the attacks. The
attacker (the bot herder) does not depend on finesse
or subtlety, he uses more points of attack to meet his goal. Four types
of botnet attacks are listed on page 66.
- spam - Botnets can follow a script to send spam faster than
an individual system can.
- spreading malware - When an infection is being spread by a
coordinated attack from a botnet it is much harder to stop.
- poll (election) manipulation - Each zombie pretends to be
one or many devices, changing the results of online voting.
- denial of service - Any network can be disabled by too many
requests, which is an easy attack for a botnet to stage.
Social Engineering Attacks
text returns to social engineering on page 66. It begins with another
story about people simply asking for access to a building and an
office, and making a request for a password change. A primary aspect of
social engineering is all about asking people for information they see
no reason to keep secret.
The table on page 67 lists six attitudes/approaches the
social engineer might take when making a request for a password change.
- authority - pretend to be someone who has the right to make
- intimidation - in an oppressive environment, it may be easy
to use fear of what would happen if the request is not granted
- consensus/social proof - tell a believable lie that others
have granted this request in the past
- scarcity - tell the victim that you are short on
time, or you have to get this before it can't be done
- urgency - tell the victim that you need this right
now, and that you will complete the red tape later
- familiarity/liking - act like one of the family, especially
one who appreciate the work the victim does for the company
- trust - use details about the organization to make it seem
like you are a part of it
Someone who is practiced in manipulating people may be able to
choose between these approaches easily, based on the attitude of the
person on the other end of the phone, email, or messaging application.
The text mentions that basic information about target or a
work site may be obtained from documents on a public facing website, a
Facebook site, unshredded trash, or a phone call to the right person.
More advice is offered on page 68:
- ask for a little information from each of several people,
building your required knowledge base without alerting the victims
- ask for what the victim is likely to be able to provide;
don't ask for something inconsistent with the victim's job or role
- be pleasant and flattering, but in moderation
- don't ask for so much that it raises suspicion about you
- asking for help often triggers sympathy, thanking the
victim helps them believe they have done something good
The text continues with a discussion of several other
approaches under this heading.
- impersonation - An attacker might impersonate anyone who
might seem to belong in the environment being surveilled or attacked.
It is common to impersonate a help desk employee when calling a victim.
It is also common to impersonate an employee, a delivery person, or a
repair person when the ploy calls for infiltrating a site.
- phishing - Phishing is the solicitation
of personal or company information, typically through an official
looking email. Some
variations on phishing:
- spear phishing -
sending the email to specific
people, customizing it to look
like a message sent to them by an entity with some of their personal
- whaling - This is spear phishing but it focuses on big (wealthy or data rich) targets.
- sending an email that takes the person dddirectly to a web site (the
phisher's site) instead of asking the reader to follow a link
- Google phishing
- the phisher sets up a fake search engineee that will send people to the
phishing web site on specific searches (presumably it returns real
search results on searches that would not lead to a page the phisher
- The section on spam, unsolicited email, seems out of place in this
discussion. Most spam may only be looking for a customer, but some spam
is sent with the intent to steal, abuse, and sell the payment
information that a person might volunteer to provide.
- hoaxes - In
the larger sense, all social engineering involves a hoax of some kind.
First the grifter finds a mark, then he tells the mark the tale, and
offers the deal. In the sense that the text means here, a hoax is
distraction from reality, such as when the attacker pretends that there
is a virus outbreak that is affecting the potential victim. It sets the
idea in the victim's mind that the attacker is trying to help and
should be assisted in his/her efforts.
- typo squatting
- Most people are not great typists. The tttext explains that this is why
other people (the bad ones) register domain names that are similar but
not identical to real domains. They are hoping that the bad typists
among us will misspell a URL and find ourselves on their site instead
of the one we wanted, where we might volunteer information by trying to
log in with credentials that can then be abused, sold, or ransomed.
This technique is also called URL hijacking by the text.
- watering hole attack - The attacker determines that
targets in the company/agency often visit a particular web site, called
the watering hole in this scenario. It may be easier to infect that site than to attack the individuals directly, and then to take advantage of the real target.
- dumpster diving
- Attackers doing research on a company caaan learn a lot from the trash
the company discards. The text provides a table on page 73 with seven
suggestions about things to look for in a target's trash.
- tailgating -
The concept behind tailgating is simple. Someone who does not have
authorization to pass through a secure entry point will gain access by
simply following an authorized person through it, or by waiting for the
door to open as someone exits through it. This might be done with or
without the knowledge or cooperation of the authorized person.