Social Engineering & Physical Security
1. Social Engineering (The Art of Deception)
Social engineering is about manipulating people into giving up confidential information or access. Attackers use psychology rather than software exploits.
Phishing: Sending fraudulent emails to steal credentials.
Spear Phishing: Targeted at a specific person or group.
Whaling: Targeted at high-level executives (the "big fish").
Vishing: Phishing over the phone (Voice Phishing).
Tailgating: Following an authorized person into a secure building without scanning a badge.
Dumpster Diving: Looking through trash for sensitive information (passwords on sticky notes, bank statements).
Shoulder Surfing: Looking over someone's shoulder while they type a password or PIN.
- Physical Security Controls
How we stop people from physically touching our servers or entering our offices.
Bollards: Short, sturdy vertical posts used to prevent vehicles from ramming into a building.
Mantraps: A small room with two doors. The first door must close before the second one opens, preventing unauthorized "tailgaters" from entering.
Faraday Cages: An enclosure used to block electromagnetic fields (preventing people from "sniffing" Wi-Fi or cellular signals from outside).
Biometrics: Using physical traits (fingerprints, retina scans) for access.
- Environmental Security
Protecting the hardware from nature and accidents.
HVAC: Heating, Ventilation, and Air Conditioning. Keeping servers cool is critical to prevent hardware failure.
Hot and Cold Aisles: A data center layout where server racks are arranged so that the front (air intake) and back (exhaust) faces are grouped together to manage airflow efficiently.
Fire Suppression: Systems like FM-200 or other Halon alternatives that put out fires without using water, which would destroy the electronics.
Detailed Breakdown
- Social Engineering: The Psychology of a Breach
Social engineering exploits human weaknesses like trust, fear, or the desire to be helpful.
Phishing & Its Variants:
Phishing: Mass-distributed emails.
Spear Phishing: Highly customized to a specific individual or organization.
Whaling: Aimed at "C-suite" executives (CEOs, CFOs) to authorize large wire transfers.
Vishing (Voice): Using phone calls to impersonate IT support or bank staff.
Smishing (SMS): Phishing via text message, often containing a "malicious link" regarding a package delivery or bank alert.
Influence Tactics:
Urgency: "Your account will be deleted in 2 hours!"
Authority: "I am the Director of IT and I need your password for an emergency audit."
Social Proof: "Everyone else in your department has already signed this form."
- Physical Security: The "Layers" Defense
Physical security uses the Defense in Depth strategy, moving from the perimeter to the internal assets.
The Perimeter:
Fencing: Deterrent and delay mechanism.
Bollards: Physical barriers to stop vehicles from reaching the building entrance.
Lighting: Reduces hiding spots for intruders.
Entry Points:
Mantraps: Prevent tailgating by locking one door until the other is closed.
Turnstiles: Often used with badge readers to ensure only one person enters at a time.
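The mantrap interlock rule above (one door may not open while the other is still open) as an added example, not code from the original notes: a simplified two-door model in which the inner door also requires a badge from an assumed allow-list, so both a held-open outer door and an unauthorized badge are refused.

```python
from enum import Enum


class Door(Enum):
    OUTER = "outer"
    INNER = "inner"


class Mantrap:
    """Two-door interlock: at most one door is open at any moment, so a
    tailgater cannot walk straight through behind a badge holder.
    Assumed simplified model: the outer door opens freely, the inner door
    needs a badge on the allow-list (badge IDs below are constructed)."""

    def __init__(self, authorized_badges):
        self.authorized = set(authorized_badges)
        self.open_door = None   # which door is currently open, if any
        self.log = []           # audit trail of every decision

    def request_open(self, door, badge=None):
        # Interlock rule: refuse while the other door is still open.
        if self.open_door is not None and self.open_door != door:
            self.log.append(f"DENY {door.value}: {self.open_door.value} still open")
            return False
        # Inner door additionally requires an authorized badge.
        if door is Door.INNER and badge not in self.authorized:
            self.log.append(f"DENY {door.value}: badge {badge!r} not authorized")
            return False
        self.open_door = door
        self.log.append(f"OPEN {door.value}")
        return True

    def close(self, door):
        if self.open_door is not door:
            return False
        self.open_door = None
        self.log.append(f"CLOSE {door.value}")
        return True


def normal_entry(trap, badge):
    """Expected sequence: outer opens and closes, then inner opens with badge."""
    return (trap.request_open(Door.OUTER) and trap.close(Door.OUTER)
            and trap.request_open(Door.INNER, badge) and trap.close(Door.INNER))


def held_door_is_refused(trap, badge):
    """Outer door held open while the inner door is requested: must be denied
    even with a valid badge, because the interlock never opens both at once."""
    trap.request_open(Door.OUTER)
    denied = not trap.request_open(Door.INNER, badge)
    trap.close(Door.OUTER)
    return denied
```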
The Server Room:
Faraday Cages: Shield against electromagnetic interference (EMI) and prevent signal leakage.
Fire Suppression: Uses inert gases (like FM-200) to remove oxygen or heat from the fire, rather than water, which would damage the electronics.
