Footprinting and Social Engineering – Chapter 4

Footprinting is the process of finding information on a company’s network. An important concept is Footprinting is passive or nonintrusive it is not breaking the law. The sites listed below are available tools for Footprinting.

Competitive intelligence is discovering as much as possible about a business in a legal manner. As a security professional one needs to have a good understanding of what competitors are seeking and be able to communicate this to their client.

Network attackers often discover critical data about business in various ways. They analyze company web sites, use HTTP basics, and in some cases uses E-mail addresses that are listed in a DNS output. Some other techniques are detecting cookies, web bugs and using Domain Name System (DNS) zone transfers all explained in the chapter.

Social Engineering has been around for long time it is the skill of using knowledge of human nature to get information from people. There are several different techniques that are used they are: Urgency, Quid pro quo, Status quo, kindness, and Position. Two other methods that play off of social engineering  are phishing and spear phishing. Both means send e-mail requesting information. With phishing the individual does not know the sender whereas with spear phishing the recipient potential knows the sender. These approaches can be very effective in obtaining all kinds of data regarding a company’s network.

The art of Shoulder Surfing, Dumpster Diving and Piggybacking are somewhat more aggressive in their approach of gaining information about a business. Shoulder Surfing is basically looking over someone’s shoulder and watching what they are typing. Piggybacking is following somebody into an unauthorized area again with the intent of securing guarded information. Dumpster Diving is just what it states rummaging through the refuse to find pertinent data about a business.

The Security professional must have the where with all to stop these potential vulnerabilities from being exploited and jeopardizing his client’s security.