Security+ Social Engineering and Secure Coding Concepts
Chugging along with my Security+ studying, I'm a little under a month out from test day. To be honest I've slowed down a little, but I haven't stopped. I took another practice exam and it was tougher than the last two that I took, and I ended up with a 75%. Some of the questions were on things that I knew nothing about, and others were just silly mistakes. I'm still confident in my ability to get to that coveted 90% that I'd like to reach before exam day. It's just a matter of persistence. On to the topics that I've been learning.
As a self-proclaimed introvert, social engineering is a fascinating topic to me. Leveraging social interaction/normality to gain access to systems and data is a clever trick indeed. Sometimes I listen to the podcast Darknet Diaries, and one of my favorite episodes is called 'Jeremy From Marketing'. It details a pen test where the tester was placed in the marketing department of a company and given basic access to the network as well as the facilities in order to test against insider threats. There were a couple of things he did in terms of social engineering that I thought were interesting. For instance, when he first got to the company he was testing, he walked around a lot, made his presence known, and tried to talk to as many people as possible in order to familiarize himself around the office. This served the purpose of lowering the guard of the employees so they wouldn't see him as a suspicious character, and allowed for easier movement around the office to get a better look at things like where a server room is located or something along those lines.
Later in the episode he found himself in a situation where he needed to gain access to a server through Citrix, but it had multifactor authentication enabled. This means that though he had harvested credentials for the user he needed to sign on as, he still needed the code that would be texted to them in order to log on. The tester did have access to the username, password, and the last four digits of their phone number. The tester was able to get the full phone number by searching for emails from them and seeing it in the signature at the bottom of their emails. He mounted a social engineering attack where he called the person, claimed to be in IT and 'migrating their Citrix account', and needed them to read him the six-digit PIN that he had sent to them. But the most brilliant thing that I think he did was at the end of the call, reassuring the user by saying 'just so you know, we'll never ask for your password'. I think that's a fantastic way to convince the user to trust you. After all, what's this random six-digit PIN compared to my password? Anyway, the user told the tester the PIN that was sent to her, and he was able to gain access to the Citrix instance. It's a beautiful example of social engineering at work.
One of the other topics that I'm learning about is secure coding concepts. This one is a little tricky to me considering I'm not a dev, but as someone who's written a few scripts that run as scheduled tasks, some of them were things that I already knew. For instance, there was the obvious concept of not putting plaintext passwords in your code, but then there are ideas like using source version control like git and having static code analysis. All in all I think that it won't be a huge portion of the exam. It's interesting to note that I've had the opportunity to do some fuzzing of web apps on platforms like hackthebox and tryhackme. :)
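To tie the two ideas above together (no plaintext passwords in scripts, and static code analysis that catches them), here is an added example, not code from the original post: a tiny static check that scans a script for credential literals, run over a constructed scheduled-task style script and its fixed version that reads the secret from the environment. The variable names, hostnames and secret values are all made up for the demo.

```python
import re
from typing import List, Tuple

# Matches assignments like PASSWORD = "..." or db_api_key = '...'. The name group
# keeps any prefix (db_, smtp_) so "db_password" is reported, not just "password".
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(?P<name>[A-Za-z_]*(?:password|passwd|pwd|secret|api_key|apikey|token))"
    r"\s*=\s*(?P<quote>['\"])(?P<value>[^'\"]+)(?P=quote)"
)


def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for every credential stored as a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if match and match.group("value").strip():
            findings.append((lineno, match.group("name")))
    return findings


# Constructed sample: a report-mailing script with the password sitting in source control.
BAD_SCRIPT = '''
import smtplib
SMTP_USER = "reports"
PASSWORD = "hunter2"  # constructed value; this is the defect the check should flag
server = smtplib.SMTP("mail.example.test")
'''

# The same script with the credential injected by the task scheduler's environment instead.
GOOD_SCRIPT = '''
import os, smtplib
SMTP_USER = "reports"
PASSWORD = os.environ["SMTP_PASSWORD"]  # no literal in the file, nothing to leak via git
server = smtplib.SMTP("mail.example.test")
'''

if __name__ == "__main__":
    for label, src in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        print(label, find_hardcoded_secrets(src))  # bad [(4, 'PASSWORD')] / good []
```

A real static analyzer does much more (entropy checks, tokenizing rather than regex), but this is the same idea: the check runs before commit so the secret never reaches version control.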