Social Engineering In Professional
Information Gathering:
Information gathering is the process of collecting information from a variety of sources for a variety of reasons. Learning to develop effective information-gathering strategies will help you in a number of different ways.
Process of Gathering Information:
There are many different ways to gain access to information on an organization or individual. There are options that require no more equipment than a voice, options that only require a phone, and still others that require sophisticated gadgets. Some of these options require technical skills while others require the “soft skills” of human hacking. Some options can be used from any location with Internet access and some can only be done in person at a specific location.
Traditional sources are typically open, publicly available sources of information that don’t require any illegal activity to obtain. Non-traditional sources are still legal but less obvious and often overlooked information sources, such as dumpster diving. It’s possible such sources can provide data that a corporate security awareness program wouldn’t or couldn’t take into account. Lastly, there are illegal ways to obtain information such as malware, theft, and impersonating law enforcement or government agencies. As you can imagine, this last category is touched on throughout the framework with care, as we only support legal activities conducted within the context of a sanctioned penetration test.
A social engineer can combine many small pieces of information gathered from different sources into a useful picture of the vulnerabilities of a system. Information can be important whether it comes from the janitor’s or the CEO’s office; each piece of paper, employee spoken to, or area visited by the social engineer can add up to enough information to access sensitive data or organizational resources. The lesson here is that all information, no matter how insignificant the employee believes it to be, may assist in identifying a vulnerability for a company and an entrance for a social engineer.
a) One-on-One Interviews:
The most common technique for gathering information is to sit down with the clients and ask them what they need. The discussion should be planned out ahead of time based on the type of requirements you’re looking for. There are many good ways to plan the interview, but generally you want to ask open-ended questions to get the interviewee to start talking and then ask probing questions to uncover requirements.
b) Group Interviews:
Group interviews are similar to the one-on-one interview, except that more than one person is being interviewed, usually two to four. Group interviews require more preparation and more formality to get the information you want from all the participants. You can uncover a richer set of requirements in a shorter period of time if you can keep the group focused. These interviews work well when everyone is at the same level or has the same role.
c) Facilitated Sessions:
In a facilitated session, you bring a larger group (five or more) together for a common purpose. In this case, you are trying to gather a set of common requirements from the group in a faster manner than if you were to interview each of them separately.
d) Joint Application Development (JAD):
JAD sessions are similar to general facilitated sessions. However, the group typically stays in the session until the session objectives are completed. For a requirements JAD session, the participants stay in session until a complete set of requirements is documented and agreed to.
e) Questionnaires:
Questionnaires are much more informal, and they are good tools to gather requirements from stakeholders in remote locations or those who will have only minor input into the overall requirements. Questionnaires can also be used when you have to gather input from dozens, hundreds, or thousands of people.
f) Prototyping:
Prototyping is a relatively modern technique for gathering information. In this approach, you gather preliminary requirements that you use to build an initial version of the solution, a prototype. You show this to the client, who then gives you additional requirements. You change the application and cycle around with the client again. This repetitive process continues until the product meets the critical mass of business needs or for an agreed number of iterations.
g) Use Cases:
Use cases are basically stories that describe how discrete processes work. The stories include people (actors) and describe how the solution works from a user perspective. Use cases may be easier for the users to articulate, although the use cases may need to be distilled later into the more specific detailed requirements.
h) Following People Around:
This technique is especially helpful when gathering information on current processes. You may find, for instance, that some people have their work routine down to such a habit that they have a hard time explaining what they do or why. You may need to watch them perform their job before you can understand the entire picture. In some cases, you might also want to participate in the actual work process to get a hands-on feel for how the business function works today.