Pass CompTIA Security+ Certification Exams in First Attempt Easily
Latest CompTIA Security+ Certification Exam Dumps, Practice Test Questions
Accurate & Verified Answers As Experienced in the Actual Test!
- Premium File: 754 Questions & Answers (last update: Dec 1, 2023)
- Training Course: 201 Lectures
- Study Guide: 920 Pages
Social engineering techniques
2. Dumpster diving and shoulder surfing
In this video, I'm going to be talking about shoulder surfing and dumpster diving. Let's get started. So shoulder surfing is pretty easy. It's something you've probably done yourself and are probably guilty of doing: being a nosy person who looks over someone's shoulder and steals their private information, maybe off their phone or off their laptop. I do this to my wife a lot. When she's sitting on the chair and I'm walking by, I may just glance over and see what she's watching on the phone. Sometimes I'm on the train or I'm going somewhere. I remember taking the Amtrak, and this is a true story, okay. I was taking the Amtrak one day, in business class, going from New York to Washington, DC. And this gentleman sitting next to me works for a big accounting company that I will not name. He has his laptop, and he's working on accounts, and I can literally see everything that he's typing: big-screen laptop, nice and bright. He can see it. I can see it. This is a great thing. I didn't really look at it long, but I was telling myself, "Man, the people in the IT department really need to train this guy on security." Basically, that's shoulder surfing. So shoulder surfing is looking over someone's shoulder in order to steal information from them. How do you solve this? The answer is using privacy screens and user training. When users are looking at private information on their devices, they should be aware of what's around them and familiar with their environment: who's looking, what cameras are facing where, and whether they are looking at especially confidential information.
If they are going to be in a spot like that, you've got to get these really dark privacy screens. Privacy screens are advantageous because they conceal the laptop screen from onlookers. Let's take a look at some privacy screens. Let's go get some privacy screens. So we're going to search for "laptop privacy screen." Here we go. And remember, I'm just doing this for a laptop, but you can actually click on the first one here from Amazon, and you can get privacy screens for your phone. You can get privacy screens for your desktop. It doesn't have to be just for the laptop, and some of them are going to be better than others. You should also read the reviews. There's one here for a bigger screen. This one looks pretty dark. And if you are working in a cafe, you're always on the move with your laptop, and you're working on confidential information, this is something you may want to look into. So for your exam, remember shoulder surfing, user training, and privacy screens. OK, the next thing we're going to be talking about is dumpster diving: going through the trash and stealing people's information. You'd be surprised to know what people throw out, especially businesses, and it's confidential information, whether it's bank statements, employee records, or personnel records. I used to work in a cube farm. I had rented a little cubicle in Manhattan to work from a really long time ago.
And I remember going to the bin, and there was another guy who was an accountant. And in the bin, he threw away a whole bunch of employee records and all the accounting records that he had for his business, including payroll information, and it was all there. So how do you stop dumpster diving? The thing to remember is: get a shredder. You can go online and buy a shredder and shred your documents, or some people incinerate the documents. Some government agencies actually burn the documents in order to ensure they don't come back. You see, there are different shredders that make 20 cuts, 30 cuts, or whatever, and they really shred them very fine. But if the data is worth it, if the data on that paper is worth a million dollars, or $10 million, or a billion dollars, people will literally put it back together. It makes no difference how many pieces there are. So you burn it to ash. That would be another way. Okay, so for your exam, remember, shoulder surfing is looking over people's shoulders. It's fixed with privacy screens and user training. And then comes dumpster diving. Make sure that you have shredded or burned the documents if needed. That is the best way to fix these two problems.
3. Eliciting information and the principles of social engineering
In this video, I'm going to be talking about eliciting information and the reasons that are fundamental to why social engineering is so effective. So let's go through this. First of all, the main concept for social engineers is really just to steal your information and get data out of you in a variety of different ways. Eliciting information, or gathering information from people, is the main goal here. You're going to want to get information from people. The question is, how do you do it? So we've got some principles that we can take a look at that may show us why people are willing to give up confidential information. Let's take a look. So your exam objectives have a couple of these things here that we want to go through, seven in particular. The first one is going to be authority. People are willing to give information to certain authorities. They believe that person is who they claim to be. Imagine you work for an accounting department, and the CFO of that business, or the head of the accounting department, calls you up and says, "Hey, let me have the account numbers or the banking login information. I need to rearrange or withdraw funds." And if you believe that that's the right person, you may just give them that information.
So authority works well because people are willing to give information to the right figure. The other one here is going to be intimidation, or intimidating you. This is when you get a call from the IRS or from the taxation department: if you don't pay up, you're going to go to jail for a long period of time, or they're going to fine the hell out of you. That's intimidation. They're intimidating you and scaring you into giving up the information. "Send me your credit card information right away. If not, you're going to jail." The other one is called consensus. This is when it's, "Everybody I've got on the phone, everybody is buying this product, and everybody likes this product. So you should be using this." So you're thinking everybody's going along with it, so you go along with it. The other one is scarcity. So scarcity is when it's, "Okay, this product. Let me have your credit card to buy this product, because right now we are running very low on supplies. We only have ten units or five units left. Let me have your credit card information." Imagine this with car warranties. They'll call you up and say, "Well, your vehicle warranty has expired." And when you pick up the phone, they say, "Well, you only have three of these deals left. You have to buy it."
So if you want it... they say the best-tasting food is the one you can't have, right? So this is what you want, because now you feel like you can't have it, due to scarcity. The other thing is familiarity. If you're familiar with that person, you're familiar with that email address, you're familiar with where it's coming from, you're probably going to click on a link because you know that person. If I call you and the caller ID shows some number that you're familiar with, you're probably going to pick up the phone and talk to me, thinking it's your friend. If I sound like your friend, or close enough, you may just give me the information. The other one is trust. The main thing about social engineering is building trust. If you want information from people, let them trust you. And I'm going to give you a pretty cool social engineering attack coming up after I cover the next one, urgency. So urgency is when you have to do something right away, because if you don't do it, you're going to lose it. So, for example: "Hey, let me have your password. I'm calling you from the help desk; I'm working at your company's help desk. Let me have your password, quick, like, I've installed an update. If not, your computer is going to stop working, and I need it now." So you create an urgency for it. All right, I'm going to give you a quick hack that you can try in your organisation. And this hack is pretty effective in terms of social engineering. And this hack is how you get someone's password. And it's going to use quite a lot of these principles. It's going to use the principle of authority. It's going to use the principle of familiarity, of being familiar with that person. It's going to use the principles of trust and urgency. Let me explain. So let's say you work in an organisation, and I want your password. Now remember, a lot of companies have policies where they say something like, "Don't give out your password to anyone," right?
"The help desk will never ask for your password." Good. So that's the policy.
You see, social engineering will play within those policies to steal the data from the user by using some of these principles. So here's what I'm going to do. I'm a hacker. Your name is Bob. I'm going to call you up and say, "Hey, Bob, my name is Andy, and I just started working at the help desk today. Nothing is wrong with your computer, Bob. I'm just introducing myself and letting everyone know that I'm here in case you have any issues. Here's a callback number if you have any issues." Now I'm hoping you don't have any issues, okay? If you do, I'm in trouble, because I don't want any issues from you, because I really don't know you. I'm not in the company. I'm outside, right? So I'm going to say, "Bob, have a good day. It's nice talking to you." Two weeks later, I'll call you back, and I'm going to say, "Hey, Bob, any problems with your computer? No? Well, we've been doing some updates on Microsoft Office, and so far no one has really had any issues. I'm just checking on you. There's been a big, massive update to Microsoft Office." If you have any issues... I'm hoping you say no. Again, you're going to say, "No, my computer is all good." "Very good." Hang up the phone. I'll call you another week later.
Now I'm on my third phone call. "So, Bob, how's that Outlook working? We just did another update. Microsoft is releasing a lot of updates, and I've noticed that you use Outlook a lot." So now I'm creating this space where you can feel comfortable, and I'm telling you I can see your computer. The question is, who doesn't use a lot of Outlook? Who doesn't use a lot of email in today's world? So you're going to say, "No, I'm good. Everything is working fine." I'm going to be like, "Well, I was monitoring your user traffic. I was monitoring your traffic. You use a lot of Outlook. I was just checking on you. By the way, do you have any children? Are you married? Where do you live? Do you have a dog?" Whatever. I'm going to talk to you, because you know what? You're going to talk to me. The more you talk to me, the more trust you build with me. The more you trust me, the more you think I'm on your side or on your team. We become familiar with each other. We become familiar with the technology. You're familiar with me. I'm familiar with you. We earn each other's trust. I'm at the help desk. I'm the authority, because I know all this good stuff. I know how to fix your computer. I'll call you back one more time. And I'll say, "Bob, in two weeks, we're going to be putting in an update, a major update, on your computer. Just to give you a heads up. By the way, how is your wife doing? How is your daughter doing? How is your son?" By that time, I know everything about you, and you know everything about me, because you trust me. But you shouldn't. The day of the hack, I'm going to call you and say, "Hey, Bob, we're putting in the update today. But just to be sure, I want you to write this password down. Your new password is..." and I just make one up. I'm going to give you a password. "Here's what I want you to do, Bob. When you're leaving today, reset your password to this password. If not, I can't push that update for weeks. I'm trying to get this updated." And then you leave.
Then I hang up. And what you're going to do is change your password. Why would you change your password to the password I just gave you? Because you trust me. Because you're familiar with the process we're about to do. And, you know what I forgot to mention in that call? I'm going to tell you that if you don't do this, Bob, your Outlook isn't going to work.
So you need to do it right away. So we create urgency. We create trust. You're familiar with me, and you will change your password. Now I've given you the password. Think about this hack for a second. In this hack, something is different. Notice I never asked for the password. I gave you the password, which is within the company policy, because that's where users get passwords: if they need a password reset from the help desk, the help desk gives Bob the password. If you work in an organisation today, try this hack and see how effective it is. Call up a user as the help desk, give them their new password and a time to change it, and more than likely they will. If you ask them for their password, they won't give it to you, but tell them to change it to this and they will. It's a kind of reverse psychology trick, because they trust you, because they're familiar with you, and because you have that authority, they believe this is the person who gives out passwords. This is social engineering, and as you can see, it's highly effective. Try it on your users and you will be surprised to know how many people are caught and will change their password, allowing you to steal it very easily.
4. Pharming
In this video, we're going to be talking about pharming. No, not the farming where you grow plants, vegetables, and fruits. We're talking about "pharming," which redirects people's traffic by manipulating DNS servers or the DNS cache on your machine. This lecture is going to take us pretty in-depth into DNS, and hopefully you have an understanding of it. Remember, you should have done your Network+ before coming to this class; that's what we recommend. I assume you have a little bit of knowledge of how DNS works. Remember, DNS basically translates domain names to IP addresses. So we're going to have some fun with this objective. It's pharming with a "ph" rather than an "f." It plays on the concepts of farming and phishing. One form of phishing is getting a link in an email, clicking on it, and not realising that it's a bad domain. Well, in pharming, what we're going to be doing is manipulating the DNS cache of a computer and redirecting traffic.
Now, I'm not going to redirect it to a malicious site. I'm just going to show you how it's done and what the DNS cache looks like. So remember, pharming is manipulating the DNS cache of a computer. So when you type Bank of America or Chase Bank or whatever bank you're going to, it's going to redirect you to a particular website that looks like Bank of America. But it's not, because they're manipulating the DNS. In other words, Bank of America is going to resolve to a bad IP address. There are a few ways to do this. You can do this by changing the DNS servers themselves, if you could get a hold of the servers, or by manipulating the cache on the computers. And I'll show you how to do it quickly and easily. Let's take a look. So in this video, I'm also going to show you guys how to check the DNS cache on a computer. We're also going to manipulate the hosts file on it. I'm going to use the domain name tia.edu, my company's domain name. And you'll notice that right now it just goes to our website, tia.edu, which is just our website. Nothing big. So what I'm going to do is manipulate the cache on this computer by just editing the hosts file. And I'm going to point this to Google. All right? So when people type in tia.edu, Google is going to show up. And then you have to understand what people mean by cache. Every computer carries a DNS cache. Let's take a look at it. So if we open up our command prompt, I'm going to type ipconfig. If you did your A+, you probably learned this already. We'll do ipconfig /displaydns. And by displaying the DNS cache, you'll see entries for all the sites that I've been to. Here are all of them. Here's tia.edu and here's the website address for it. Here's Google's IP address. You know what? Let's copy this, because we're going to point to this, so let me highlight that. I'm going to copy this. Is that Google's IP address? Let's find out. If I go there, yes, it is. It's Google. Okay? So here's what I'm going to do.
I am going to trick this computer. I'm going to poison this computer. What I'm going to do is tell it that tia.edu is Google's IP address, not that other web server. The way to do this is by going to your hosts file.
So let's do Windows+E, opening up a quick Explorer window. Here we'll go to the C drive. We're going to go down here to Windows. This is a long path. You may want to make a note of this if you're following along. It's Windows, then System32, then we're going to go here to drivers, then we're going to go to etc. That's a long one. So you can see how long this is: C:\Windows\System32\drivers\etc. You see this file, called the hosts file. This file is what Windows checks first, before checking the DNS server. So what I'm going to do is open up this hosts file, and you're going to open this in Notepad. And it tells you that these lines are comments. They basically don't count. So I'm going to go here and add an entry to this file. And you can actually do this at home if you want to trick someone. We're going to say that IP address (remember, I copied that from Google), then a tab, and this is actually www.tia.edu. And I add another one, just in case, for tia.edu, depending on how the browser wants to see it, so that it points to that IP address. All right, that's all there is to it. I'm going to close this. Watch this. We're going to close this. Save it. Yes, it's all good. And I'm going to go here, and we're going to flush the DNS, because right now the DNS cache is pointing tia.edu to another address. So what we're going to do is we're going to say "ipconfig /flushdns." And you'll notice that now the cache has almost nothing in it, right? It just has a few different things in there. If you notice, it's saying... tia, where am I here? Okay. So where is the flush here?
Okay, so it did flush. Okay. ipconfig /displaydns. You'll notice tia.edu is pointing, that's right, to Google's IP address. Let's try it out. Let's have some fun with this. So we're going to go back, and we're going to type tia.edu. Let's see what happens here. So it's telling me it's not valid, right? Even if I put this in here and press Enter, you'll notice it takes me right back here. So what is happening here? What's happening here? "Proceed to it. It's not safe." You'll notice it takes me to Google. So what's happening here? It's not going to show up like that because it's not a full URL. This, however, is an example of how they can poison. And notice this is an actual Google web page, but your browser is showing tia.edu, even though it's not tia.edu. I mean, this really is Google here. This is a Google error page. Even if I try this on another browser, it will be the same concept. See, now this one goes right to Google. It's like, "Hey, it's a Google error page here," but it's not Google. So that's how you would poison the cache. So this is the concept of pharming. Pharming is the concept of installing malware on your computer. And basically, what the malware does is redirect traffic via the DNS on the computer, or sometimes it does it on the server. You don't have to do it here. You can do it on the server. So it's going to be malware that's on your computer that's doing it. Pharming is regarded as a form of phishing. It's a form of social engineering. The way to prevent it is just to not get infected with malware. The other way to fix this, if they're hacking the DNS servers, is to ensure that you do the right things and protect the DNS server to ensure that no one can edit it: it's secured well, it has malware protection, it doesn't have a lot of services running, it's kept up to date, and so on. Okay, so that's pharming. If you want to go have some fun with people, you can do this. You can try this out.
Redirect people's domain names, and you could have some fun poisoning the hosts file. They type Facebook and they are directed to Google. Just tell them Google bought Facebook. Really drive them crazy. But that's the concept of how to poison DNS and how to do pharming.
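As an added example (not code from the page or the course), here is a Python audit of a Windows hosts file that flags the kind of override the video makes by hand, since a stock hosts file has no active mappings at all; the sample hosts text, the watchlist domains, and the flagging rules are assumptions constructed for this demonstration.

```python
"""Audit a Windows hosts file for pharming-style overrides.

A stock Windows hosts file contains only comments, so any active mapping
deserves a look, and a mapping for a domain you care about (your bank,
your own company domain) is a red flag: that is exactly the redirection
the video performs by editing the file and flushing the DNS cache.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Path the video walks to by hand (C: -> Windows -> System32 -> drivers -> etc).
WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample hosts file: the stock comment header plus a few
# hand-added lines, two of which are the kind of edit the video makes.
# 203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 127.0.0.1       localhost
# ::1             localhost

127.0.0.1       dev.local.test            # developer loopback alias, benign
203.0.113.10    www.tia.edu tia.edu       # domain pointed at a foreign address
2001:db8::5     login.bank.example        # IPv6 override of a watched domain
not-an-address  whatever.example          # malformed line, ignored by the resolver
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostnames: List[str]


@dataclass
class Finding:
    line_no: int
    hostname: str
    address: str
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into active (non-comment) entries.

    Each active line is '<address> <hostname> [<hostname> ...]' with an
    optional trailing '# comment'. Lines whose first token is not a valid
    IPv4/IPv6 address are skipped.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:  # an address with no hostname maps nothing
            continue
        try:
            address = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        hostnames = [h.lower().rstrip(".") for h in tokens[1:]]
        entries.append(HostsEntry(line_no, str(address), hostnames))
    return entries


def _is_watched(hostname: str, watchlist) -> bool:
    """True when hostname equals a watched domain or is a subdomain of one."""
    return any(hostname == w or hostname.endswith("." + w) for w in watchlist)


def audit_hosts(text: str, watchlist=()) -> List[Finding]:
    """Flag hosts-file entries that look like pharming overrides.

    Rules (assumptions of this example, not a Windows rule):
      * a watched hostname (or subdomain) is flagged whatever address it
        maps to, since even a loopback sinkhole tampers with that site;
      * any other hostname mapped to a routable (non-loopback,
        non-unspecified) address is flagged as an override to review.
    Loopback aliases such as developer test names are left alone.
    """
    watch = {w.lower().rstrip(".") for w in watchlist}
    findings = []
    for entry in parse_hosts(text):
        addr = ipaddress.ip_address(entry.address)
        routable = not (addr.is_loopback or addr.is_unspecified)
        for host in entry.hostnames:
            if _is_watched(host, watch):
                findings.append(Finding(entry.line_no, host, entry.address,
                                        "watched domain overridden"))
            elif routable:
                findings.append(Finding(entry.line_no, host, entry.address,
                                        "hostname mapped to routable address"))
    return findings


def audit_file(path: str = WINDOWS_HOSTS_PATH, watchlist=()) -> List[Finding]:
    """Audit the hosts file on disk (reading it needs no elevation)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS, watchlist=["tia.edu", "bank.example"]):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}: {f.reason}")
```

Pair this with a scheduled hash of the hosts file, since the video's edit survives `ipconfig /flushdns` and only shows up again in `ipconfig /displaydns` once the poisoned name is looked up.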
5. Spam and SPIM
In this video, I'm going to be talking about spam and spam over instant messaging. So what happens when you use email? You're going to get a lot of unsolicited spam messages. Oh my god, I hate spam so bad. It just wastes my time to delete them. I'm pretty sure a lot of you guys have a few email accounts. You have one you give to all the companies that want it, and then you have one private one that you keep for your real personal stuff, maybe one you give to employers. I do. I'm pretty sure you guys, if you don't, should get one, right? Have this one email just be given away to everybody, because almost any website you go to, they always want to have your email, and then they spam you by sending you unsolicited messages you don't want. Now, this has gotten better over the last couple of years. Companies are giving you the option to opt out even when you register for their business. They're giving you the option to check out as a guest, or they're saying, "How often would you like us to send you messages?" Because they don't want to be put on some kind of spam list and be blocked. What spam does is that it basically floods your inbox, gives you advertising, and then you have real malicious ones that may be trying to phish you or get information out of you.
Another thing that's mentioned on your exam is spam over instant messaging, or SPIM. And what this is, basically, is instant messenger spam, right? This is when people have gotten your username and are sending you messages over instant messaging, and you don't know where they're coming from, and it could be advertising and so on. So how do you prevent getting spam, or getting spam over instant messaging? The way to do this would be to just not give out your email to people that you don't trust. Don't give it out to companies you don't trust. Good companies, even if you opt in, will always have a way, all the way at the bottom, hidden in some secret fine print that you'd need the Hubble telescope to zoom in on, to find where it says "Click here to unsubscribe." There's always going to be a place there to unsubscribe, and good companies will do this. Of course, true spammers will not allow you to do this, because they do not want you to unsubscribe. They're going to keep sending it. And in situations like that, what you're going to have to do is use something like this. So this is Barracuda's spam, virus, and malware protection. This here would be for enterprise accounts. And according to them, spam accounts for 48% of all email traffic. Imagine that: that means half. That means one out of every two emails in your inbox is probably spam. So what this does is that this here will try to remove it.
There are numerous methods for accomplishing this. First of all, these types of email filtering software could be on the email servers, getting rid of it before it even hits you. Sometimes you have them installed on your machine. It depends how you set that up. But a lot of big businesses and enterprises would have it installed on the server, or sometimes on a service they subscribe to, because this is going to save the company time and not waste the users' time or flood their inboxes with unnecessary emails. But the best way to avoid spam, whether through instant messaging or email, is simply not to give out your email address to organisations or people you don't trust. Some people have two email accounts. Perhaps you have one that you use for both personal and shopping purposes. Maybe you have one you use for personal and private information, like giving it to employers or really important things. I know I do. I have an email account that I don't give to anybody unless that person is really important, and if they send something, I want to read it. And then I have one that I give to every store that I've ever been to, because every store you go to wants your email address. So I have different emails. One gets a whole lot of spam. One gets only important email with no spam, because I don't give out that email to anyone else. All right, so just some tips there on how to prevent all these unsolicited messages called "spam."
6. Tailgating
In this video, I'm going to be talking about tailgating and how to solve it. So tailgating is this. Let's say there's a door to a secure space that needs key card access or some kind of biometric or authentication to get in. Assume I'm going up the stairs, and let's say there's a door right here. So I walk up to the door, I swipe my card, it authenticates me, and I walk right in. I just keep on going, right? Bob the hacker is coming behind me, and he catches the door right before it locks. Now I'm already in there. I don't even notice. The door was never locked.
Now Bob the hacker has gotten into the space without anyone noticing. This is bad news, because now people could be letting people in without knowing it. Something similar to tailgating is another term you should be familiar with, called piggybacking. There is a difference. Here's the other example: I'm walking up to the door and swiping the card, and I look back and see Bob approaching. And then what I do is hold the door for Bob. I walk in, and I hold the door for Bob. You see, "tailgating" means generally I'm not giving consent. I didn't even know about it. Piggybacking is when you hold the door for someone. The problem with both is that in both cases, unauthorized people could have gained access to that secure space. The way to solve this would be to use something like I have here.
This is called a mantrap. And in this particular one, this is a circular, cylinder mantrap. So basically, you walk in, one door opens up, and you have to authenticate. Somewhere in here there's an authentication, and it could be either a security guard verifying an ID or a biometric sensor; it could be a card swipe in there. And there are a variety of these different mantraps. All I did was go to Google and look for mantrap images, and there's a variety; this is just a cylinder one. So once you authenticate, then the second door will open up. And I'll show you another picture of one of these that I saw. Here it is. Here's another one with two doors. You've got to authenticate somewhere in here before the other one opens up. So there are many of these types of mantraps available, but you must know what a mantrap does.
It's a double door. So I walk in, I authenticate myself, I walk in, and the door closes behind me. This door has to lock so nobody else can get in. So then I'm put in a, quote-unquote, lock between these two doors. And then I authenticate, whether it's a security guard verifying me or a card I'm going to swipe, and then the door in front of me opens up, and I keep going. This is generally the function of a mantrap. All right? So these are very good for data centers. These are very good for high-security areas of buildings that need extra security. Certain regulations make them pretty much mandatory. All right, so know what "tailgating" is for your test.
7. Other types of social engineering techniques
In this video, we're going to be going over quite a lot of different terms that you should be familiar with for your exam. Let's get started. So the terms we're going to be going over are: prepending, identity fraud, invoice scams, credential harvesting, reconnaissance, hoax, impersonation, watering hole attack, typosquatting, pretexting, and influence campaigns. Quite a lot of things, and a lot of these things you're probably familiar with. So I'm going to go through them pretty quickly. And as I go through each one, we'll talk about things you can do to fix it or help solve it. So let's get started. The first thing up is something called prepending. So you guys have probably heard of the term "append." To append something generally means to add something to the end. Prepending means adding something at the beginning. So let me show you guys what I mean by this. So if I go here, in Chrome, and type tia.edu, and then if I go in here and actually put a slash and put in the index page that I want to go to, it'll take me there. This is more of an append, with that slash. Prepending would be something generally added to the beginning. So maybe they can send you a link.
And this is going to be some type of social engineering attack, where they send you a link, and when you click on it, it prepends more information to it. Sometimes it can prepend what is known as a data field into the URL, turning it into a type of data attack. As a result, something as simple as "www." gets prepended, or you can go in there and prepend "https"; you just add things to the beginning of it. Why do attackers use this? Attackers use this to add information to the beginning. Generally, URLs in some kind of phishing email that you shouldn't be clicking on are where they're going to add this. Okay, the next thing we're going to be talking about is a big one, and it's something that you guys are probably familiar with. It's called identity fraud. Now, identity fraud happens when people steal your identity and pretend to be you. Although different texts you've read will say that there is a difference between identity theft and identity fraud: identity theft is more when they steal your identity. Identity fraud occurs when someone uses a stolen identity to accomplish something. For example, let's say you get a phishing link and click on that. You think it's a bank account or credit application. You click on it, and you give them your Social Security number, because you're 100% sure it was a bank, even though it wasn't. That's identity theft. Then what they would do is use those credentials to open up a credit card with your name on it and buy things on it.
That becomes identity fraud. Identity theft and fraud are currently a major issue all over the world. There were some statistics I was reading before doing this video on how prominent this particular thing is. It was like one out of ten in 2016, which was the year I was reading about: folks over the age of 16 have experienced some form of identity theft. So when they steal your information, your private information, they open up credit cards, buy cars, open bank accounts, and so on with your information. There are things you can do to prevent identity theft. How do you protect against it? Well, simple things. Don't give out your information. Services that monitor your credit are very important, because if they steal your Social Security number, or whatever number it is that your country uses to identify you, and they're running those numbers, you'll be alerted to it. There are a lot of different services out there that can monitor your identity information and alert you once it's used. Here in the United States, LifeLock is an example of that. Okay, another one that's pretty important to know is something called invoice scams. And I've seen this right here, working at Tia; I have personally seen invoice scams. So we own many domains, and we register them with the domain registrar, and we know who that registrar is. And then sometimes we get invoices from people saying that we have to pay them $100 to keep the domain registered. And I'm like, really? We pay, like, $15 to keep our domain registered. This is invoice fraud. This is an invoice scam, where they're sending you invoices from companies that look legitimate but are not. All they're doing is trying to get you to pay an invoice that you shouldn't be paying. And this works really well. You know what? I'll tell you guys another story of when this happened here at Tia.
I had the billing person, and she was going to pay an invoice for toner cartridges to a company that said they were from Canon. And we actually don't pay for toner; it comes with the printer in the lease we have. She got a bill that she was going to pay, and she asked me, "Do I pay this?" And I'm like, "Why are you paying that? That's a fraudulent invoice. They're charging you money for no reason." Toner fraud is actually a well-known scam of exactly that kind. These are fake invoices; invoice scams are really just fake invoices. The best fix is for the company to keep a list of the vendors it uses, know what a legitimate invoice from each of them looks like, and verify with others before the billing person pays anything out.

Next term: credential harvesting, also known as password harvesting. This is when phishing attacks, over time, gather lots and lots of usernames and passwords. The attacker has a website that looks like PayPal and sends a bunch of emails telling people to click here to reset their password. People go there to change or reset their passwords, and before you know it, the attacker has stolen everybody's password. Credential harvesting is a pretty common thing. What do they do with these credentials? They may use them for identity theft, or, for example, to get into or open things like people's bank accounts. So remember, credential harvesting is basically gathering lots of credentials.

The next term is reconnaissance. "Reconnaissance" means doing research. When you want to do something like spear phishing, which we talked about earlier, you have to do your research.
Reconnaissance means going out and scoping out the organization: learning about it, checking its social media, checking its website. It can even go as far as calling the organization and talking to salespeople there to find out more. Reconnaissance is an important step in penetration testing, which we'll get to later in this class, where we'll talk more about it.

Hoax. A hoax is something fraudulent: something they want you to believe in, but it's fraud. Hoax emails were popular many years ago; they would say "this is happening" when it wasn't. You click on the link, and before you know it, they steal your information or infect your computer with malware.

Impersonation. One of the core concepts of social engineering is impersonation: impersonating an IT person, impersonating the boss, impersonating a tax authority, such as someone calling from the IRS and asking people for their information. With impersonation, a good social engineer does a lot of homework, or reconnaissance, to find the identity of someone they can impersonate in order to get a target to hand over information. So, for example, I would do a lot of homework and learn how your company works and how your department works, and then I would impersonate an IT person at that company to get credentials from your users. Then I can harvest those credentials, so you can see how I'm putting all these terms together.
Because, really, a lot of the time you're going to use several of these if you're trying to socially engineer someone.

Here's a famous one: the watering hole attack. Notice this one for your exam. Here's the idea behind it. First of all, you target a group of people. The name comes from an actual watering hole that animals go to for water. Imagine a watering hole where zebras come to drink, and a crocodile comes out and bites one of them. The concept here is basically the same. So here's what you do. Say you target an organization to steal some of its information. You find a website where a lot of its employees go to gather data or to browse. You find a vulnerability in that website, and you exploit that vulnerability to inject code into the site. Now when that company's employees visit that website, this is the watering hole they're all coming to. When you attack the watering hole by injecting code that runs in their browsers or on their computers, it is a very effective way to target a very specific group of people.

Okay, how do you fix this? Well, the best thing to do is, of course, to train users and tell them not to click on links. Since the watering hole is a legitimate site the users have every reason to visit, training alone isn't enough here; keeping browsers and plugins patched and filtering web traffic matters as well. Okay?

Something really interesting that I've seen is typosquatting. When attackers register domain names that look very similar to a popular domain name, that is known as typosquatting. Imagine Facebook with a popular misspelling. You type F-A-C-E-B-O-O-K; Facebook is a very popular website. What would be a good way to typosquat Facebook? Drop or double one of those letters, and people would mistype it. Typosquatting is when they register domains that are very similar to the actual domain people go to. Google: G-O-O-G-L-E. Try G-O-G-G-L-E. I'll show you this one; I read about it on Wikipedia. You see, it's not Google, but I don't know what this is. I'm not going to click on this, so we're not going to click on this. But it's there, and you notice it's very similar to Google. So if you look up typosquatting on Wikipedia, that one there is an example of typosquatting. The best thing companies can do here is register as many variants of their domain name as possible, so people can't fake their domain names. Because, hey, if I send people the domain name goggle.com, a lot of people might mistake it for Google at first glance. People are not going to analyze it.
Okay, the next one is called pretexting. Pretexting is lying to someone: inventing a pretext to get information out of them or to steal information from them. Pretexting can mean saying you're an IT person when you're not, or that you're the boss of the company when you're not. The more reconnaissance you do and the more information you gather, the better your pretext will work. So pretexting really falls into this whole broad field of social engineering: as you're doing social engineering and impersonating people, you're going to be making up pretexts. Lying to anyone about any situation is a form of pretext.

The last thing we're talking about here is influence campaigns, and in particular hybrid warfare. A social media influence campaign is run to influence the public, or a set of people, on something very particular, and it's done by pushing the message out through social media posts.

So let's say there's an election happening in some country, and one campaign wants to influence the public in a particular way. So they start an influence campaign. This is generally done on social media to influence large numbers of people: that this candidate is better than that candidate, and so on. The other term here is hybrid warfare. Warfare in general means fighting with tanks and guns. Hybrid warfare brings cyber warfare and information operations into the mix. So an influence campaign is one component of hybrid warfare, because what it's doing is using information to influence people to think a certain way. The only way to counter this is to educate users and let them know the facts. And where is it done? Social media.

All right, in this video we covered a lot: prepending, identity fraud, invoice scams, credential harvesting, reconnaissance, hoaxes, impersonation, watering hole attacks, typosquatting, pretexting and influence campaigns. Quite a lot of terms were covered here. I want to finish by saying that all of these are good social engineering techniques, and when you're doing social engineering, you're going to be combining many of them. We did the video on the principles of social engineering, and whether it's using authority, intimidation, scarcity or gaining people's trust, it's all about getting people's information and stealing it without going down a technical path most of the time. All right, hopefully you had some fun with this video. Let's keep going.
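The prepending, credential harvesting and typosquatting tricks described in the lecture all come down to a URL whose visible text says one site while the browser connects to another. As an added example, not part of the course material, here is a small Python triage script that takes the links out of a suspicious email and flags the three patterns: a trusted name prepended as URL userinfo (everything before the `@` is ignored by the browser), a brand name prepended as a subdomain of an unrelated domain, and a registrable domain one keystroke or one homoglyph away from a trusted one. The trusted-domain list, the homoglyph table and the sample links are constructed for illustration; the "last two labels" rule for the registrable domain is an assumption that ignores multi-label public suffixes such as co.uk.

```python
"""
Triage links from a suspected phishing mail for the prepending and
typosquatting tricks covered in the lecture.  Added example; the trusted
domains, homoglyph table and sample URLs are constructed, not real data.
"""
from urllib.parse import urlsplit

# Constructed allow-list of sites this organisation's users really visit.
TRUSTED_DOMAINS = ["facebook.com", "google.com", "paypal.com"]

# Digits attackers substitute for look-alike letters (0 for o, 1 for l, ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def fold(name: str) -> str:
    """Normalise a domain so visual look-alikes compare equal to the real name."""
    return name.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1 (one slip of the fingers)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Assumption: no multi-label public
    suffixes (co.uk etc.); a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return a list of (kind, detail) findings for one link.
    An empty list means the link really goes to a trusted domain."""
    if "://" not in url:
        url = "http://" + url          # bare "www.example.com" style links
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # 1. Trusted name prepended as userinfo: the browser discards everything
    #    before '@', so the reader sees paypal.com but lands on the real host.
    if parts.username:
        findings.append(("userinfo-prepend",
                         f"displayed '{parts.username}' but host is '{host}'"))

    reg = registrable_domain(host)
    subdomain_part = ".".join(host.split(".")[:-2])

    for t in sorted(trusted):
        if reg == t:
            continue                     # genuinely the trusted site
        brand = t.split(".")[0]
        # 2. Brand prepended as a subdomain of an unrelated domain:
        #    paypal.com.account-verify.example
        if brand in subdomain_part:
            findings.append(("brand-in-subdomain",
                             f"'{brand}' appears left of real domain '{reg}'"))
        # 3. Typosquat: one keystroke, or a homoglyph swap, away from the brand.
        if edit_distance(fold(reg), t) <= 1:
            findings.append(("typosquat", f"'{reg}' is a look-alike of '{t}'"))
    return findings


if __name__ == "__main__":
    # Constructed sample of links as they might appear in a phishing mail.
    for link in ["https://www.google.com/search?q=x",
                 "http://goggle.com/",
                 "https://facebok.com/login",
                 "https://www.paypal.com@evil.example/signin",
                 "https://paypal.com.account-verify.example/",
                 "https://paypa1.com/"]:
        print(link, "->", analyze_url(link) or "ok")
```

The brand-in-subdomain check is deliberately loose (a substring match), which is the right trade-off for mail triage where a false positive costs an analyst a glance; for blocking at a proxy you would tighten it to whole labels and add the Public Suffix List so that a legitimate `accounts.google.co.uk` is not flagged.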