4.2 Summarize various types of attacks and their impact
Social Engineering
📘CompTIA Network+ (N10-009)
Definition
Shoulder surfing is a social engineering attack where an attacker watches someone’s screen, keyboard, or input device to steal confidential information. This can include:
- Passwords
- PINs
- Personally identifiable information (PII)
- Other sensitive data
It is called “shoulder surfing” because the attacker may literally look over your shoulder while you are entering information.
How Shoulder Surfing Happens
Shoulder surfing is not a technical attack (like hacking software or networks). Instead, it relies on observing a person. In an IT environment, this can happen in various ways:
- Physical observation:
  - Watching a colleague type their password at a workstation.
  - Looking at someone’s screen to see sensitive emails or files.
- Remote observation using cameras:
  - Using hidden cameras in offices to capture screens or keyboards.
  - Compromised webcams can also be exploited to observe users.
- Digital shoulder surfing:
  - Recording screens or keystrokes via spyware or keyloggers.
  - Observing sensitive information displayed on shared monitors in open offices.
Why It Matters
- Shoulder surfing can lead to unauthorized access to systems, applications, and sensitive data.
- It can compromise user accounts, corporate secrets, and client information.
- Attackers often use this as a first step before performing further attacks like phishing or network intrusions.
Common IT Examples
- Logging into a VPN or server:
  - An attacker watches a user type their VPN credentials to gain remote network access.
- Accessing a secure database:
  - Observing a database admin enter database credentials or sensitive queries.
- Workstation login:
  - Watching someone type their Windows or Linux login password on a corporate laptop.
- Cloud services:
  - Observing users access cloud dashboards (like Azure, AWS, or Google Workspace) to steal admin credentials.
Prevention Techniques
Preventing shoulder surfing is part of physical and digital security:
- Physical measures:
  - Privacy screens: Reduce the viewing angle of monitors so others cannot see the screen from the side.
  - Positioning monitors: Place monitors away from public spaces or high-traffic areas.
  - Secure entry points: Make sure offices or data centers require ID badges for access.
- Behavioral measures:
  - Shield keyboards with your hand while typing passwords.
  - Be aware of your surroundings when accessing sensitive information.
  - Avoid entering sensitive information in public or shared spaces.
- Technical measures:
  - Use multi-factor authentication (MFA): Even if a password is observed, attackers cannot access the account without the second factor.
  - Regularly update and enforce strong password policies.
  - Lock devices when not in use to prevent casual observation.
Exam Tips
- Shoulder surfing is always a social engineering attack, not a network attack.
- It is physical or visual in nature, but sometimes can be enhanced with technology (like cameras or spyware).
- Prevention involves both physical security and strong authentication.
- Remember, no hacking skills are required; the attack relies purely on observation.
Summary Table for Quick Review:
| Aspect | Details |
|---|---|
| Attack Type | Social engineering |
| Method | Observing screens, keyboards, or inputs physically or via cameras |
| Target Data | Passwords, PINs, confidential information |
| IT Examples | Logging into VPNs, cloud dashboards, workstations, databases |
| Prevention | Privacy screens, MFA, shielding keyboard, device lock, office security |
