CEH

(Jeff_L) #1



I want to introduce some basic techniques that can prove useful at this stage of information
gathering:


Eavesdropping: This is the practice of covertly listening in on the conversations of others.
It includes listening to conversations or just reading correspondence in the form of faxes or
memos. Under the right conditions, you can glean a good amount of insider information
using this technique.


Shoulder Surfing: This is the act of standing behind a victim as they interact with a
computer system or other medium while working with secret information. Using
shoulder surfing allows you to gain passwords, account numbers, or other secrets.


Dumpster Diving: This is one of the oldest means of social engineering, but it’s still an
effective one. Going through a victim’s trash can easily yield bank accounts, phone records,
source code, sticky notes, CDs, DVDs, and other similar items. All of this is potentially
damaging information in the wrong hands.


Summary


This chapter explored the process of gaining information about a target. As you saw, the
first step is to use search engines to gain initial information about a target, with the goal of
seeing what is available and how the data you discover can guide your future efforts.


In the next phase, you move on to gathering information from other sources such as
e-mail and financial resources. As you learned, e-mail tracking tools and notifications allow
you to build a profile of target organizations and see how they respond to messages (which
may assist in phishing efforts later).


Once you’ve gathered enough information, you try to refine the results to get to the
information you truly want or can act upon. Using techniques such as Google hacking and
social engineering, you can gain even more insight.


Exam Essentials


Understand the process of footprinting. Know how footprinting functions and what the
ultimate goals of the process are. Understand the various types of information that may be
obtained.


Know the different places and sources through which to gain information. Understand
that a complete profile of an organization cannot be built from one source and that you
must access and investigate many different sources to get a complete picture. You can use
websites, people, and other sources to fill out the picture of your target.


Know how to do competitive analysis. Understand that if you run into a “black hole”
and cannot get a complete picture from analyzing a target directly, you can get information
from competitors. Competitors and outside sources may have done research for you in the
form of competitive analysis.
