Cyber Security: Social Engineering and Techniques
Hi everyone, welcome back. Cyber security is an important area of focus. A great deal of data is now stored digitally, and this includes sensitive data whose exposure could cause damage to an individual or even an entire company.
Social engineering is a method in which someone, the social engineer, gathers information over time by asking questions that seem unimportant and pass as small talk. Over time, the social engineer learns more about a company and can use this knowledge to attempt to obtain sensitive information. Talking with the same person or group of people repeatedly also builds trust over time.
Phishing is a technique used to obtain sensitive information by tricking a user into entering their own information into a fake website. Combined with social engineering, the social engineer can pretend to be from a company or to be a friend. The social engineer learns how a company communicates with its employees, such as the structure of its messages, the common words it uses, and the channels it uses, and applies this knowledge to make the attempt to trick someone into entering their data more convincing.
Types of Phishing
- Spear Phishing: The victim or target is researched in more depth so that the phishing campaign looks more realistic.
- Whaling: Employees or founders who hold high-level positions within a company are targeted because they have more access to and control over sensitive data.
- Smishing: Phishing campaigns that take place over SMS. The text message appears to come from a trusted sender.
- Vishing: Phishing campaigns that take place over a voice communications channel. The phone call appears to come from a trusted caller.
Spam is the sending of large quantities of unsolicited email. Spamming can also be done through text messages and social media. It is a method used to reach as many people as possible and hope for the best, and it may look like advertising. It is important for users to recognise spam and not to click on any suspicious links.
Dumpster diving is a method used to retrieve information from trash or dumpsters that may contain sensitive data. This can be mitigated by shredding papers or by transporting documents containing sensitive data to a separate location for shredding and disposal.
Shoulder surfing is an attempt to see what someone is typing on a computer by looking over their shoulder. Once a social engineer has built trust, co-workers may become more open and have reduced defenses.
Tailgating is following someone through a gated or badge-only area. When someone opens a door and sees you following behind them, they may want to hold the door open for you, especially if you are carrying a lot of items. This is because people want to be helpful, and social engineers make themselves look like they belong by collecting knowledge of the company over time and gaining trust over time.
Pharming is redirecting a user to a fake website. This can be done by DNS cache poisoning or hosts-file injection, which are different types of cybersecurity attacks. The user is led to a fake website without their knowledge; the fake website can be built to look like the real, intended website, and any credentials the user enters there can now be read by the attacker.
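As an added defender-side example (not code from the original post), here is a small Python check for the hosts-file injection variant described above: it parses a hosts file and reports any entry that overrides a domain the organisation expects to be resolved only through DNS. The monitored domain list and the sample hosts-file content are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical list of external domains the organisation expects to be
# resolved only via DNS; any hosts-file entry for them is an override.
MONITORED_DOMAINS = ("bank.example", "login.example.com", "mail.example.net")

# Constructed sample hosts file: two normal loopback lines, one injected
# override of a monitored domain, and a legitimate internal override.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.10  bank.example www.bank.example   # injected by an attacker
192.0.2.5   intranet.corp                     # legitimate internal entry
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs; comments, blank and malformed
    lines are skipped, and hostnames are normalised to lower case."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an IPv4/IPv6 literal
        entries.append((str(addr), [h.lower().rstrip(".") for h in parts[1:]]))
    return entries


def find_pharming_overrides(text: str, monitored=MONITORED_DOMAINS) -> Dict[str, str]:
    """Map every monitored domain (or subdomain of one) found in the hosts
    file to the address it is redirected to. Loopback/localhost entries are
    untouched because every legitimate hosts file contains them."""
    overrides: Dict[str, str] = {}
    for addr, names in parse_hosts(text):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in monitored):
                overrides[name] = addr
    return overrides


if __name__ == "__main__":
    for host, addr in find_pharming_overrides(SAMPLE_HOSTS).items():
        print(f"ALERT: {host} is overridden to {addr}")
```

On a real machine you would read `/etc/hosts` (or the Windows equivalent under the system directory) into `text` instead of the constructed sample, and alert on any non-empty result.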
Impersonation can be done through social engineering. Once a company's communication style is understood, a social engineer can pretend to be someone trusted and important in order to obtain sensitive information.
Invoice scams are a method commonly used in whaling, where a fraudulent invoice is sent and made to appear highly important. This is more effective when the sender appears to be an executive and states that the invoice must be paid promptly.
These are some of the techniques that can be used to retrieve sensitive information, and just some of the things a social engineer with bad intentions can do. It is important to understand these threats and how to avoid becoming a victim. Many companies now provide security awareness training to their employees, but as targets get better at mitigating these threats, attackers adapt as well. I hope this helps. Thanks for reading.