Social Engineering


Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
00:00
>> Hello. Let's talk about Social Engineering. This is a type of attack that is geared at internal employees. Social engineering attacks are by far the most common direct confidentiality attack. In Chapter 1, we actually already talked about social engineering when we talked about phishing, spear phishing, whaling, and vishing. I don't know if I mentioned smishing, which is using SMS text messages.

The bottom line is, phishing is all about the impersonation of someone that should have access to resources. However, they really should not. It means showing up in a brown uniform and saying, "I'm a TPS. Can I get access to the backroom so I can deliver this package?" Social engineers are really talented and often successful. People fall for them because they want to be helpful and want to avoid conflict.

Social engineers rely on a lot of principles to do what they do. They use the principle of authority by being confident and giving the impression that they should have access to something they shouldn't. They use the principle of scarcity, like a salesperson at a car dealership who suggests that you better buy the car now because it might not be there tomorrow. Social engineers give the victim the impression that they will get something precious, but they need to respond right away, like offering a low-interest loan to the first 100 people who sign up. They use the principle of intimidation, where they are very confident and aggressive and coerce someone into giving them what they want. They use the principle of consensus to convince someone that everybody else is doing a certain thing, so they should too. They use the principle of urgency, where they emphasize that they need something right away, such as for an important meeting that is about to start. They rush you into making a decision quickly without considering the risks. They use the principle of familiarity, claiming to know someone you know, so you will trust them. They use the principle of trust. Similar to familiarity, they use some play to suggest that you should trust them. This is like someone dressing like a police officer. You will trust what they say and do what they ask you to.

To mitigate threats with social engineering, we normally think about training, but training can't solve everything. We need good policies in place, such as separation of duties, least privilege, and need to know. We also need to conduct social engineering pen tests from time to time to see if employees are following the policies. Social engineering today is our greatest threat.

It's important to note that also with social engineering, it's more than just phishing. An example of social engineering that involves a person getting access to your workspace is called piggybacking or tailgating. This is where you swipe your key card to get into the building and a person slips in behind you or asks you to hold the door without using their own card to get in. The best defense against that threat is to have a security guard and a man trap. A man trap is an area of dead space where you go in between the building entrance and where you enter the rest of the organizational space. The security guard can monitor that man trap area to catch people who are trying to slip in.

Dumpster diving also can be considered social engineering. It means someone going through the trash to find valuable information that people have thrown away instead of putting it in the shredder. Another form of social engineering is shoulder surfing. This is where someone stands behind you and looks over your shoulder. They may be looking at your computer screen or an access pad that you were typing a passcode into.

Our best defense against social engineering is to train our people so that they know what to watch out for. Also, we need to implement the policies of separation of duties, need to know, and least privilege. People only know the minimum that they need to know and only have access to the minimum amount of systems and information that they need access to.