Welcome the CyberRays video series in the Company of Security Plus 5 +01 Certification and Exam.
I'm your Instructor, Round Warner,
This video cover section 1.2 of security plus compare and Contrast type of attacks.
Because the length of this section have broken it into three parts,
this is part one on social engineering attacks.
Under screen are the many topics covered under attack types with security. Plus.
In this video, I'll be talking about the different social engineering attacks such as fishing, spear, phishing, whaling, fishing, tell gating
impersonation, dumpster diving
and shoulder surfing.
The other topics will be covered in the other videos. In this section,
humans are and always will be the weakest link in security.
Social engineering is a common mechanism to take advantage of humans and just human nature
under screen. You see a definition of social engineering, According to one of the experts, Chris had Maggie,
it's the process in which intruders gain access to facilities, network systems, data and employees by exploiting that generally trusting nature of people,
what's the use of deception and manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes?
We'll talk about many aspects of social engineering throughout this video.
Social engineering can occur online and offline.
Online includes fishing, dishing, spoofing, offline or physical attacks are tailgating, impersonation, dumpster diving and shoulder surfing.
Some attacks combined them.
Let's go into the details, and each
communication's moving. It's very common way fraudsters air, getting into organizations and taking advantage of their information.
Fishing is a common email spoof. It's sending emails purporting to be from a reputable company in order to induce individuals to reveal personal information.
Spearfishing is a variant of that going against a specific individual. While fishing is more like spam, phishing is against one person.
They both have similar characteristics.
Let me show you an example.
On your screen is a sample fishing
You can see the numerous problems associated with it.
The challenges, though it looks like it's from Bank of America, if you just quickly look at it.
But when you go into the details, you see misspelled words and other information that just doesn't sound right.
You have to familiarize yourself with fishing because it's a common mechanism in the computer systems,
and it may also be on the security plus exam
There are other variants of communications spoofing and fraud you should be aware of, including whaling, which is another type of phishing attack but going against a specific, usually high powered individual, an executive within the company
fishing is making phone calls or leaving voice messages.
Farming. Were you redirecting traffic toe a spoofed website?
There are variants of fishing. You should also be familiar with, for example, its mission. Sending fraudulent text messages.
Be aware fishing and other types of communications fraud within your email, text and environment.
Some other types of fraud will see involving communication. Include hoaxes,
malicious actors. Issuing false warnings to alarm users could be a false virus alert.
Swatting are fraudulent calls to the police against another individual. We see this within the gamer society, where one gamer will call the police on another gamer in order to beat them at the game.
Watering hole attack is a security exploit in which the attacker seeks to compromise a specific group of end users by infecting websites that members of the group are known to visit.
These are all form of communication spoofing and social engineering.
We also see a social engineering involved with the physical world. For example, tailgating
getting injury to Elektronik Lee lock systems to follow some by following someone through a door they just unlocked.
I also mentioned this in section 3.9 on Physical security.
Dumpster diving is kind of a gross form of social engineering, where you go into trash bins to find sensitive information.
Unfortunately, many organizations throw out files that may have sensitive data on them, like names, Social Security numbers, credit card numbers
throw it out through normal trash.
This is why cross cut shredders are such a great defense and having those shred bins within organizations as well
to defeat Dumpster diving,
another common form of physical social engineering. His shoulder surfing
watching someone over their shoulder when they enter sensitive data such as their user i D or password,
you see an example on your screen
when you're in a public area, watch around you and be careful of shoulder surfing. Someone may be trying to catch what your password is.
Why is social engineering so effective?
Well, Dr Roberts Seal Deanie wrote a book about it, even though it has nothing to do with cybersecurity reference influence.
The art and science of persuasion. He lists the reasons for effectiveness of authority like a police officer, someone in a suit,
intimidation kind of using power consensus, social proof proof. Well, everyone else is doing it.
Scarcity. There's only three tickets left. Better by now.
Familiarity and liking you like people who are like you
trust establishing and then taking advantage of trust
urgency. Better act now
and reciprocity fight. Give you something you feel like you need to give something back to me in return.
These are all based reasons why social engineering is so effective.
Be on the lookout for these in your environment.
I'm often asked, How do we stop social engineering? The art of human hacking,
first of all, is user education. That security awareness training some people like toe ignore could actually save them a lot of headaches. We need to continually educate our population about these attacks.
Trust, but verify Quote from Ronald Reagan.
When you see something, verify it. Don't just trust it. If it sounds too good to be true, it probably is.
Lastly, if you see something, say something.
If something doesn't seem right, asked somebody else or ask the bank if you think you got an email that might be fishing from your bank.
Call them up, don't reply to that email,
go to the bank or called them to find out. But if you see something, say something.
These are all very simple ways to prevent
and reduce the effects of social engineering.
Let's practice on a sample test question
user contacts. You suspecting that his computer is infected.
Yesterday he opened an email that looked like it was from a colleague.
When you later talk to that person, she said she never sent that email.
What type of attack is the most likely cause of the infection,
see spear phishing because it's a directed attack as opposed to fishing, which is a general type of spam attack
You observe a delivery person entering your building by following an employee through a locked door into a secure facility,
which term best describes this type of attack.
The enter is see tailgating, following someone into a secured facility.
If you have access to the Security plus lab, a recommend looking at the Social Engineering and reconnaissance lab.
This concludes the first part of section one dot to compare and contrast types of attacks
where I discussed different types of social engineering attacks