Social engineering

Cards (40)

  • In May 2021, fuel pipeline operator Colonial Pipeline was crippled by a ransomware attack; the attackers gained initial access with a leaked password for a legacy VPN account that had no multi-factor authentication, then deployed the ransomware on the company's IT network
  • The DarkSide ransomware group was behind the Colonial Pipeline attack; the resulting pipeline shutdown left more than 10,000 petrol stations without fuel
  • Social engineering is a discipline in social science that refers to efforts to influence particular attitudes and social behaviors
  • Social engineering is defined as any act that influences a person to take an action that may or may not be in their best interest
  • Social engineering, often termed "hacking the human," is the manipulation of a person or group through psychological or non-technical means to gain access to data, information, or physical assets
  • In a security context, social engineering is the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust
  • Human behaviors and motives exploited in social engineering attacks include curiosity, fear, fast (intuitive rather than deliberate) thinking, greed, willingness to help, and trust
  • Personality traits in social engineering are based on the Five-Factor Model or the "Big 5": Openness to Experience, Conscientiousness, Extraversion, Agreeableness, and Neuroticism
  • The motivational system in social engineering depends on individuals' personality traits from the Five-Factor Model
  • Cialdini's Six Principles of Influence (also called the Six Principles of Persuasion) are used in social engineering attacks: Liking, Reciprocity, Commitment/Consistency, Social Proof, Authority, and Scarcity
  • An example of a social engineering attack scenario involves using the principles of Influence based on the victim's personality traits to increase susceptibility to the attack
  • Social engineering vectors include Phishing, Spear phishing, Smishing (SMS phishing), Vishing (voice phishing), Pretexting, Baiting, Physical access, Tailgating, and Shoulder surfing
  • Phishing is a common social engineering vector where attackers use deceptive emails to trick individuals into revealing sensitive information
  • Phishing is when attackers attempt to trick users into doing 'the wrong thing', such as clicking a malicious link that will download malware or direct them to a dodgy website
  • Two levels of phishing: bulk (untargeted) phishing, which is low-yield and sent to many recipients, like the "Nigerian prince" advance-fee scam, and spear phishing, which is more informed and sophisticated, targeted and tailored to a specific victim; whaling is spear phishing aimed at senior executives
  • Phishing ranked 5th among the top cyber crimes of 2021
  • Pretexting in social engineering involves using a fictitious scenario to establish trust and create a false motive for an unsuspecting individual to divulge information or do something they normally wouldn't do
  • Vishing combines voice calls with pretexting to induce individuals to reveal personal information or do something they wouldn't normally do, often pretending to be from a government agency or reputed organization
  • Spoofing is the act of disguising a communication or identity to appear associated with a trusted source, with forms like email spoofing, IP spoofing, DNS spoofing, and Caller ID spoofing
  • Quid Pro Quo in social engineering involves the attacker offering something in exchange for system access or executing a malicious command
  • Tailgating in social engineering aims to bypass physical security measures by following a person with legitimate access into a restricted area
  • Baiting involves leaving malware-infected USB drives in locations where people will find them, enticing them to plug the drive in and infect their own machine
  • Countermeasures against social engineering include raising awareness within staff, training employees in security protocols, scrutinizing sensitive information exposure, establishing security protocols, and deploying overall security policies
  • Phishing emails are malicious emails sent to users to gain sensitive information or install malware.
  • Phishing attacks involve sending emails designed to trick recipients into providing sensitive information, downloading malware, or installing rogue software.
  • Social engineering is the art of manipulating people into performing actions or divulging confidential information.
  • Phishing emails often mimic legitimate companies or well-known websites to gain the trust of recipients.
  • The goal of social engineering attacks is to trick users into revealing sensitive data, such as passwords, credit card numbers, or other personal information.
  • Keylogging malware and trojan horses are commonly used by social engineers to record keystrokes and gain access to user passwords.
  • Social engineers use various techniques to gain access to systems or networks, including phishing emails, pretexting (creating fake scenarios), baiting (leaving USB drives with malware on them), tailgating (following an authorized person through a secured door), and quid pro quo (offering something valuable in exchange for information).
  • Spear phishing targets specific individuals or organizations using personalized messages that seem trustworthy.
  • Spear phishing is a targeted form of phishing that uses personalized messages to increase credibility and deceive victims.
  • Pretexting is when an attacker creates a false scenario to obtain personal data from individuals.
  • Smishing uses SMS messaging instead of email to trick victims into providing sensitive information or downloading malware.
  • Whaling refers to spear phishing aimed at high-profile individuals such as CEOs, CFOs, and other senior management personnel.
  • Spear phishing targets specific individuals or organizations with personalized messages that appear more credible than generic phishing attempts.
  • Quid pro quo is where an attacker offers something valuable in exchange for sensitive information.
  • Spear phishing involves targeting specific individuals or organizations with tailored messages that appear more credible and urgent than generic phishing attempts.
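The phishing, spoofing and urgency cards above describe indicators a defender can check mechanically: envelope sender versus header From, SPF/DKIM/DMARC results, link text that shows one host while the href goes to another, a trusted domain embedded as a subdomain of an attacker host, and scarcity/authority cues in the subject. The script below is an added example (not part of the original card deck) that parses a raw RFC 5322 message with Python's standard library and reports those indicators. Both sample messages are constructed for illustration; every address, host and domain in them is hypothetical, and the two-label "registrable domain" approximation is an assumption that real code would replace with a Public Suffix List lookup.

```python
"""Phishing/spoofing indicator check over a raw e-mail (added example, stdlib only)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Subject phrases that play on urgency/scarcity and authority (assumed word list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify your account")

# Constructed sample: display name mimics a bank, envelope sender is a third-party
# domain, SPF/DKIM/DMARC fail, and the link text hides a lookalike host.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-campaign.example.net; dkim=none; dmarc=fail header.from=examplebank.com
From: "Example Bank Security" <alerts@examplebank.com>
To: victim@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account is locked. Please <a href="http://examplebank.com.login-verify.example.org/x">log in at https://www.examplebank.com</a> within 24 hours.</p>
</body></html>
"""

# Constructed benign sample: aligned sender, passing authentication, honest link.
CLEAN_EMAIL = b"""Return-Path: <newsletter@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "Example Newsletter" <newsletter@example.com>
To: reader@example.com
Subject: March product update
Content-Type: text/html; charset=utf-8

<html><body><p>Read more at <a href="https://www.example.com/blog">https://www.example.com/blog</a>.</p></body></html>
"""


def _domain(address):
    """Lower-cased domain part of an address header value, or '' if absent."""
    _, addr = parseaddr(address or "")
    return addr.rpartition("@")[2].lower()


def _registrable(host):
    """Crude registrable-domain approximation: last two labels (assumption;
    production code should consult the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw):
    """Return a list of human-readable phishing/spoofing indicators found in raw bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    from_domain = _domain(msg["From"])
    display_name, _ = parseaddr(msg["From"] or "")

    # 1. Envelope sender (Return-Path) not aligned with the header From domain.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"envelope sender {rp_domain} != header From {from_domain}")

    # 2. Any SPF/DKIM/DMARC verdict other than pass in Authentication-Results.
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech}={m.group(1)}")

    # 3. Display name that smuggles in an address at a different domain.
    dn = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if dn and dn.group(1).lower() != from_domain:
        findings.append(f"display name carries foreign address domain {dn.group(1)}")

    # 4. Urgency / authority cues in the subject line.
    subject = (msg["Subject"] or "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append("urgency cues in subject: " + ", ".join(hits))

    # 5. Link analysis on the HTML body: lookalike hosts and text/href mismatch.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        ex = _LinkExtractor()
        ex.feed(body.get_content())
        for href, text in ex.links:
            href_host = urlparse(href).hostname or ""
            if href_host and href_host != from_domain and href_host.startswith(from_domain + "."):
                findings.append(f"lookalike host {href_host} embeds sender domain as a subdomain")
            shown = re.search(r"(?:https?://|www\.)[^\s<>\"']+", text)
            if shown:
                url = shown.group(0)
                shown_host = urlparse(url if url.startswith("http") else "http://" + url).hostname or ""
                if shown_host and _registrable(shown_host) != _registrable(href_host):
                    findings.append(f"link text shows {shown_host} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_message(raw))
```

Run stand-alone, the suspicious sample yields seven findings (envelope mismatch, three authentication failures, urgency cues, the lookalike host, and the text/href mismatch) while the clean sample yields none. Each indicator alone is weak (newsletters legitimately use third-party envelope domains, for instance), so a mail gateway would weight and combine them rather than block on any single one.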