Lecture 2

Cards (20)

  • Security in User Domain
    Lecture on Cyber Security Fundamentals for Diploma in CSF/IT/FI/IM & CICTP Programme, Year 1 (2024/25), Semester 1
  • Topics
    • Human Errors
    • Human Errors Mitigation
    • Social Engineering
    • Social Engineering Mitigation
  • An End-User is a person who uses a product
  • End-Users typically do not possess the technical understanding of the product they are using
  • Kevin Mitnick: "The weakest link in the security chain is the human element."
  • Human Errors
    Unintentional actions - or lack of action - by employees and users that cause, spread or allow a security breach to take place
  • According to a study by IBM, human error is the main cause of 95% of cyber security breaches
  • Human Error Case - Password
    • 123456 remains the most popular password in the world
    • 45% of people reuse the password of their main email account on other services
    • Writing down passwords on post-it notes
    • Sharing passwords with colleagues
  • Human Error Case - Data Handling
    • Accidentally deleting essential files with sensitive data
    • Sending emails with sensitive data to the wrong recipients
    • Accidentally making changes in documents due to carelessness
    • Sharing sensitive data with colleagues using unsecured messengers
    • Using unsecured email attachments when sending sensitive data
    • Not backing up critical data
  • Human Error Mitigation
    1. Update your corporate security policy
    2. Educate your employees
    3. Monitor your employees
  • Social Engineering
    The manipulation of individuals in order to induce them to carry out specific actions or to divulge information that can be of use to an attacker
  • Social Engineering Attacks
    • Shoulder Surfing
    • Tailgating
    • Dumpster Diving
    • Phishing
    • Spear Phishing
  • Shoulder Surfing
    Stealing a password or PIN by watching the user type it
  • Tailgating
    Entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint
  • Dumpster Diving
    Combing through an organization's (or individual's) refuse to try to find useful documents (or even files stored on discarded removable media)
  • Phishing
    The fraudulent attempt to steal personal or sensitive information by masquerading as a well-known or trusted contact
  • Phishing Email Example
    • Very generic "user" in email
    • URL is not from one of your recognized service providers, e.g. "microsoft.com"
    • Message has sense of urgency - "24 hours"
  • Spear Phishing
    A phishing scam where the attacker has some information that makes the target more likely to be fooled by the attack
  • There is no effective way to fully protect against Social Engineering attacks
  • Social Engineering Mitigation
    1. Implement a sound security policy
    2. Provide education and awareness training
    3. Limit data leakage