Recognizing and Addressing Social Engineering Attacks Flashcards

1
Q

What is Social Engineering?

A

Social engineering is the act of tricking people into giving away confidential or sensitive information, often by pretending to be someone trustworthy. Social engineering works by exploiting human vulnerabilities and can be used to steal personal information, gain unauthorized access to computer systems, or carry out other malicious activities.

2
Q

What are some examples of Social Engineering goals?

A
  • Data theft
  • Data destruction
  • Financial gain
  • Financial harm
  • Political gain
  • Reputation/recognition
  • Revenge
3
Q

What is Data theft?

A

Data theft is the unauthorized or illegal taking of electronic data.

4
Q

What is Data destruction?

A

Data destruction is the process of securely and permanently erasing electronic data to prevent unauthorized access.

It can also be used to punish or cripple a victim, often by targeting infrastructure records.

5
Q

What is Financial gain?

A

Financial gain refers to the increase in money or other assets that an individual or organization obtains through legitimate or illegitimate means. It can include profits from business activities, investments, or the proceeds from criminal activities such as fraud or theft.

6
Q

What is Financial harm?

A

Financial harm refers to the negative impact on an individual or organization’s financial situation, often resulting from loss or damage to assets. This can include monetary losses, decreased profitability, reputational damage, legal costs, or other financial burdens.

7
Q

What is Political Gain?

A

Political gain refers to the use of manipulative tactics to influence individuals or groups in order to achieve political objectives. This can include spreading false information or propaganda, exploiting existing biases or prejudices, or using emotional appeals to sway public opinion. Social engineering for political gain can have serious implications for democracy, as it can be used to undermine trust in institutions, distort the truth, and manipulate public discourse.

8
Q

Use of Social Engineering for Reputation/Recognition

A

Attackers may use social engineering to gain the recognition of their peers.

9
Q

Use of Social Engineering for Revenge

A

Social engineering for revenge refers to the use of manipulative tactics to harm or damage an individual or organization as a form of retaliation or vengeance.

10
Q

Define Attack Vectors

A

Attack vectors are the methods or pathways that cybercriminals or hackers use to gain unauthorized access to a system or network.

11
Q

List some Attack Vectors

A

  • User name and password
  • Organizational and personnel information
  • End-user personal information
  • Email
  • Mobile device
  • Physical access

12
Q

Define High-Value Targets and give examples

A

Someone whose knowledge, access, or possessions can enhance the impact of a successful attack.

Examples:
* C-suite officials
* Accounting personnel
* HR personnel
* IT personnel

13
Q

C-Suite Officials

A

C-Suite officials are the highest-ranking executives within an organization, including CEOs, COOs, CFOs, CIOs, and CSOs. They are responsible for managing the company and making critical decisions that impact its success. Due to their important positions, they are often targeted by attackers seeking to gain access to sensitive data or compromise the organization’s systems.

14
Q

Accounting Personnel

A

Accounting personnel are responsible for managing an organization’s financial transactions and reporting. They handle sensitive financial information and are often targeted by attackers seeking to gain access to financial data or steal money through fraudulent activities.

15
Q

HR (Human Resources) Personnel

A

HR personnel manage an organization’s human resources and may be involved in recruiting, benefits administration, and ensuring labour law compliance. They handle sensitive employee information and may be targeted by attackers seeking to steal personal data or engage in identity theft.

16
Q

IT (Information Technology) Personnel

A

IT personnel manage an organization’s technology infrastructure and systems, including tasks such as network administration, software development, technical support, and information security. Due to their involvement in critical systems and data, they may be targeted by attackers seeking to exploit vulnerabilities or gain unauthorized access to sensitive information.

17
Q

Give examples of common Social Engineering Attacks

A

Common Social Engineering Attacks can include:

  • Impersonation
  • Pretexting
  • Quid pro quo
  • Phishing, SMiShing, and vishing
  • Spear phishing and whaling
  • Pharming
  • Baiting
  • Shoulder surfing
  • Dumpster diving
  • Tailgating
  • Piggybacking

18
Q

Impersonation

A

A social engineering attack where an attacker pretends to be someone they are not.

19
Q

Pretexting

A

Fabricating a fictional scenario in order to gain someone’s trust and sympathy and then obtain personal or sensitive information from them.

Simple terms: lying to get information. An attacker plays a character to get information.

20
Q

Quid pro quo

A

Promising some sort of benefit in exchange for something.
(Promising to provide a service for information).

21
Q

Phishing

A

Misrepresenting oneself via email to obtain sensitive information from authorized personnel, such as by claiming to be from the support desk or the government. Phishing is usually attempted against a broad audience with no specific target to see who responds.
(Attempt to gain sensitive information via email)

22
Q

SMiShing

A

Similar to phishing, but done through the use of SMS.
(Attempt to gain sensitive information via SMS)

23
Q

Vishing

A

(Voice Phishing) A tactic of social engineering in which an attacker engages in a phishing attack performed by phone rather than by email.
(Attempt to gain sensitive information with voice. Most likely a phone call).

24
Q

Spear Phishing

A

An attempt to fraudulently obtain information from a targeted individual or organization user via email. (Same as phishing, but targeted.)

25
Q

Whaling

A

Similar to spear phishing, but targeting a high-profile individual, such as a C-level officer.

26
Q

Pharming

A

Redirecting web traffic to a fraudulent website without the user’s knowledge or consent.

27
Q

Baiting

A

Enticing a potential victim with the promise of a desirable item such as free music, tablets, or movie downloads. Can also be done when a malicious individual leaves malware-infected removable media such as a USB drive or optical disc lying around in hope that an individual will plug it into their computer.

28
Q

Shoulder Surfing

A

Looking over someone’s shoulder as they log in to a computer or mobile device to capture their login information.

29
Q

Dumpster Diving

A

Going through someone’s trash in hopes of finding sensitive or useful information.

30
Q

Tailgating

A

Following an authorized individual into a secure area. The employee does not know the attacker is even behind them.

31
Q

Piggybacking

A

Similar to tailgating, but the primary difference is that the authorized individual actually knows that the attacker is following behind them. The individual being followed might know the attacker or they might not know the attacker and could be ignorant of the attacker’s intentions and lack of authorization.

32
Q

Typosquatting

A

Typosquatting is a form of cybercrime that involves hackers registering domains with deliberately misspelled names of well-known websites.

33
Q

Resources to Defend - How would you defend:

Organisational hardware and devices

A

Physically and logically secure devices so that an unauthorized person who gains access to the device cannot further exploit it.

34
Q

Resources to Defend - How would you defend:

Organisation Data

A

Don’t leave papers or digital media containing sensitive information lying around for attackers to snoop on.

35
Q

Resources to Defend - How would you defend:

Network Access

A

The end target of the social engineer might not be the organization’s network itself, but something else, such as a bank account, reputation, or political power. Ensure that your use of the network is secure so that it cannot be used to gain information.

36
Q

Resources to Defend - How would you defend:

Premises Access

A

Physical access by a bogus repair technician or cleaning person can reveal considerable information just from the tops of people’s desks, the trash, or even nameplates.

37
Q

Resources to Defend - How would you defend:

User Credentials

A

Protect your passwords, radio-frequency identification (RFID) badge, tokens and smart cards, and other authentication mechanisms so that an imposter cannot use your credentials to gain access.

38
Q

Guidelines to defending against social engineering attacks

General Awareness

A
  • Determine which of your assets are valuable to criminals.
  • Be aware of the information you’re releasing to others.
  • Be aware that long-time connections on social media may be faked.
  • Understand what data and resources you can access with your credentials. You’re responsible for their security.
  • Attackers can plant malware in pirated software, so make sure you’re acquiring software through official channels.
  • Recognize that social engineers try to gain your trust through deception.
  • Stay up to date on the latest social engineering techniques and keep others updated.
39
Q

Guidelines to defending against social engineering attacks

Recognise Warning Signs

A
  • Be suspicious of anyone asking for data or resources, whether in person, over the phone, or by email.
  • Determine if the person asking for information actually deserves to have that information.
  • Be suspicious of questions that don’t fit the person you’re talking to.
  • When someone requests something of you, always verify that person’s identity. Ask them for a number or email address.
  • Be suspicious of a sudden sense of pressure or urgency; do not allow yourself to be threatened, hurried, badgered, or confused into bypassing established organizational protocols, procedures, and security checks.
  • Be wary of CDs, DVDs, USB flash drives, websites, and emails that try to install anything.
40
Q

Guidelines to defending against social engineering attacks

Physical Surroundings

A
  • Be aware of your surroundings and the people around you.
  • When entering a building or restricted area, do not let anyone tailgate or piggyback after you.
  • When you pass through a locked door, always close it behind you.
  • Be mindful of strangers in your facility. Many organizations employ a visitor badging system or have employees escort visitors while in the facility.
  • Be mindful of others looking over your shoulder as you enter passwords. Consider installing a privacy screen/filter.
41
Q

Guidelines to defending against social engineering attacks

Emails

A
  • Don’t open emails from untrusted sources.
  • Don’t open unexpected attachments or click unexpected links.
  • Be suspicious of free offers.
  • Contact the sender directly if a suspicious email comes from a known contact.
42
Q

Guidelines to defending against social engineering attacks

Operational Practices

A
  • Watch for attacks in real time and contribute to a cybersecurity culture.
  • Ensure employees undergo end-user cybersecurity training.
  • Communicate with other team members about threats.
  • Follow secure deletion/disposal procedures.
  • Help compliance audits go smoothly.
  • Also follow additional policies and procedures:
    • Data privacy policies
    • Security policies
    • Facility policies