So, before you think I'm about to embark down some dark path of political rants, I can assure you I have neither the interest nor the desire to do so. Instead, as 2019 comes to an end, I thought it best to embark down a path of education as it pertains to a very real, and very prominent, cyber security threat: Social Engineering.
Needless to say, we are all creatures of habit. And collectively as a global society we are used to habits, social cues, and everyday common interactions that for the most part govern our days. This is where the concept of Social Engineering rears its ugly head—a collection of tricks and tools that the bad guys use to take advantage of good people and companies.
As a primary example, there is Quid Pro Quo. And again, though that phrase seems to have been made popular in US news cycles of late, this is altogether different. In a Quid Pro Quo scenario, the scam involves a trade of some sort—one that appears to be mutually beneficial.
The best example is that of receiving a call for tech support. By now, I'm sure you have received at least one call from the "Microsoft Support Team" claiming your PC is infected and must be fixed. The Quid Pro Quo here is handing over control of your computer to the stranger on the phone in the hope that this person will fix the supposed issue. The best advice here: tech support, unless it's someone calling from within your own organization, does not reach out to you unsolicited. Ignore these scams by hanging up.
Another example of Social Engineering is something referred to as Vishing (the voice version of Phishing). With Vishing, bad guys will pose as a coworker by calling a target to ask for login credentials or something else that could be potentially shared.
Vishing comes in two types: first, there are one-off scams known as Hunting, where a perpetrator tries to get as much information as possible in one shot. Second, there are scams that take place over several interactions, referred to as Farming. In either case, it's safe to say that one should never give away any details to strangers, whether on the phone or otherwise.
Another prime example is that of Pretexting. This one is simple but, unfortunately, effective. It's a ploy that gets you to interact with an email, usually in the form of a beneficiary or inheritance scenario. The victim, to receive what has supposedly been left to them, must give personal information to "verify" the transaction.
An all too common Social Engineering scam is Email Hacking and Contact Spamming. This one is extremely common: hackers simply break into and commandeer someone's email account, then spam that person's contacts. Because the sender's address is familiar, the chances of people falling for the scam increase exponentially.
The best way to avoid these is to be critical of things such as grammar, sentence style, and so on—if it sounds like your friend has partaken in too much holiday cheer, then it's probably a scam. Additionally, look at links or attachments that may be out of the ordinary. If it's not something your contact would usually send, pick up the phone and call them directly at the number you have in your files to ask if it's really them.
And, as a last example, there is a great scam called Baiting. The best example of this one is a hacker placing some nefarious code on a USB drive and leaving it in a public place (usually outside an office building on a bench, table, etc.). To use the USB drive as bait, they label it with something like "Bonuses" or "CEO Salary Files," or something else that will get a person's curiosity piqued. Of course, the moment it's plugged in, the code runs and infects that device and, from there, the network. The best advice here: if curiosity killed the proverbial cat, don't be a curious cat.
Social Engineering is a terrible thing—a way for the bad guys to prey on the trusting nature of good people. The best defense is to educate yourself, use common sense, channel your inner Sherlock Holmes, and find a sidekick to help you identify the crime before it happens.
January 26, 2021 | Vanessa Howard