Social Engineering (OBJ 2.2 & 5.6)

Introduction to Social Engineering

  • Definition of Social Engineering
    • Social engineering is a manipulative strategy that exploits human psychology to gain unauthorized access to systems, data, or physical spaces.
    • Techniques range from written communication (email, SMS) to phone calls and face-to-face interaction, targeting the human element rather than technical weaknesses in systems.
  • Importance of Security Awareness Training
    • Regular training for users to recognize and respond to social engineering attacks is crucial for maintaining security in digital and physical environments.

Course Objectives

  • Coverage of Objectives in Domain 2 and Domain 5
    • Focus on Objective 2.2: "Explain common threat vectors and attack surfaces."
    • Emphasis on social engineering and human-based attack vectors:
      • Phishing
      • Vishing
      • Smishing
      • Misinformation and disinformation
      • Impersonation
      • Business email compromise
      • Pretexting
      • Watering hole attacks
      • Brand impersonation
      • Typosquatting
    • Focus on Objective 5.6: "Given a scenario, you must be able to implement security awareness practices."
    • Implement practices such as conducting anti-phishing campaigns and training.

Motivational Triggers Used by Social Engineers

  • Familiarity
  • Likability
  • Consensus and Social Proof
  • Authority and Intimidation
  • Scarcity and Urgency

Forms of Social Engineering Techniques

Impersonation

  • Definition
    • Acting as someone else to deceive individuals. Impersonation underlies several of the listed attack vectors: impersonating a specific person, brand impersonation (posing as a company the target trusts), typosquatting (registering look-alike domains that catch mistyped or misread addresses), and watering hole attacks (compromising a site the targets are known to visit).
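Brand impersonation and typosquatting both rely on a domain that a hurried reader mistakes for the real one. The script below, an added example rather than material from the course, classifies a domain seen in mail headers, URLs or DNS logs against the brands an organisation owns. It folds common look-alike characters (digits for letters, rn for m, a few Cyrillic homographs), computes an edit distance that counts a transposition as one change, and then labels the candidate as a homoglyph, TLD swap, typosquat, "combosquat" (brand plus extra words) or brand-in-subdomain. PROTECTED_DOMAINS, the confusable table and every candidate domain are constructed for illustration, and the single-label TLD assumption is noted in the code.

```python
"""Lookalike-domain checker for typosquatting and brand impersonation.

Added example for these course notes, not code from the course itself.
PROTECTED_DOMAINS and every candidate domain below are constructed for
illustration; the confusable table is deliberately partial.
"""
from __future__ import annotations

import unicodedata

# Constructed: domains the organisation legitimately owns (assumption).
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# Partial table of characters attackers substitute because they look alike.
# Each entry maps a look-alike to one canonical form so folding is one-way;
# multi-character pairs come first so "rn" is handled before single letters.
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c",                  # Cyrillic p, c
}

# Lower rank = stronger impersonation signal; used to pick the best match.
RANK = {"homoglyph": 0, "tld-swap": 1, "typosquat": 2, "combosquat": 3, "brand-in-subdomain": 4}


def fold(label: str) -> str:
    """Canonicalise a DNS label: NFKC (fullwidth etc.), lowercase, then confusable folding."""
    s = unicodedata.normalize("NFKC", label).lower()
    for look, canon in CONFUSABLES.items():
        s = s.replace(look, canon)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def split_domain(domain: str) -> tuple[list[str], str, str]:
    """Return (labels, registrable_label, tld). Assumes a single-label public suffix
    such as .com; multi-part suffixes like .co.uk would need the Public Suffix List."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return labels, labels[0], ""
    return labels, labels[-2], labels[-1]


def classify(candidate: str, protected: list[str] = PROTECTED_DOMAINS) -> dict:
    """Classify a domain against the protected brands, returning the strongest match."""
    c_labels, c_label, c_tld = split_domain(candidate)
    cand = ".".join(c_labels)
    if cand in protected or any(cand.endswith("." + p) for p in protected):
        return {"domain": candidate, "verdict": "legitimate", "target": cand, "reason": "owned domain"}
    c_fold = fold(c_label)
    best = None
    for p in protected:
        _, p_label, p_tld = split_domain(p)
        p_fold = fold(p_label)
        reason = None
        if c_fold == p_fold:
            reason = "tld-swap" if c_tld != p_tld else "homoglyph"
        else:
            dist = osa_distance(c_fold, p_fold)
            if dist == 1 or (dist == 2 and len(p_fold) >= 8):
                reason = "typosquat"            # exmaple.com, examples.com
            elif p_fold in c_fold:
                reason = "combosquat"           # example-login.com
            elif p_label in c_labels[:-2]:
                reason = "brand-in-subdomain"   # example.com.login-secure.net
        if reason and (best is None or RANK[reason] < RANK[best["reason"]]):
            best = {"domain": candidate, "verdict": "suspicious", "target": p, "reason": reason}
    return best or {"domain": candidate, "verdict": "unrelated", "target": None, "reason": "no match"}


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in a mail gateway log.
    for d in ["mail.example.com", "examp1e.com", "ex\u0430mple.com", "exmaple.com", "example.net",
              "example-login.com", "example.com.login-secure.net", "example-bank.com", "google.com"]:
        r = classify(d)
        print(f"{d:32} {r['verdict']:10} {r['reason']:18} {r['target'] or ''}")
```

Running the block prints one line per sample domain. Folding both the candidate and the protected label with the same table keeps the comparison symmetric, so a protected name that itself contains a confusable pair (say "cl") still matches its own look-alikes; the one-way table avoids the loop that a two-way mapping such as 0 to o and o to 0 would create.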

Pretexting

  • Definition
    • A deceptive tactic where attackers invent a convincing scenario (the pretext) to manipulate targets into divulging sensitive information or taking an action on the attacker's behalf.
    • Common impersonations include trusted individuals or authority figures such as:
      • Bank officials
      • IT support
      • Law enforcement officers

Phishing Attacks

  • Types of Phishing Attacks
    • Phishing (mass email lures)
    • Vishing (voice phishing over the phone)
    • Smishing (SMS phishing)
    • Spear phishing (tailored to a specific individual or organization)
    • Whaling (targeting high-profile individuals such as executives)
    • Business Email Compromise (BEC): impersonating an executive, employee, or vendor to trigger payments or data disclosure

Prevention of Phishing Attacks

  • Conduct end-user training so employees recognize the indicators of a phishing message (unexpected urgency, mismatched sender or link addresses, requests for credentials or payments).
  • Run simulated anti-phishing campaigns and give users a simple way to report suspicious messages, so that detection and reporting rates can be measured over time.
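The indicators that training teaches users to spot can also be checked mechanically. The script below is an added example, not the course's own material: it parses a raw message with the standard library's email module and scores five indicators that map to the phishing, BEC, and impersonation vectors above (a trusted display name on an unowned sender domain, a Reply-To that steers replies elsewhere, an SPF/DKIM/DMARC failure recorded by the receiving gateway, urgency language, and link text that shows one host while the href points at another). OWNED_DOMAINS, BRAND_TOKENS, EXEC_NAMES, the weights and the three sample messages are all constructed for illustration.

```python
"""Header and body triage for suspected phishing and BEC mail.

Added example for these course notes, not the course's own material.
OWNED_DOMAINS, BRAND_TOKENS, EXEC_NAMES, the indicator weights and the
sample messages are constructed for illustration.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

OWNED_DOMAINS = {"example.com", "examplebank.com"}   # constructed: domains we send from
BRAND_TOKENS = {"example bank", "examplebank"}        # constructed: brand names attackers borrow
EXEC_NAMES = {"jane doe"}                             # constructed: people BEC lures impersonate
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now|verify now|wire)\b", re.I)
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)
WEIGHTS = {"display-name-impersonation": 4, "auth-fail": 4, "reply-to-mismatch": 3,
           "link-text-mismatch": 3, "urgency-language": 1}   # assumption: tune on real mail


def registrable(host: str) -> str:
    """Last two labels of a host; a real deployment would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def triage(raw: str) -> dict:
    """Score one raw RFC 5322 message and return the indicators that fired."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = addr.rpartition("@")[2].lower()
    hits = []

    # Impersonation: a trusted name or brand in the display name, sent from a domain we do not own.
    low = name.lower()
    if from_dom not in OWNED_DOMAINS and (low in EXEC_NAMES or any(t in low for t in BRAND_TOKENS)):
        hits.append("display-name-impersonation")

    # A Reply-To that redirects the conversation to a different domain is classic BEC.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != from_dom:
        hits.append("reply-to-mismatch")

    # The gateway's SPF/DKIM/DMARC result (only trust this header when your own MX added it).
    auth = str(msg.get("Authentication-Results", "")).lower()
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth):
        hits.append("auth-fail")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        hits.append("urgency-language")

    # Link text that displays one host while the href actually goes to another.
    for href, label in ANCHOR.findall(body):
        shown = HOSTLIKE.search(re.sub(r"<[^>]+>", "", label))
        real = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(real):
            hits.append("link-text-mismatch")
            break

    score = sum(WEIGHTS[h] for h in hits)
    verdict = "phishing-likely" if score >= 6 else "review" if score >= 3 else "clean"
    return {"from": addr, "indicators": hits, "score": score, "verdict": verdict}


# Constructed sample messages (not real mail); .test is a reserved TLD.
BEC_LURE = """\
From: "Jane Doe" <jane.doe@webmail-free.test>
Reply-To: jane.doe.private@another-webmail.test
To: bob@example.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail-free.test; dkim=pass
Content-Type: text/plain

Bob, I am stuck in a meeting and need you to wire $48,000 immediately. Reply for the details. - Jane
"""

BRAND_LURE = """\
From: "Example Bank Security" <alerts@examplebank-secure.test>
To: bob@example.com
Subject: Your account will be suspended
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examplebank-secure.test; dkim=fail
Content-Type: text/html

<p>Verify now: <a href="http://login.examplebank-secure.test/verify">https://www.examplebank.com/login</a></p>
"""

CLEAN_MAIL = """\
From: "Alice Smith" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/plain

Are you free Thursday at noon?
"""

if __name__ == "__main__":
    for sample in (BEC_LURE, BRAND_LURE, CLEAN_MAIL):
        print(triage(sample))
```

The weights are a starting point, not a model: the point of the example is that each indicator corresponds to something users are trained to notice, and a gateway rule that surfaces them alongside a reported message makes the awareness training and the technical control reinforce each other. The Authentication-Results check is only meaningful when your own receiving server stripped any inbound copy of that header before adding its own.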

Understanding Frauds and Scams

  • Definition of Frauds and Scams
    • Deceptive practices designed to trick individuals into giving away money or valuable information.
  • Train users to identify such schemes and to remain vigilant against them.

Influence Campaigns

  • Definition
    • Psychological attacks that spread misinformation (false information shared without intent to deceive) and disinformation (false information created and spread deliberately to deceive).
    • Potential effects on politics, economics, and other essential aspects of life.

Other Social Engineering Attacks

  • Overview of Various Attacks
    • Diversion theft (redirecting a delivery or shipment to the attacker)
    • Hoaxes (false warnings or claims that prompt users into harmful actions)
    • Shoulder surfing (observing screens or keypads to capture credentials or data)
    • Dumpster diving (recovering sensitive information from discarded materials)
    • Eavesdropping (listening in on conversations or unprotected communications)
    • Baiting (leaving infected media or tempting downloads for victims to pick up)
    • Piggybacking (an authorized person knowingly lets the attacker through a controlled door)
    • Tailgating (the attacker follows an authorized person through a controlled door without their knowledge)

Quiz and Conclusion

  • Quiz to test knowledge retention of the learned material.
  • Review of quiz questions to clarify the correct answers and reinforce understanding of the concepts.

Summary

  • The course will cover everything from the basics of social engineering to the various tactics used by social engineers, prevention strategies, and practical exercises in recognizing and responding to such threats.