
ID: 3742189 • Letter: D

Question

Discussion Requirements

You are provided a handout to complete this assignment.

Tasks

In this discussion:

Discuss social engineering attacks based on the provided techniques.

Identify and discuss appropriate security awareness training that will offset the identified attacks.

Discuss why social engineering attacks are particularly difficult to prevent.

Begin the discussion by describing why the techniques on the handout are successful and identifying types of attacks that use those techniques. Continue by discussing the following:

What social engineering attacks are you familiar with based on prior work experience?

Have you found any particular type of training particularly effective or ineffective?

Summarize your thoughts in a Microsoft Word document checking for spelling and grammar, then submit it directly (cut & paste) into the discussion thread. Respond to at least two other students’ views to engage in a meaningful debate regarding their posts or to defend your post.

Required Resources

Textbook and Internet

Handouts:

Social Engineering Defense Issues

Attacker Motivations

Submission Requirements

Format: Please enter directly into the Discussion Question window

Citation Style: Follow APA

At least 300 words

Spelling and grammar count, so I suggest you first type your post into MS Word and check for spelling and grammar. You can then cut & paste into the Discussion Question thread.

Self-Assessment Checklist

I identified at least one social engineering attack for each technique.

I identified at least one security awareness training solution to offset each attack.

Explanation / Answer

WHAT IS SOCIAL ENGINEERING

Social engineering is the term used for a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Social engineering attacks happen in one or more steps. A perpetrator first investigates the intended victim to gather necessary background information, such as potential points of entry and weak security protocols, needed to proceed with the attack. Then, the attacker moves to gain the victim’s trust and provide stimuli for subsequent actions that break security practices, such as revealing sensitive information or granting access to critical resources.

SOCIAL ENGINEERING ATTACK TECHNIQUES

Social engineering attacks come in many different forms and can be performed anywhere where human interaction is involved. The following are the five most common forms of digital social engineering assaults.

Baiting

As its name implies, baiting attacks use a false promise to pique a victim’s greed or curiosity. They lure users into a trap that steals their personal information or infects their systems with malware.

The most reviled form of baiting uses physical media to disperse malware. For example, attackers leave the bait—typically malware-infected flash drives—in conspicuous areas where potential victims are certain to see them (e.g., bathrooms, elevators, the parking lot of a targeted company). The bait has an authentic look to it, such as a label presenting it as the company’s payroll list.

Victims pick up the bait out of curiosity and insert it into a work or home computer, resulting in automatic malware installation on the system.

Baiting scams don’t necessarily have to be carried out in the physical world. Online forms of baiting consist of enticing ads that lead to malicious sites or that encourage users to download a malware-infected application.

Scareware

Scareware involves victims being bombarded with false alarms and fictitious threats. Users are deceived into thinking their system is infected with malware, prompting them to install software that has no real benefit (other than for the perpetrator) or is malware itself. Scareware is also referred to as deception software, rogue scanner software and fraudware.

A common scareware example is the legitimate-looking popup banner that appears in your browser while surfing the web, displaying text such as, “Your computer may be infected with harmful spyware programs.” It either offers to install the tool (often malware-infected) for you, or directs you to a malicious site where your computer becomes infected.

Scareware is also distributed via spam email that doles out bogus warnings, or makes offers for users to buy worthless/harmful services.

Pretexting

Here an attacker obtains information through a series of cleverly crafted lies. The scam is often initiated by a perpetrator pretending to need sensitive information from a victim so as to perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-workers, police, bank and tax officials, or other persons who have right-to-know authority. The pretexter asks questions that are ostensibly required to confirm the victim’s identity, through which they gather important personal data.

All sorts of pertinent information and records are gathered using this scam, such as social security numbers, personal addresses and phone numbers, phone records, staff vacation dates, bank records and even security information related to a physical plant.

Phishing

As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims. It then prods them into revealing sensitive information, clicking on links to malicious websites, or opening attachments that contain malware.

An example is an email sent to users of an online service that alerts them of a policy violation requiring immediate action on their part, such as a required password change. It includes a link to an illegitimate website—nearly identical in appearance to its legitimate version—prompting the unsuspecting user to enter their current credentials and new password. Upon form submittal the information is sent to the attacker.

Given that identical, or near-identical, messages are sent to all users in phishing campaigns, detecting and blocking them is much easier for mail servers that have access to threat-sharing platforms.

Spear phishing

This is a more targeted version of the phishing scam whereby an attacker chooses specific individuals or enterprises. They then tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attack less conspicuous. Spear phishing requires much more effort on behalf of the perpetrator and may take weeks or months to pull off. These attacks are much harder to detect and have better success rates if done skillfully.

A spear phishing scenario might involve an attacker who, in impersonating an organization’s IT consultant, sends an email to one or more employees. It’s worded and signed exactly as the consultant normally does, thereby deceiving recipients into thinking it’s an authentic message. The message prompts recipients to change their password and provides them with a link that redirects them to a malicious page where the attacker now captures their credentials.
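The two defensive points made in the phishing and spear phishing sections above (near-identical campaign messages can be fingerprinted and blocked in bulk; a link that poses as the legitimate site while pointing at a lookalike domain is the tell-tale of the credential-harvesting page) can both be checked mechanically. This is an added example, not code from the original answer; the sample mailbox is constructed and `example.com` is an assumed trusted service domain.

```python
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Traits of the phishing message described above: urgency plus a credential request.
URGENCY = ("immediate action", "policy violation", "within 24 hours", "will be suspended")
CREDENTIAL = ("password", "credentials", "log in", "sign in")

def fingerprint(body: str) -> str:
    """Campaign fingerprint: drop the personalised greeting, URLs, digits and spacing, then
    hash; near-identical copies sent to many users collapse to one value a mail server can block."""
    text = re.sub(r"^\s*(dear|hi|hello)\b[^,\n]*[,\n]", "", body.lower())
    text = re.sub(r"https?://\S+", "<url>", text)
    text = re.sub(r"\d+", "<n>", text)
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def lookalike_link(anchor: str, href: str, trusted: str) -> bool:
    """True when a link leaves the trusted domain while posing as it: the anchor text names
    the trusted domain, or the host is a lookalike that embeds the brand name."""
    host = (urlparse(href).hostname or "").lower()
    on_trusted = host == trusted or host.endswith("." + trusted)
    return not on_trusted and (trusted in anchor.lower() or trusted.split(".")[0] in host)

def indicators(msg: dict, trusted: str) -> list[str]:
    """Phishing traits present in one message; an empty list means none were found."""
    body = msg["body"].lower()
    found = [name for name, phrases in (("urgency", URGENCY), ("credential request", CREDENTIAL))
             if any(p in body for p in phrases)]
    if any(lookalike_link(anchor, href, trusted) for anchor, href in msg["links"]):
        found.append("lookalike link")
    return found

def campaigns(messages: list[dict]) -> Counter:
    """Messages per fingerprint; a count well above one marks a mass campaign."""
    return Counter(fingerprint(m["body"]) for m in messages)

# Constructed sample mailbox (assumption); example.com is the assumed trusted service domain.
SAMPLES = [
    {"from": "security@example-com.net", "links": [("example.com account portal", "https://example-com.net/reset")],
     "body": "Dear Alice,\nA policy violation on account 4471 requires immediate action. Sign in and change your password within 24 hours."},
    {"from": "security@example-com.net", "links": [("example.com account portal", "https://example-com.net/reset")],
     "body": "Dear Bob,\nA policy violation on account 9012 requires immediate action. Sign in and change your password within 24 hours."},
    {"from": "alice@example.com", "links": [("agenda", "https://docs.example.com/q3")],
     "body": "Hi Bob,\nThe agenda for Thursday's meeting is attached. See you there."},
]

if __name__ == "__main__":
    print([indicators(m, "example.com") for m in SAMPLES], campaigns(SAMPLES).most_common())
```

The two personalised copies of the password-change lure share one fingerprint, so a threat-sharing feed needs only that value to block the whole campaign, while the routine internal message raises no indicator.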

The Need for Security Awareness and Education

While reading about these social engineering tricks, you might ask: why would a cyber criminal waste time devising a sophisticated high-tech scam when he knows that the same result (or even one that surpasses his boldest expectations) can be achieved with a much simpler offline swindle?

Presumably, the weakest link in the chain of cyber security is not technological; it is human. And human beings are susceptible to psychological manipulation. Social engineering is not a new occurrence. It has been around in one form or another since the beginning of time.

One of the greatest threats to information security could actually come from within your company or organization. Uninformed users can do harm to your network by visiting websites infected with malware, responding to phishing e-mails, storing login information in an unsecured location or even giving out sensitive information when exposed to social engineering.

Security awareness training is a must to protect a network against ransomware, phishing and other social engineering attacks. Employees are constantly exposed to sophisticated phishing attacks and they need to be able to spot red flags related to suspicious emails. A good security awareness program should educate employees about procedures for working with information technology.

Today, employees are frequently exposed to sophisticated phishing attacks. Employees are part of an organization’s attack surface and ensuring that they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. An organization’s leaders should understand what goes into building an effective security awareness training program, get involved and offer feedback throughout the process. Protecting your company or organization online begins with ensuring your employees are prepared to assist in keeping computers and networks safe.

Information security is a process that moves through phases, building and strengthening itself along the way. Security awareness can be grouped into three distinct phases: prevention, detection and response. The ultimate goal of an effective security awareness program is to protect three unique attributes of information:

• Confidentiality | Proprietary information should only be seen by those persons authorized to see it.

• Integrity | Measures must be taken to insulate information from accidental and/or deliberate change.

• Availability | Information must be available to only authorized persons when needed.

Information security protects these attributes by:

• Protecting confidentiality

• Ensuring integrity

• Maintaining availability

The best security awareness training program can’t help a company or organization unless all of the employees understand their roles and responsibilities in safeguarding sensitive data and protecting company resources. Practices and policies must be put in place that promote security awareness. An effective security awareness program should include education on specific threat types:

• Phishing

• Social Engineering

• Malware

• Trojans

• Viruses

The most common security attack that I have seen in my organization is phishing.

And security awareness training has helped the IT administrators a lot to prevent phishing. The basic things covered as part of the training are: