Introduction ⭐
>Who are these adversaries?
- They may be competitors, criminals, spies, unhappy employees, terrorists, or troublemakers. They may be motivated by money, revenge, or political beliefs, to name a few.
- There are numerous ways adversaries collect information. Some of the more common methods include social engineering, phishing, accidental disclosure, googling, and dumpster diving. These methods are described over the next few pages followed by some basic countermeasures.
Social Engineering👪
- Social engineering is a collection of techniques used to manipulate people into revealing sensitive or other critical information. Those who engage in social engineering rely on people’s natural tendency to trust. In fact, it’s often easier for an adversary to obtain information by simply asking the right questions than by using technical hacking methods.
- Social engineering is sometimes conducted by phone. The caller may pretend to be someone in a position of authority or a telephone or computer technician, gradually pulling information out of the targeted person. Often the adversary will call several employees and piece together enough information to launch an attack. Help desk employees are often targeted by an adversary because they’re trained to be friendly and provide information.
- Social engineering can also occur through online social forums, at professional conferences, and at non-work social events, to name a few examples.
- The first objective of an adversary attempting social engineering is to convince you that they are in fact a person that you can trust with critical information.
Phishing
Phishing scams may be the most common types of social engineering attacks used today. Most phishing scams demonstrate the following characteristics:
- Seek to obtain personal information, such as names, addresses, and social security numbers.
- Use link shorteners or embed links that redirect users to suspicious websites in URLs that appear legitimate.
- Incorporate threats, fear, and a sense of urgency in an attempt to manipulate the user into acting promptly.
Some phishing emails are more poorly crafted than others, to the extent that their messages often exhibit spelling and grammar errors; but these emails are no less focused on directing victims to a fake website or form where attackers can steal user login credentials and other personal information.
“A recent scam sent phishing emails to users after they installed cracked APK files from Google Play Books that were pre-loaded with malware. This specific phishing campaign demonstrates how attackers commonly pair malware with phishing attacks in an effort to steal users’ information.” – from Tripwire
If you receive a suspicious email, normally the best defense is to ignore and delete the message. Your organization may have specific procedures to deal with suspicious email and web pop-ups.
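As an added example (not part of the original course material), a small Python checker that looks for the three phishing characteristics listed above in a constructed sample email: link text that does not match the real destination or goes through a link shortener, urgency language, and requests for personal data. The sample message, the term lists and the function names are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Constructed sample phishing email (not a real message), embedded so the
# check runs offline.
SAMPLE_EMAIL = """<p>Dear customer, your account will be suspended within 24 hours.</p>
<p>Verify your social security number at
<a href="http://bit.ly/x1">https://www.example-bank.com/verify</a> immediately.</p>"""

URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "urgent", "act now")
PII_TERMS = ("social security number", "password", "date of birth", "account number")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl")  # common link shorteners

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(text):
    """Hostname of a URL or bare domain, or '' if the text is not one."""
    m = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.strip(), re.I)
    return m.group(1).lower() if m else ""

def phishing_clues(html_body):
    """Return the clues found in an HTML email body, one string per clue."""
    parser = LinkExtractor()
    parser.feed(html_body)
    clues, lowered = [], html_body.lower()
    for href, text in parser.links:
        host, shown = hostname(href), hostname(text)
        if shown and shown != host:  # displayed destination differs from the real one
            clues.append(f"link text shows {shown} but points to {host}")
        if any(host == s or host.endswith("." + s) for s in SHORTENERS):
            clues.append(f"shortened link via {host}")
    clues += [f"urgency language: '{t}'" for t in URGENCY_TERMS if t in lowered]
    clues += [f"asks for personal data: '{t}'" for t in PII_TERMS if t in lowered]
    return clues
```

Run `phishing_clues(SAMPLE_EMAIL)` to list the clues in the sample; a benign internal message with a matching link text and destination returns an empty list.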
Spot the Clues

This email may seem legitimate. However, a closer look reveals this is a clever attempt to gather private information and compromise the recipient’s security.
Read through the email and see if you can identify all the clues that tip off this phishing attempt. When you think you’ve found them all,
All clues are highlighted in yellow.
Do’s👍 & Don’ts👎

Dumpster Diving
- Dumpster diving is the act of rummaging through commercial or residential trash and recycle bins to find useful items (including information) that have been discarded.
- At your workplace, adversaries may search for proposal drafts, financial data, architectural designs, and personnel data, both on paper and on media such as thumb drives. Bear in mind that dumpster divers aren’t just looking for formal documents: Post-it Notes and scraps of notebook paper often contain phone numbers, passwords, and other critical information.
- Take care with information that is no longer valuable to you because it may have tremendous value to someone else. Follow your organization’s policies and procedures on proper disposal of information and equipment when they are no longer needed. The following are some common practices:
- Shred paper documents, using a cross-cut shredder if possible.
- Whenever possible, sanitize or physically destroy hard drives and other electronic devices that store information (this is discussed in more detail in the “Information Protection” lesson).
- For devices that cannot be sanitized, physically destroy them.
Social Media Cybersecurity
While some of the personal pitfalls with social media use are widely known, there are also many risks for businesses that are less understood. Decide if the following are fact or fiction.
What your employees do on their personal social media poses little to no risk to your organization.
FACT or FICTION
FICTION:
Social media is a place where people let their guard down. It’s what your employees check on their lunch break; it’s what they do when they arrive home from work and before they go to sleep at night. On social media sites, where the atmosphere is casual, the tendency to let certain information slip is greater, which brings risk.
The information your employees freely post to social media can (and probably will) be used against them. Many times, attackers will use social media as a reconnaissance tool to socially engineer their targets. Suddenly, the fact you publicly tweeted that you went to a leadership conference can be used to craft a targeted phishing email containing a malicious link. While the Nigerian princes of yesteryear might instantly raise eyebrows, if an email is customized to the recipient, the likelihood of the intended response increases.
Solving the Problem:
First, be pragmatic and realize that social media will always be attractive to attackers. But there are ways you can reduce the attack surface. Educate your employees on how much they should expose on social media as well as how to make the best use of available privacy settings.
It’s best to have one person tasked with maintaining, monitoring, and acting as an administrator for your various social media accounts.
FACT or FICTION
FICTION:
In theory, this is a best practice – especially for smaller organizations that may lack a dedicated social staff. However, there are security risks with having one person with all the social media tribal knowledge. This risk is amplified when the social media manager mixes personal with professional.
For example, if your sole administrator has their personal account attached to your corporate accounts, and their personal account is hacked, you will land in some hot water by extension. Not only does this threaten security, but it also has the potential to threaten your brand image as well. If even a few incendiary tweets come from your corporate account, it could push clients away and lead to negative media attention.
Solving the Problem: Designate one person as the “main administrator,” but make sure that other employees – key executives, human resources, or the marketing department – have access to the social media information available. Furthermore, store the passwords to all your corporate accounts in a shared password manager. No employee should be able to easily rattle off any password, and none of your corporate social media passwords should be simple. A password manager can keep your passwords secure as well as help generate stronger ones.
Social media is keeping pace with advancements in security.
FACT or FICTION
FACT:
It is, but don’t let this lull you into a false sense of safety. The responsibility for security does not rest with the social media sites. At the end of the day it’s your problem to own. The controls only work as well as they are used.
Solving the Problem: You can stay ahead of the threat by implementing (and enforcing) a social media policy at your organization. While social media policies traditionally are often concerned with how employees should conduct themselves and how they should associate themselves with the organization, security needs to be part of the equation as well. A robust social media policy will incorporate security concerns – password guidelines as well as who can access the account – alongside more guidelines that are geared toward brand standards.
“Social media may not be at the forefront of your organization’s security radar, but there are certain aspects – your employees’ willingness to possibly overshare, access to corporate accounts and security controls – that demand a level of scrutiny. A social media policy (and training) will be the best tools in your arsenal as these platforms become even more of a cornerstone of our modern existence.” – Fiction and facts were taken from “What You Need To Know Now About Cybersecurity And Social Media” Christie Terrill, Forbes.
Wireless Security
In this day and age, countless devices exist with built-in wireless technology. Devices such as refrigerators, TVs, coffee makers, etc. now have the ability to connect to the Internet, play music, send pictures, alert you of problems, etc. With the arrival of these devices, life has never been more convenient. However, these modern-day conveniences can pose security issues if left unprotected.
Incorporating wireless security practices such as password protection and Wi-Fi encryption can prevent unauthorized access or damage to devices through wireless networks.
Examples of encryption types include:

Section Summary
- Social engineering is a collection of techniques used to manipulate people into revealing critical information.
- Phishing is the act of sending an email or web pop-up that falsely claims to be a legitimate enterprise in an attempt to scam the user into surrendering private information such as credit card numbers and passwords.
- Dumpster diving is the act of rummaging through commercial or residential trash and recycle bins to find useful items (including information such as work schedules and network diagrams).
- A rigorous social media policy (and training) will be one of the best tools in your arsenal as these platforms become even more of a cornerstone of our modern existence.
- Incorporating wireless security practices can prevent unauthorized access or damage to devices through wireless networks.