Monday, February 18, 2013

Nontechnical Methods Used for Scamming

It is evident that scammers will utilize a variety of techniques to launch their scams.  For the past 10 weeks I have discussed some of the technical methods they use, and in week 7 I briefly discussed the nontechnical methods attackers (hackers or scammers) use in an effort to obtain your personal information or information about the organization you work for.
This week I want to provide you with more information about the nontechnical methods that attackers will use to obtain your valuable information.  In addition to technical methods, attackers will utilize psychological manipulation and physical acts to obtain valuable information.  These nontechnical methods are more commonly referred to as social engineering attacks in the information security field.
Psychological manipulation is a method that attempts to persuade you to do something through the use of flattery, conformity, empathy, urgency, or friendliness.  Attackers will employ a variety of psychological manipulation tactics that include but are not limited to impersonation, phishing, spam, and hoaxes (Ciampa, 2012, p. 58).  Impersonation is the act of making others believe that you are someone you really are not.  According to Ciampa (2012), attackers will often take on the fictitious role of a repair person, an employee, a law enforcement official, a manager, or a trusted third party (p. 59).  In other words, attackers can impersonate just about anyone; their imagination is their only limit.
I discussed phishing in a previous post about 5 weeks ago.  It is one of the more preferred methods of attackers because it is very effective.  An area I failed to cover in my post on phishing was the various types of phishing attacks.  Some of the types of phishing attacks are as follows:
Pharming: when attackers alter a server on the Internet to redirect users to a fake Web site.  Users often don't even know they are visiting a fake Web site.
Spear phishing: a customized phishing attack that is tailored for a certain recipient.
Whaling: similar to spear phishing but targets recipients in upper management or that have a lot of money.
Vishing: when an attacker launches their attack by calling a victim instead of e-mailing them.
Spam is the unwelcome email you may receive.  Like phishing, spamming is very effective and can net the person responsible for sending it thousands if not millions of dollars.  Spam normally appears as an advertisement that tries to get you to purchase a product.  However, it is also commonly used by attackers to deliver viruses or other malicious code.
Hoaxes are normally delivered via email too.  They attempt to get you to do something by warning you about a false event.  The event did not and will not occur, and the "directions" may be a list of computer configuration changes that an attacker needs completed in order to gain access to a system.
As mentioned earlier, attackers also employ physical acts in order to obtain information.  Some attackers will even go through the trash looking for any information that may be of value to them.  Attackers are known to find documents in the trash that contain valuable information.  So double check that piece of paper for any information of value before you go to throw it away.
Another common physical act is known as tailgating.  Tailgating is when an attacker waits outside a secured door that has an automated access control system and follows someone who has access in.  An easy way to defend against tailgating is to make sure that no one follows you in after you enter and that the door secures behind you.  Additionally, you should report anyone hanging around a secured entry point to your organization's security personnel.
Don't fall victim to a social engineering attack.  Educate yourself, your employees, and your family members on the methods attackers employ in an attempt to obtain your valuable information.  Also, follow the security measures your organization has hopefully implemented.  And, in this instance, common sense goes a long way: do not comply with the demands in an email, phone call, or face-to-face visit if there is any doubt as to its validity.
References:
Ciampa, M. (2012). Security+ guide to network security fundamentals (4th ed.). Boston, MA: Course Technology.
