B 15: PEOPLE HACKING: INDICATORS OF SOCIAL ENGINEERING ATTACKS

 



INDICATORS OF SOCIAL ENGINEERING ATTACKS

In the context of social engineering, there are several indicators that can help identify potential attacks.

Here are some key aspects:

Unexpected Communication:

Social engineering attacks often start with unexpected messages. The recipient is usually not expecting a message from the sender, especially not about the subject involved.

Urgency:

Attackers often create a sense of urgency to make the victim act quickly without thinking. For example, an email could say, “give us your details, and you get a £500 voucher card.” If a message heightens an emotion and makes you rush to respond, it may be a social engineering attack.

Request for Private Information:

If an unknown person asks for your private information or for you to do a task, it could be a sign of a social engineering attack.

Pressure to Keep Secrets:

Attackers may pressure you to respond quickly and not tell anyone else about the communication.

Fake or Suspicious Contact Information:

Attackers may use fake contact information or impersonate someone you know.

Intrusive Questions:

The questions asked by an attacker can sometimes be a dead giveaway that it’s a social engineering attack. This can be either through the number of questions asked or the type of questions.

Vague Identification:

A clear sign is an absence of specific and reliable information about who is making the request.

Out of the Ordinary Requests:

In most cases, social engineering requests ask the potential victim to do something they have never done before.

Potentially Harmful Actions:

If the requested action is performed, could it be potentially harmful to the recipient or their organization? Being asked to open documents, execute programs, send information or put in passwords are all examples of potentially harmful actions.

Suspicious Sender’s Address:

The sender’s address may imitate a legitimate business. Cybercriminals often use an email address that closely resembles one from a reputable company by altering or omitting a few characters.

By understanding these indicators, individuals and organizations can better protect themselves against social engineering attacks.
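The "Suspicious Sender’s Address" indicator above describes addresses that differ from a reputable company's by a few altered or omitted characters. As an added example (not part of the original post), this Python check flags such lookalike sender domains by edit distance against an allow-list; the trusted domains, sample headers, function names and the threshold of 2 are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): domains the organisation really deals with.
TRUSTED_DOMAINS = {"example.com", "example-bank.co.uk"}

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap adjacent."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched trusted domain or None) for one From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    for good in sorted(trusted):
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    nearest, dist = min(((g, edit_distance(domain, g)) for g in sorted(trusted)),
                        key=lambda pair: pair[1],
                        default=(None, max_distance + 1))
    if dist <= max_distance:
        return ("lookalike", nearest)  # a few characters altered or omitted
    return ("unknown", None)

# Constructed sample headers, not taken from real mail.
SAMPLES = [
    "Example Bank <alerts@examp1e.com>",   # one character altered
    "billing@exmaple.com",                 # two characters swapped
    "it-support@exampl.com",               # one character omitted
    "hr@mail.example.com",                 # genuine subdomain
    "news@unrelated.org",                  # simply a different sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

A "lookalike" verdict is a reason to verify the sender through a known channel, not proof of an attack; short legitimate domains can sit within two edits of each other, so the threshold needs tuning against real traffic.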

 

 

B 14: PEOPLE HACKING: TARGET ANALYSIS: HOW ATTACKERS CHOOSE THEIR VICTIMS

 



TARGET ANALYSIS: HOW ATTACKERS CHOOSE THEIR VICTIMS

In the context of social engineering, attackers often use a methodical approach to choose their victims.

Here are some key aspects of target analysis:

Data Gathering:

Attackers gather as much data as possible about the intended victim. This could include personal information, work details, habits, and interests.

Identifying Vulnerabilities:

Based on the collected data, attackers identify potential vulnerabilities. These could be anything from a lack of cybersecurity awareness to certain personality traits, or even specific life circumstances.

Choosing the Medium and Message:

Once the attacker knows the intended victim, they choose the appropriate medium (e.g., email, phone call, personal contact) and the appropriate message. The medium and the message are equally important to the success of the attack.

Exploiting Human Motivations:

Attackers attempt to manipulate human motivations, including the need to help, an impulse to respond to urgent requests, and our sense of self-interest.

Creating a Condition of “False Trust”:

The goal of a social engineer is to carefully create a condition of “false trust,” where an individual reveals information or otherwise takes an action that leads to a security breach.

Manipulating the Human Element:

Social engineers try to put victims in a mindset that makes them highly suggestible and willing to take actions that they would otherwise find questionable.

Using the Right Technology:

Attackers know that the right message delivered using the wrong technology will lead to failure.

By understanding these aspects of target analysis, individuals and organizations can better protect themselves against social engineering attacks.

 

B 13: PEOPLE HACKING: PERSONALITY TYPES AND SOCIAL ENGINEERING


PERSONALITY TYPES AND SOCIAL ENGINEERING

In the context of social engineering, understanding personality types can be crucial as it can influence an individual’s susceptibility to different types of attacks.

Here are some key aspects:

Extraversion:

Individuals who are extroverted may be more susceptible to social engineering attacks that involve direct human interaction, such as pretexting or baiting.

Agreeableness:

People who are agreeable are typically cooperative and like to maintain positive social interactions. They might be more susceptible to attacks that involve a perceived authority figure or a request for help.

Conscientiousness:

Highly conscientious people are organized and dependable. They might be less likely to fall for attacks due to their careful nature, but they could be targeted with attacks that exploit their sense of duty and responsibility.

Neuroticism:

Individuals with high levels of neuroticism are more likely to experience emotions such as anxiety and fear. They might be more susceptible to attacks that create a sense of urgency or fear.

Openness to Experience:

People who are open to experience are curious and have a wide range of interests. They might be more susceptible to attacks that involve new or unusual requests.

Trust:

Individuals who are trusting may be more vulnerable to social engineering attacks, as they are more likely to believe the attacker’s lies or deceptions.

Social Responsibility:

Individuals who feel a strong sense of social responsibility may be more susceptible to social engineering attacks that involve a request for help or a cause.

Risk-taking:

Individuals who are more willing to take risks may be more susceptible to social engineering attacks, as they may engage in behaviours that put them at risk.

Impulsivity:

Impulsive individuals may be more susceptible to social engineering attacks that create a sense of urgency, as they may act without fully considering the consequences.

Compliance:

Individuals who are compliant are more likely to follow rules and instructions, which could make them targets for attacks that involve a perceived authority figure.

Understanding these personality traits can help in developing strategies to prevent social engineering attacks.


B 12: PEOPLE HACKING: UNDERSTANDING HUMAN VULNERABILITIES

 


UNDERSTANDING HUMAN VULNERABILITIES

In the context of social engineering, understanding human vulnerabilities involves recognizing how our inherent traits and behaviors can be exploited by attackers.

Here are some key aspects:

Trust:

Humans are inherently trusting, especially of those they consider part of their in-group. This can be exploited in social engineering attacks where the attacker poses as a trusted individual or entity.

Curiosity:

Our natural curiosity can lead us to click on links or open files that we shouldn’t, especially if they’re presented in a compelling or intriguing way.

Ignorance:

Not everyone is well-versed in the tactics used by social engineers, making them more susceptible to these types of attacks.

Desire to Help:

Many people have a strong desire to help others, especially if they believe the person is in distress. Attackers can exploit this by posing as someone in need.

Authority:

People tend to comply with requests from authority figures without question. Social engineers often impersonate bosses, law enforcement, or other figures of authority to trick their targets into complying with their requests.

Reciprocity:

People tend to want to return a favour when someone helps them, which can be exploited in a social engineering attack.

Social Validation:

People often look to others for cues on how to behave. Attackers can use this tendency to manipulate individuals into taking actions they might not otherwise take.

Scarcity:

When something is scarce or time-limited, people are often compelled to act quickly without fully considering the consequences.

Fear:

Fear is a powerful motivator. Attackers often use scare tactics to rush individuals into providing sensitive information or granting access to systems.

Laziness:

People often seek the path of least resistance, which can sometimes lead to lax security habits.

By understanding these vulnerabilities, we can better protect ourselves and our organizations from social engineering attacks.


 

B 11: PEOPLE HACKING: THE PSYCHOLOGY OF SOCIAL ENGINEERING.


THE PSYCHOLOGY OF SOCIAL ENGINEERING

You Can’t Force Compliance:

Social engineering is not mind control. You can never guarantee compliance; even threats of death are not persuasive enough in all situations.

Social Engineering Increases The Likelihood Of Compliance:

Despite the fact that you can’t force compliance, social engineering is still highly effective. This is because social engineering tactics increase the likelihood of compliance.

Emotions Motivate Behaviour:

Emotion is the key to increasing the likelihood of compliance (i.e., performing a desired behaviour). Emotions are the motivating force behind behaviour, and provide the goals that shape and direct our decisions.

Emotions Are Based on Physical States:

The experience and label of an emotion are based upon how we interpret our core affective state, using our knowledge and understanding of the emotion.

Affect Emotions, Affect Behaviour:

If you can affect the source of a behaviour, then you can affect the behaviour itself.

Principle of Reciprocity:

People are inclined to be fair. If someone does something for us, we naturally want to do something for them. In social engineering, an attacker might give something to the target (like a small gift or favour) to induce a sense of obligation to give something back.

Principle of Authority:

People tend to obey authority figures. Attackers often pose as bosses, law enforcement, or other figures of authority to trick their targets into complying with their requests.

Principle of Consistency:

People like to be consistent with things they have previously said or done. Attackers can exploit this by getting their targets to agree to a small, innocuous request before hitting them with a larger, more damaging one.

Principle of Liking:

People are more likely to comply with requests from people they like. Attackers can exploit this by building rapport with their targets or by pretending to have common interests.

Principle of Scarcity:

Opportunities seem more valuable to us when they are less available. Attackers can create a sense of urgency or exclusivity to pressure their targets into making hasty decisions.

Understanding these principles can help individuals and organizations build defences against social engineering attacks. By being aware of these tactics, we can be better prepared to recognize and resist social engineering attempts.

 

 

 

B 10: PEOPLE HACKING: UNDERSTANDING THE SOCIAL ENGINEERING THREAT LANDSCAPE

 



SOCIAL ENGINEERING THREAT LANDSCAPE

In the context of social engineering, understanding the threat landscape involves recognizing the various tactics and techniques used by attackers to manipulate human behaviour and exploit vulnerabilities.

Here are some key aspects:

Human Error:

A significant number of security incidents (40% by conservative estimates) are caused by human behaviour, such as clicking on a phishing link.

Social Engineering Techniques:

Social engineering is a broad term used for malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Phishing:

The most dominant form of social engineering attack is phishing. Phishing is a form of fraud where an attacker pretends to be a person or company known to the target and sends them a message asking for access to a secure system in the hope of exploiting that access for financial gain.

Spear Phishing:

Spear phishing messages are targeted, personalized attacks aimed at a specific individual. These attacks are typically designed to appear to come from someone the user already trusts, with the goal of tricking the target into clicking a malicious link in the message.

Whale-phishing or Whaling:

Whaling is a form of spear phishing aimed at high-profile, high-value targets like celebrities, company executives, board members, and government officials.

AI’s Role in Social Engineering:

AI supercharges the threat of social engineering by offering tools to execute these deceptive strategies with both precision and scale.

Understanding these aspects of the social engineering threat landscape can help individuals and organizations recognize, defend against, and mitigate the risks these attacks pose.

 


 



PEOPLE HACKING AWARENESS (SOCIAL ENGINEERING): 9: UNDERSTANDING THE HACKING THREAT LANDSCAPE

 



UNDERSTANDING THE HACKING THREAT LANDSCAPE

The term “Threat Landscape” refers to the entirety of potential and identified cyber threats that affect a particular sector, group of users, or a specific time period.

Here are some key aspects of understanding the threat landscape:

Vulnerabilities:

These are weaknesses in a system that can be exploited by attackers. They are a key part of the threat landscape as they represent potential entry points for an attack.

Malware:

This refers to malicious software designed to cause harm to a system or network. Examples include viruses, worms, trojans, ransomware, and spyware.

Attackers and Their Techniques:

The threat landscape also includes the specific groups of attackers and the techniques they use. This could range from individual hackers to organized cybercrime groups, and their methods could include phishing, denial of service attacks, and more.

Context-Specific Threats:

The threat landscape is also defined by the specifics of a particular sector, organization, or even individual. This includes factors such as the possession of information of value to attackers, security level, and geopolitical factors.

Evolving Nature of Threats:

The threat landscape is not static. It changes over time and as a result of events with a significant impact on the organization, group of people, or sector for which the threat landscape is defined.

Understanding the current threat landscape is important as it allows for the identification of potential information security problems facing a specific entity — a company, an individual, or a whole sector — and to take preventive measures by adopting a proactive approach to information security.




PEOPLE HACKING AWARENESS (SOCIAL ENGINEERING): 8: SOCIAL ENGINEERING PROCESS METHODOLOGY

 


Most social engineering attacks rely on actual communication between attackers and victims.

The attacker tends to motivate the user into compromising themselves, rather than using brute force methods to breach your data.

The attack cycle gives these criminals a reliable process for deceiving you.

This process can take place in a single email or over months in a series of social media chats. It could even be a face-to-face interaction. But it ultimately concludes with an action you take, like sharing your information or exposing yourself to malware.

It's important to be aware of social engineering as a means of confusion. Many employees and consumers don't realize that just a few pieces of information can give hackers access to multiple networks and accounts.

By masquerading as legitimate users to IT support personnel, they grab your private details — like name, date of birth or address. From there, it's a simple matter to reset passwords and gain almost unlimited access.

Steps for the social engineering attack cycle are usually as follows:

Gathering Information

The first step for social engineers is researching and gathering extensive information about their targets. This can include details about the company structure, employees, vendors, processes, tools, and organizational culture. Social media, websites, public records, and casual conversations provide key intelligence.

Identifying Vulnerabilities

Next, social engineers analyse the information to identify human vulnerabilities to exploit, like tendencies, emotions, incentives and weak compliance procedures. They uncover pressure points that give them influence over targets.

Developing a Relationship

Many social engineers now try to build rapport with targets by posing as familiar contacts or trustworthy authorities. Phishing emails may have an informal tone and requests often involve helping behaviour. The goal is to develop targets' trust.

Exploiting Trust

With a relationship established, social engineers leverage trust to deceive targets through manipulation tactics like pretexting, phishing or baiting. They exploit fear, obedience to authority, sense of duty, or greed to achieve their objectives.

Executing the Attack

With enough rapport built and information gathered, social engineers execute their attack by fully exploiting vulnerabilities. This may be through a fraudulent phone call, email, or even a visit to the workplace if they can get access.

Completing the Objective

Finally, the social engineer uses the ill-gotten data, money, or access attained from the manipulated target to complete their main objective, which is often stealing data, infiltrating systems, or financial fraud.

This methodology depends heavily on human factors - something technology alone cannot always defend against. Awareness and vigilance are needed to guard against those who exploit trust.

 
