Social Engineering


Syllabus content

Content: Understand and be able to explain the following cyber security threats:

  • social engineering techniques
  • malicious code
  • weak and default passwords
  • misconfigured access rights
  • removable media
  • unpatched and/or outdated software.

Content: Explain what penetration testing is and what it is used for.

Additional information: Penetration testing is the process of attempting to gain access to resources without knowledge of usernames, passwords and other normal means of access. Students should understand that the aim of a white-box penetration test is to simulate a malicious insider who has knowledge of and possibly basic credentials for the target system. Students should understand that the aim of a black-box penetration test is to simulate an external hacking or cyber warfare attack.


Social engineering


What Is Spear Phishing?

Unlike consumer phishing email campaigns (high volume, broad in scope), spear phishing attacks are highly targeted. These attacks use carefully crafted emails combined with social engineering tactics to convince the victim to open and engage with the email.
Spear phishers will often leverage data from breaches and social network sites, as well as public data about an organization and its employees. Their emails appear to come from a trusted sender, and ask the recipient to perform an action, which typically is to open a webpage and enter a password.
Once this action is taken, the cybercriminal is able to steal confidential information from the victim and the enterprise. According to a recent Gartner report, spear phishing is the most common targeted method of cyberattack. A recent example is the spear phishing attack on the DNC.


What Is Consumer Phishing?

In a phishing attack, a criminal sends a large number of consumers a deceptive email appearing to come from a respected brand — typically a financial service provider or an email service provider.
The email uses social engineering techniques to attempt to mislead the recipients to visit a web page appearing to belong to the impersonated brand, where the user will be asked to enter her username and password — and sometimes other information as well. Having stolen this information, the criminal now controls the victim’s account.
A good example of a large-scale consumer phishing attack is the recent attack targeting customers of GoDaddy.


What Is Business Email Compromise?

Business Email Compromise (BEC), also known as CEO fraud, is a sophisticated email attack in which a criminal sends targeted emails to an organization’s employees. These emails, which appear to come from a key figure, ask the recipients to transfer funds or send information. The last few years have seen a dramatic upswing in BEC attacks, fueled by the tremendous profits these attacks generate. In fact, according to the FBI, losses from BEC attacks have spiraled out of control, increasing by 2,300% in the two years preceding December 2016. Examples of companies that have fallen for BEC attacks include FACC, Mattel, Snapchat and Ubiquiti.
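The three email-borne attacks described above (spear phishing, consumer phishing and BEC) share a small set of observable indicators: a trusted display name on the wrong address, a Reply-To that steers answers elsewhere, a sender domain that imitates a protected brand, and "act now / move money / enter your password" language. The screening script below is an added example written for this page, not code from the original page or any vendor; the protected executive list, the brand domains and both sample messages are constructed stand-ins for what a real deployment would pull from a directory and a mail feed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed; a real deployment would look these up).
PROTECTED = {"jane doe": "jane.doe@example.com"}   # executives whose names BEC mail borrows
BRANDS = {"example.com", "examplebank.com"}        # domains whose lookalikes we watch for

# Phrases typical of the "act now, move money, enter your password" lure.
URGENCY = re.compile(
    r"\b(urgent|immediately|wire transfer|gift cards?|verify your (?:password|account))\b",
    re.IGNORECASE,
)

def normalise(domain: str) -> str:
    """Fold common homoglyph substitutions so 'exarnple.com' reads as 'example.com'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the brand domain that `domain` imitates, or None if it is exact or unrelated.
    A legitimate domain one edit away from a brand is also flagged: review, don't auto-block."""
    if not domain or domain in BRANDS:
        return None
    for brand in BRANDS:
        if normalise(domain) == brand or edit_distance(domain, brand) == 1:
            return brand
    return None

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def text_body(msg) -> str:
    """Concatenate the text/plain parts (handles both single-part and multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)

def analyse(raw_message: str) -> list[str]:
    """Return human-readable findings for one RFC 822 message; [] means no indicator fired."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []
    # 1. Display-name impersonation: a protected name on an address that is not theirs.
    key = " ".join(name.lower().split())
    if key in PROTECTED and addr.lower() != PROTECTED[key]:
        findings.append(f"display-name impersonation: '{name}' but address is {addr}")
    # 2. Reply-To steering replies to a mailbox outside the sending domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"reply-to mismatch: {reply}")
    # 3. Sender domain that is a homoglyph or one-character edit of a protected brand.
    brand = lookalike_of(from_domain)
    if brand:
        findings.append(f"lookalike domain: {from_domain} resembles {brand}")
    # 4. Lure language in subject or body.
    text = msg.get("Subject", "") + "\n" + text_body(msg)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("lure language: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@freemail.example
Subject: Urgent wire transfer

Please process this wire transfer immediately and confirm when done.
"""

LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Q3 figures

Attached are the figures we discussed on Monday.
"""
```

Calling `analyse(BEC_SAMPLE)` returns four findings (impersonated display name, Reply-To on a different domain, the `exarnple.com` lookalike, and the lure phrases), while `analyse(LEGIT_SAMPLE)` returns an empty list. These are triage signals, not verdicts: the useful control is routing flagged mail for review and backing payment requests with an out-of-band confirmation, which is what defeats BEC even when no indicator fires.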


What Is Ransomware?

Ransomware is a form of malware that infects victims’ computers, encrypts their content, and issues a demand that the victim pay a ransom to the attacker in order to regain access to their content.
Most ransomware attacks are based on computer trojans, which rely on tricking a victim to install the malware. Attackers use social engineering methods to coerce their intended victims to expose themselves to ransomware, often impersonating a trusted contact to entice the victim to take action, e.g., opening an attachment.
Ransomware attacks have been steadily rising, with criminals targeting specific industries, such as hospitals and healthcare organizations.


What Is a Data Breach?

A data breach is an incident where sensitive, protected, or confidential data is stolen, viewed, or used by an unauthorized party. Data breaches have been in the news frequently in the last year, and many wonder what the reason is for their dramatic rise. This is probably best explained by the value the stolen data has to attackers wishing to mount targeted attacks on large numbers of people.
It is believed that much of the data stolen in breaches is sold and resold, thereby broadly enabling more sophisticated attacks — some of which may be years in the making. Many breaches are the result of intrusions caused by credential theft or malware installation, which in turn is fueled by social engineering and identity deception — and the value of being able to mount targeted attacks.
An example of a data breach is that of Yahoo! where 1 billion Yahoo! credentials were stolen.


Examples

Social engineering exploits users' greed, curiosity or credulity to get the payload to its target. Some of the "greatest" social engineering hackers, such as Mitnick, never really used a computer at all.

The current WannaCrypt attack exploits out-of-date software, using a weakness discovered by the NSA, of all people, and apparently re-discovered when the NSA was hacked and its research distributed. Apparently, if Windows Defender is up to date, that is sufficient to prevent the exploit succeeding. The main exploit is a weakness in a 30-year-old protocol called SMBv1 (Server Message Block version 1), found in all Windows systems but regarded as active in Windows 7 and XP. Windows 10 is unaffected.


Glossary and other links

Glossary of computing terms.

AQA 8520: The 2016 syllabus

General content

Keep cyber threats from destroying your client's business

10 ways to secure your digital content

Flashpoint - Business risk intelligence report

Email security risk assessment infographic

MimeCast email report

Cost of data breach study 2016

The cyber threat to UK businesses

Biggest cybersecurity threats in 2016

Social Engineering Report ISMG

How Identity Deception Increases the Success of Ransomware

5 Social Engineering Attacks to Watch Out For

Top 5 Social Engineering Exploit Techniques

Top 10 Social Engineering Tactics

Social Engineering Attacks: Common Techniques & How to Prevent an Attack

Hacking the mind

Understanding Social Engineering Attacks

Social Engineering - Definition

Infoseceye (Read the blog entries!)

NCSC Managing Information Risk

The cyber advisory service

NCSC glossary

Malicious code and malware.

What is Malicious Code?

Program Security

Finding the kill switch to stop the spread of ransomware

Common Malware Types: Cybersecurity 101

Rogue Sheep

Encryption

The Story of Bob, Alice, and Eve: A Love Triangle Gone Bad (or, How I Came to Love PKI)

The Alice and Bob After Dinner Speech

History of Encryption

Past, present, and future methods of cryptography and data encryption

The Alternative History of Public-Key Cryptography

How PGP works

Beginner's guide to PGP

Passwords

Identity and passwords blog

Even Jedi can't achieve Password Perfection

NCSC Password Security

63% of data breaches involve weak, default or stolen passwords

Password meter

How secure is my password?

Cyber security

NCSC 10 Steps To Cyber Security NCSC

NCSC Bring Your Own Device

NCSC Cyber Attacks

Active Cyber Defence

How Every Cyber Attack Works – A Full List

Misconfigured access rights

Lesson Plan Misconfigured Access Rights

Wireless threats

Risks of portable devices

Risks Of Portable Devices

Advert of sorts

AQA: New computer science GCSE arms students with cyber security knowledge

https://cybersecuritychallenge.org.uk/novice-toolkit


The Story of Alice and Bob

(Short extract from after-dinner speech by John Gordon at The Zurich Seminar April 1984) I go to lots of conferences on Coding Theory in which complicated protocols get discussed. You know the sort of thing:

"A communicates with someone who claims to be B. So to be sure, A tests that B knows a secret number K. So A sends to B a random number X. B then forms Y by encrypting X under key K and sends Y back to A." and so on.

Because this sort of thing is quite hard to follow, a few years ago theorists stopped using the letters A and B to represent the main players, and started calling them Alice and Bob.

So now we say "Alice communicates with someone claiming to be Bob. So to be sure, Alice tests that Bob knows a secret number K. Alice sends to Bob a random number X. Bob then forms Y by encrypting X under key K and sends Y back to Alice."

It's supposed to make it easier to understand. Now there are hundreds and hundreds of papers written about Alice and Bob. Alice and Bob have been used to illustrate all sorts of protocols and bits of coding theory in scientific papers. Over the years Alice and Bob have tried to defraud insurance companies, they've exchanged secret messages over a tapped line, and they've played poker for high stakes by mail. Now if we put together all the little details from lots of papers - a snippet from here, a snippet from there - we get a fascinating picture of their lives.

This may be the first time in the history of coding theory that a definitive biography of Alice and Bob has been given.

Take Bob. Bob is often selling securities to speculators so we can be pretty sure he's a stockbroker. But from his concern about eavesdropping he is probably into something subversive on the side too.

Take Alice. From the number of times Alice tries to buy stock from him we can say she is probably a speculator. And she's also worried that her husband doesn't get to find out about her financial dealings.

So Bob is a subversive stockbroker and Alice is a two-timing speculator. But Alice has a number of serious problems. She and Bob only get to talk by telephone or by email. And in the country where they live the phone service is very expensive. And Alice and Bob are cheapskates.

So the first thing Alice must do is MINIMISE THE COST OF THE PHONE CALL.

The telephone in their country is also pretty lousy. The interference is so bad that Alice and Bob can hardly hear each other. So the second thing Alice must do is to PROTECT HER MESSAGES AGAINST ERRORS in transmission. On top of that Alice and Bob have very powerful enemies. One of their enemies is the Tax Authority. Another is the Secret Police.

These enemies have almost unlimited resources. They always listen in to telephone conversations between Alice and Bob. This is a pity since Bob and Alice are always plotting tax frauds and overthrowing the government.

So the third thing ALICE must do is PROTECT HER COMMUNICATIONS FROM EAVESDROPPING. And these enemies are very sneaky. One of their favourite tricks is to telephone Alice and pretend to be Bob. So the fourth thing Alice has to do is to BE SURE SHE IS COMMUNICATING WITH WHOM SHE THINKS SHE IS. Well, you think, so all Alice has to do is listen very carefully to be sure she recognises Bob's voice. But no. You see Alice has never met Bob. She has no idea what his voice sounds like.

All in all Alice has a whole bunch of problems. Oh yes, and there is one more thing I forgot to say - Alice doesn't trust Bob.

Now most people in Alice's position would give up. Not Alice. She has courage which can only be described as awesome. Against all odds, over a noisy telephone line, tapped by the tax authorities and the secret police, Alice will happily attempt, with someone she doesn't trust, whom she can't hear clearly, and who is probably someone else, to fiddle her tax return and to organise a coup d'état, while at the same time minimising the cost of the phone call.

A coding theorist is someone who doesn't think Alice is crazy. (C) John Gordon 1984