[UPDATED in 2023]
++ instant access to FREE eBook ++
This course will teach you the most common social engineering threats. At the end of the course you will understand why people are the weakest link in your organisation's security posture. In other words, increase human intelligence (HUMINT) by updating your mental firewall and reduce the chance of ransomware! After following this course you will understand:
1) what the most common social engineering threats are,
2) the impact of each threat on your business,
3) how these threats can be executed and/or mitigated.
You will be able to understand the above-mentioned points without having to understand technical details (e.g. source code), within ONE HOUR!
- Testimonial from Guido: A great selection, very nice content and explanations
How is that possible?
Social engineering / human intelligence is closely related to psychology. Social engineering can be defined as the art of manipulating people in order to achieve a goal. This course is therefore created for managers rather than developers. Managers must train their employees to strengthen their personal firewall (i.e. become less likely to fall victim to manipulation), because collectively all employees make up your organisation's firewall!
- Testimonial from Gaston: Very well explained!
So, after following this course am I a full-fledged security/HUMINT expert?
No. This course will teach you the most common social engineering threats so that you can critically question and discuss the impact of these security issues with your employees and management. By following this course you'll become proficient at recognising social engineering attacks. From the perspective of HUMINT, you can also use these techniques to collect data.
What!?! Why should I enroll?
Only enrol when you want to strengthen your personal firewall, are new to social engineering and want a complete beginner's perspective. Social engineering is often the first step of a ransomware attack, thus this course is mandatory for all employees! CISOs need to protect their cyber security resources, thus this course is specifically developed for:
– All employees, no prerequisite knowledge needed;
– (Project) managers who lead in an organisation that depends on IT and have no idea how social engineering could harm their organisation;
– Security managers tasked with delivering basic security awareness training;
– Anyone interested in the basics of social engineering, explained in layman's terms.
Ok, but there is already a lot of information available on the web. So, what's in it for me?
I thought you would never ask! This course differentiates itself from the information already available because:
– It is not solely based on my opinion, but substantiated with scientific evidence. You get my opinion and experience, backed by science;
– Unlike most other courses, you may actually claim 1 Continuing Professional Education (CPE) credit after completing this course;
– I've included lots of links to websites that provide comprehensive background information, should you be interested in more detail;
– And that's not all, there is more…
BONUS Material:
– You will get a FREE eBook of the entire course!
– Attacks that are not considered social engineering (e.g. shoulder surfing) are also included;
– Frequently asked questions. Ask a social engineering question and I’ll answer it with a video.
Why include bonus material, is the main course not exciting enough?
– Getting organisational security right goes well beyond instructing employees. With the bonus material, I would like to inform you about the complementary measures that should be taken into account.
– The course also includes (tough) quiz questions. These quizzes will solidify your learning.
- Testimonial from Arjuna: The sound is quite low, but it's fine. Soerin explains everything in a simple way. Thanks! Great course
I’m fully convinced of the benefits, but I don’t see why I should learn all this from you.
True, let me explain by giving you an overview of my experience:
– Chief Information Security Officer (CISO) and have managed Security, Privacy and Quality professionals. Often I’m responsible for implementing and maintaining a well balanced organisational risk posture;
– Security and privacy operations manager (2 years). Acting as a security liaison on strategic accounts, I monitor the security of 2500+ workstations, 500+ servers and 10+ firewalls and routers, report on the operational security status of European and Dutch law and integrate intelligence results from AVDS, Check Point, Nagios, Nessus, Palo Alto Traps, SCCM, SCEP, SEP, SCOM and SIEM;
– Part-time PhD candidate (9 years – present). I read the science, you get the knowledge! What more do you want?
– Software quality consultant (6.5 years). I've advised many managers of large and small IT projects on various software-related aspects;
– IT auditor (1 year). I have closely worked with accountants and audited large governmental IT projects;
– Quality assurance engineer (3 years). I have implemented large IT systems for large companies.
Besides experience as an IT consultant, I hold the following certifications:
- International Software Testing Qualifications Board (ISTQB)
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Information Privacy Professional (CIPP / Europe)
- Certified Scrum Master
- TOGAF Foundation
- ISO 27001 Lead Auditor
- ISO 27001 Lead Implementer
- Leading Scaled Agile Framework
- Azure Fundamentals (AZ-900)
- PRINCE2 Foundation
Go ahead, click the enrol button, claim your FREE eBook and I'll see you in lesson 1!
Keep learning about Cyber Security, increase HUMINT to prevent Ransomware, taught by a CISO!
Cheers,
Soerin
The social engineering attacks
-
1. Introduction: What is social engineering?
Social engineering has many definitions, one of which is the art of human hacking. This type of hacking is not reliably detected by technical security systems (e.g. firewalls and antivirus software), because it targets people rather than software. Social engineering exploits human error and misplaced trust to gain access to sensitive spaces or data. Empower your employees by sharing these social engineering techniques to strengthen your human firewall!
-
2. Security basics: a brief history…
We briefly touched upon the evolution of security and ended with policies and procedures. The Art of Deception, written by Kevin Mitnick, contains a comprehensive social engineering policy. This means you could start drafting your internal social engineering policy and educating your colleagues right now! I highly recommend this book.
Title: The Art of Deception
Author: Kevin Mitnick
-
3. Who is responsible for implementing security?
Note: this question stretches beyond the knowledge provided in the video. However, we believe this information is relevant and will greatly improve your effectiveness inside your organisation.
-
4. A classic (and real) social engineering attack
Social engineering is still a hot item for hackers. Check out page 31 of the 2023 Data Breach Investigations Report for more details.
Social engineering attacks often result in the loss of credentials. Hackers use these credentials as a stepping stone to (1) circumvent traditional security systems (e.g. a firewall, which sees a valid login rather than an attack) and (2) escalate privileges, i.e. obtain even more rights on the system or network. Often their goal is to find and copy your organisation's crown jewels without being noticed.
Mitigation: the number one mitigation for social engineering is verification in person. When the stakes are high enough (e.g. access to TOP SECRET data), don't allow remote access. Make sure you actually see the person who is trying to access that data. This single control stops the large majority of attackers. What about the rest? A state-sponsored actor could bribe an employee who already has access to the TOP SECRET data and then demand that the data (the digital pictures in this example) be handed over. That type of attack is called the insider threat and is very, very difficult to recognise or stop. Advanced security awareness training is one step you could take.
-
5. Security basics: what are security risks?
You'll understand the relation between threats, assets and vulnerabilities. Typically, a security risk threatens one of three properties: (1) confidentiality, (2) integrity and (3) availability.
1) Confidentiality: [example] you are the only customer who should be able to see your bank account.
2) Integrity: [example] when you pay 9.99 dollars for a course, exactly 9.99 dollars should be subtracted from your bank account, no more and no less.
3) Availability: [example] when you access your bank account to view your balance, it should be available for you to view.
Collectively these three properties are called the CIA triad of security. Remember it, because it is an important concept.
-
6. CIA triad
Read the description of the previous lecture (Security basics: what are security risks?).
-
7. Security basics: types of "hackers"
Several platforms let hackers report their findings to an organisation in exchange for a fee. Organisations encourage this with a so-called 'bug bounty' programme, in which the hacker can claim a reward for reporting a bug (e.g. a security flaw). Reporting a flaw privately to the affected organisation and giving it time to fix the issue before anything is published is called 'responsible' (or coordinated) disclosure; a bug bounty adds a payment for doing so.
-
8. Types of hackers
Can you differentiate between hacker colours?
-
9. The weakest link
It is tempting to think of cyber defence primarily as a technical challenge, but the actions of people also play a critical part in the success or failure of an enterprise. People fulfil important functions at every stage of system design, implementation, operation, use and oversight.
How to remediate:
1) Perform a skills gap analysis to understand which skills workforce members lack and which secure behaviours they are not adhering to, and use this information to build a baseline education roadmap.
2) Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams and impersonation calls.
When you want to develop a security awareness programme, I recommend the following book:
- Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors
-
10. The weakest link
Who is the weakest link in your organisational security posture?
Bonus section!
-
11. Authority
Three resources:
1) The paper that explains most of the social engineering attacks. To give you as much value as possible, I've also included another paper that introduces a taxonomy of social engineering.
2) The persuasion and security awareness experiment: reducing the success of social engineering attacks.pdf. I've also included another paper that explains the impact of authority with an example. Its conclusion: "Awareness-raising about the dangers, characteristics, and countermeasures associated with social engineering proved to have a significant positive effect on neutralising the attacker."
3) Reflections_on_the_Stanford_Prison_Experiment_Gene.pdf. A short synopsis of Zimbardo's research starts on page 5.
-
12. Authority
How do you remediate the following social engineering attack?
-
13. Deceptive relationships
Two resources:
1) The Social phishing document in the attachment gives you an example of how easily a hacker can collect information about you in order to start an effective deceptive relationship. Read pages 1 and 2 (you may skip the rest of the paper). Again, "people can become less vulnerable by a heightened awareness of the dangers of phishing" (page 8).
You are on the right path. Keep on watching these videos.
2) Social Engineering Attack Examples, Templates and Scenarios. The paper presents a template for social engineering and for forming a deceptive relationship (page 9).
-
14. Deceptive relationships
How do you remediate the following social engineering attack?
-
15. Third-party relationships (suppliers)
How do you remediate the following social engineering attack?
-
16. Overloading
This attack is very common in the digital realm. For instance, a hacker distracts your organisation's security operations centre (SOC) by flooding it with a large number of fake or low-value attacks. The SOC's capacity is drained trying to understand all these different attacks, and somewhere in between the hacker launches the real attack.
Remediation: You need to continuously improve your organisation's ability to separate a real signal from the noise. Regularly execute red teaming exercises (i.e. hire external or train internal hackers who attack your organisation so that you can learn and improve your security posture). Practise different real-life scenarios and continuously improve your organisational processes as a result of these exercises.
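As an added example (not part of the course material or its attachments), the following Python script shows one concrete way a SOC can stop a flood from hiding the real attack: collapse near-identical alerts into a single row and rank the rows by asset criticality and rarity rather than by raw volume, so that one credential-based access to a crown-jewel server outranks hundreds of scanner hits on a DMZ web server. The alert format, the asset criticality table and the sample alert stream are all constructed for illustration.

```python
"""Alert-storm triage: collapse floods of near-identical alerts and surface the
rare alert on a high-value asset that an attacker hopes the flood will hide.

Added example for the 'Overloading' lecture; not part of the course material.
The alert format, asset criticality table and sample alerts are constructed.
"""
from collections import defaultdict

# Constructed asset criticality (assumption): 'crown jewel' hosts score highest.
ASSET_CRITICALITY = {
    "fileserver-finance": 10,
    "dc01": 10,
    "web-dmz-01": 3,
    "web-dmz-02": 3,
}

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Constructed alert stream (assumption): the attacker floods the SOC with 600 noisy
# scanner hits against two DMZ web servers and, in between, performs a single
# admin-share access on the finance file server.
SAMPLE_ALERTS = [
    *({"ts": 1000 + i, "rule": "WEB-SCANNER-UA", "src": "203.0.113.%d" % (i % 7),
       "dst": "web-dmz-0%d" % (1 + i % 2), "severity": "low"} for i in range(400)),
    {"ts": 1210, "rule": "SMB-ADMIN-SHARE-ACCESS", "src": "10.0.5.23",
     "dst": "fileserver-finance", "severity": "medium"},
    *({"ts": 1400 + i, "rule": "WEB-SCANNER-UA", "src": "203.0.113.%d" % (i % 7),
       "dst": "web-dmz-0%d" % (1 + i % 2), "severity": "low"} for i in range(200)),
]


def collapse_alerts(alerts):
    """Group alerts by (rule, destination) so a 600-alert flood becomes one
    row with a count instead of 600 rows competing for analyst attention."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["rule"], a["dst"])].append(a)
    return groups


def score_group(key, members, total_alerts):
    """Priority grows with asset criticality and severity and shrinks with
    volume: the more often a (rule, dst) pair fires, the less each firing means.
    A singleton alert on a crown-jewel host therefore outranks a flood of
    low-severity hits on a DMZ box."""
    _rule, dst = key
    crit = ASSET_CRITICALITY.get(dst, 1)
    sev = max(SEVERITY_WEIGHT[m["severity"]] for m in members)
    rarity = total_alerts / len(members)   # large for rare groups, small for floods
    return crit * sev * rarity


def triage(alerts, top=3):
    """Return the highest-priority rows as (rule, dst, count, score) tuples."""
    groups = collapse_alerts(alerts)
    rows = [(k[0], k[1], len(v), score_group(k, v, len(alerts)))
            for k, v in groups.items()]
    rows.sort(key=lambda r: r[3], reverse=True)
    return rows[:top]


if __name__ == "__main__":
    for rule, dst, count, score in triage(SAMPLE_ALERTS):
        print(f"{score:10.1f}  {count:4d}x  {rule:25s} -> {dst}")
```

The flood still shows up (as two rows with a count of 300 each), but it no longer buries the single finance-server alert, which lands at the top of the queue. Red team exercises are the way to find out which of your own real alerts would have been drowned under the current rules.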
-
17. Overloading
How do you remediate the following social engineering attack?
-
18. Scarcity
To understand how scarcity works for the social engineer, let's first look at the concept in social psychology. It describes people's tendency to place a higher value on resources that are in short supply. Marketing often exploits this phenomenon by promoting the idea of scarcity in sales and specials; a good example is the frenzy called Black Friday.
Since scarcity can be applied to anything that people value, it is an effective influencing tool. Even if there is no actual shortage or limit on a resource, if you can make someone believe that there is, you create a situation favourable to your aims. The anxiety and hope created by the impending acquisition can cloud the reason and behaviour of individuals who want what you have.
How to remediate:
– Slow down and research the facts > don't act quickly; take a step back and try to understand the request in context (Why does this request come to you? Why now? etc.)
– Reject email requests for help or offers of help > call or send a text message to verify the request.
– Don't let a link control where you land > type the URL yourself!
– Do not reveal sensitive data (e.g. passwords) > nobody should be asking you for your password.
– Do not bypass policies and procedures > typically there are policies and (incident) procedures that can handle different types of requests.
– Report any suspicious activity > inform your security department.
Source: see the presentation in the attachments, slide 25.
-
19. Scarcity
How do you recognise a scarcity attack?
-
20. Social validation
The attached 'BlackHat USA ... v1.0.pdf' document is a must-read to gain more understanding of people's haphazard and unquestioned trust. Thank me later ;-)
Remediate this attack with the same checklist as for scarcity: slow down and research the facts, verify requests for help by phone or text message rather than by replying to the email, type URLs yourself instead of following links, never reveal passwords, follow your policies and (incident) procedures, and report any suspicious activity to your security department.
For more on remediation, see the presentation Social Engineering.pdf, slide 25.
The source that follows this video relates to the quiz: 'A room with a viewpoint: Using social norms to motivate environmental conservation in hotels.'
-
21. Social validation
Can you spot the social validation attack?
-
22. Phishing
2020 was a year of seismic shifts for organisations everywhere. A global pandemic and accelerated digital transformation paved the way for more remote workforces and a "new normal" that is anything but. Those shifts also led to an overall increase in information security risk levels, as cyber criminals worldwide took advantage of this widespread volatility with targeted phishing attacks. [Source: Phishing Benchmark Global Report.]
Several resources that help you spot and remediate phishing:
1) The attachment contains more background and examples of phishing (e.g. pages 25 and 27-28). The document also provides best practices (search for "best practices" in the document), but is biased toward Symantec products.
2) US-CERT - Technical Trends in Phishing Attacks.pdf. Recommendations and remediation can be found on page 13.
3) Phishing Benchmark Global Report.
-
23. Phishing
CEO FRAUD: CEO fraud is a sophisticated email scam that cyber criminals use to trick employees into transferring money or handing over confidential company information. It is a social engineering technique that relies on winning the trust of the email recipient. Cyber criminals use email to impersonate the company CEO or other executives and ask employees, typically in HR or accounting, to help them out by sending a wire transfer, updating account information or providing account details. Technically the impersonation is cheap: the display name is set to the executive's name while the actual sender address, or the Reply-To address, belongs to the attacker, and the request is paired with urgency (scarcity) and authority so that the victim skips verification.
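Added example, not from the course or its attachments, serving both the "don't let a link control where you land" item in the remediation checklist and the CEO fraud pattern above: a small Python triage that parses a raw e-mail and flags an executive display name on a domain that is not ours, a Reply-To domain that differs from the From domain, and a link whose visible text names a different site than its href. The company domain, the executive names and the sample message are constructed for illustration; the registrable-domain helper is a deliberate simplification (last two labels) that does not handle suffixes such as co.uk.

```python
"""Phishing / CEO-fraud triage on a raw e-mail.

Added example, not part of the course material. It automates three checks a
mail gateway or an analyst can run: (1) the display name claims to be an
executive but the address domain is not ours, (2) Reply-To points somewhere
other than the From domain, (3) the visible link text names one domain while
the href points to another. OUR_DOMAIN, EXECUTIVES and SAMPLE_RAW are
constructed for illustration.
"""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example-corp.com"       # assumption: the organisation's mail domain
EXECUTIVES = {"jane doe", "ceo"}      # assumption: names attackers like to impersonate

# Constructed sample (not a real message): CEO fraud plus a deceptive link.
SAMPLE_RAW = """\
From: "Jane Doe CEO" <jane.doe@example-corp-mail.com>
Reply-To: ceo.urgent@protonmail-lookalike.test
To: accounts@example-corp.com
Subject: Urgent wire transfer before 5pm
Content-Type: text/html; charset=utf-8

<html><body>
<p>I am in a meeting and need you to process a supplier payment today.
Use the portal: <a href="http://example-corp.com.payments-verify.test/login">https://example-corp.com/payments</a></p>
</body></html>
"""


def _domain(addr):
    """'Name <user@host>' or 'user@host' -> 'host' (lower-case), '' if absent."""
    _, address = email.utils.parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude registrable-domain approximation: the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.) in the data."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def triage_message(raw):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # (1) executive display name on a foreign sender domain
    name, _ = email.utils.parseaddr(msg["From"] or "")
    from_dom = _domain(msg["From"] or "")
    if any(e in name.lower() for e in EXECUTIVES) and from_dom != OUR_DOMAIN:
        findings.append(f"display name '{name}' claims an executive but sender domain is {from_dom}")

    # (2) replies silently go to a different domain than the apparent sender
    reply_dom = _domain(msg["Reply-To"] or "")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # (3) link text shows one site, href goes to another
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            actual = urlparse(href).hostname or ""
            if shown and _registrable(shown) != _registrable(actual):
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for finding in triage_message(SAMPLE_RAW):
        print("FLAG:", finding)
```

None of these checks needs threat intelligence: they only compare fields the attacker had to lie about against each other. That is also why the checklist says to type the URL yourself and to verify a payment request by phone rather than by replying, since a reply goes to the attacker's Reply-To.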
-
24. Baiting
Baiting can come in many forms. It is a form of social engineering that relies on the greed or curiosity of the victim and is similar to phishing in many ways. What sets it apart from other forms of social engineering is the promise of a good or service to entice the victim. For instance, a baiter often offers a free movie or music download in exchange for the login credentials of a particular site. Moreover, unlike many other online threats, baiting is not restricted to online schemes: an attacker may use physical media (e.g. a USB stick left where an employee will find it) to exploit a victim.
How to remediate?
Cybercriminals know well how to play with our emotions and fears. If you receive an email that is too tempting to be true, don't act hastily. Stay calm and think about the possibilities and consequences. The strongest defence is to educate yourself and strive to create a strong security culture within your surroundings, whether at the office or at home. As an organisation, conduct regular social engineering awareness and training sessions, and likewise carry out social engineering assessments, either with specialised staff or with help from the information security department.
In the video I discussed research related to baiting; that research can be found in the attachment.
-
25. Baiting
How can you remediate the following social engineering attack?
-
26. Pharming
Pharming often operates in conjunction with phishing to steal victims' personal information. Pharming redirects the victim's web traffic from a legitimate website to a fake destination designed to spoof the intended site, typically by corrupting name resolution (a poisoned DNS cache or a modified hosts file) rather than by tricking the victim into clicking a link. Victims caught unaware by the fake website risk getting infected by malware or giving their sensitive information to the attacker.
Here's what you can do if you've become a victim of pharming. You can also use these mitigations preemptively by running your antivirus software and clearing your cache.
Run your antivirus software. Make sure there is no more malware on your computer.
Clear your DNS cache and check your hosts file. Simply deleting malicious programs won't stop your traffic being redirected; clearing the cache removes poisoned local entries (if the upstream resolver is still poisoned, the fix has to happen there, hence the next step).
Contact your ISP. If you suspect you're a victim of DNS poisoning, let whoever is responsible for your DNS server know. In most cases, that's your ISP.
Contact your financial institution. Explain the situation and ask them to protect your accounts from further intrusion. If you have become a victim of identity theft, report the crime to the police.
Note: the attached paper is technical and offers a technical remediation to pharming. Name of the paper: A dual approach to detect pharming attacks at the client-side.pdf
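Added example for this lecture, not the course's code and not the approach of the attached paper: two client-side checks in Python that match the steps above. The first audits a hosts file for entries that pin a site you care about to a non-loopback address (the local pharming trick that survives a DNS cache flush); the second compares answers from independent resolvers, since a poisoned cache on one resolver will disagree with the others. The watched domains, the hosts file content and the resolver answers are constructed so the block runs offline; in practice you would read the real hosts file and query the resolvers.

```python
"""Two client-side pharming checks.

Added example for the 'Pharming' lecture; not the course's or the attached
paper's code. (1) audit the local hosts file for entries that silently
override the address of a site you care about; (2) compare answers from
independent resolvers, since a poisoned cache on one will disagree with the
others. Sample hosts content and resolver answers are constructed so the
block runs offline; on a real machine you would read /etc/hosts (or
C:\\Windows\\System32\\drivers\\etc\\hosts) and query the resolvers.
"""
import ipaddress

WATCHED_DOMAINS = {"bank.example", "login.example-corp.com"}   # assumption

# Constructed hosts file: the last line is the malicious override.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan        # a harmless local entry
198.51.100.77   bank.example www.bank.example
"""

# Constructed answers from three resolvers for the same names (assumption):
# the ISP resolver has been poisoned for bank.example.
SAMPLE_RESOLVER_ANSWERS = {
    "isp-resolver": {"bank.example": "198.51.100.77", "login.example-corp.com": "203.0.113.10"},
    "public-dns-a": {"bank.example": "192.0.2.50",    "login.example-corp.com": "203.0.113.10"},
    "public-dns-b": {"bank.example": "192.0.2.50",    "login.example-corp.com": "203.0.113.10"},
}


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) pairs where a watched domain (or a subdomain of it)
    is pinned in the hosts file to a non-loopback address. Such an entry sends
    the browser wherever it says, regardless of what DNS answers."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                              # malformed line, not an override
        for name in names:
            name = name.lower().rstrip(".")
            watched_hit = any(name == w or name.endswith("." + w) for w in watched)
            if watched_hit and not addr.is_loopback:
                findings.append((ip, name))
    return findings


def resolver_disagreements(answers):
    """Return {name: {resolver: ip}} for names on which the resolvers disagree.
    Disagreement is not proof of poisoning (CDNs answer differently by
    location), but it is the signal worth investigating, together with a TLS
    certificate check on the address you actually reached."""
    names = set().union(*(a.keys() for a in answers.values()))
    out = {}
    for n in sorted(names):
        seen = {r: a[n] for r, a in answers.items() if n in a}
        if len(set(seen.values())) > 1:
            out[n] = seen
    return out


if __name__ == "__main__":
    print("hosts overrides:", audit_hosts(SAMPLE_HOSTS))
    print("resolver disagreements:", resolver_disagreements(SAMPLE_RESOLVER_ANSWERS))
```

The hosts-file audit is the check to run after "remove the malware", because the override is a one-line text edit that antivirus does not always revert; the resolver comparison is the evidence to bring to your ISP when you report suspected DNS poisoning.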
-
27. Pharming
How do you remediate the following social engineering attack?
-
28. IVR or phone phishing
The attached paper is technical and not meant for a manager, but intended for the network engineer who may remediate this issue. The name of the paper is: Voice Pharming Attack and the Trust of VoIP.pdf
-
29. Phone phishing
How can you remediate phone phishing?
-
30. Quid pro quo
In the context of social engineering and cyber security, a quid pro quo attack is commonly presented to the target as a fake technical service that conveniently requires sensitive information to succeed. The attacker, impersonating an IT support technician, aims to infect a targeted system by offering assistance to a victim experiencing technical difficulties.
Source: See attachment - Breda, F., Barbosa, H., & Morais, T. (2017, March). Social engineering and cyber security. In International Technology, Education and Development Conference (Vol. 3, No. 3, pp. 106-108).
-
31. Quid pro quo
How do you remediate this social engineering attack?
-
32. Tailgating
Tailgating (also known as piggybacking) is when a person follows someone who is authorised to enter a restricted area or pass a checkpoint, without presenting credentials of their own.
Remediations use a combination of the following:
- Smart cards house multiple credentials on one card.
- Security guards can visually confirm that a badge matches the holder.
- Turnstiles serve as a physical barrier and are good for high-volume traffic.
- Laser sensors can detect multiple people passing on a single badge swipe.
- Biometrics deter employees from sharing credentials.
- Long-range readers can be used in parking lots and garages.
- PINs can be added to card readers.
- Camera analytics enable remote facial recognition.
- Visitor badges ensure temporary guests are documented.
- Mantraps or airlocks require two separate identification steps and admit one person at a time.
-
33. Tailgating
How can you remediate the social engineering attack?
Social engineering: general remediation actions
-
34. Shoulder surfing
Shoulder surfing is a technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder.
Remediation: Always be aware of your surroundings when working with sensitive data. Look for cameras or people who can view your screen or printed paper, use a privacy screen filter when working in public places, and shield the keypad when entering a PIN.
-
35. Shoulder surfing
How do you remediate the following social engineering attack?
-
36. Unclean desk
A clean desk policy ensures that all important documents, confidential letters, binders, books, etc. are removed from the desk and locked away when they are not in use or when the employee leaves the workstation. It is one of the top strategies for reducing the risk of security breaches.
-
37. Unclean desk
What could be the impact of an unclean desk?