5 Tricking our way in: Social engineering


This chapter covers

  • Learning how to spot and challenge potential social engineering
  • Spotting and stopping phishing attacks
  • Defending against complex attacks
  • Using multi-factor authentication to protect against password and ID theft
  • Using Operational Security (OPSEC) principles to spot and address security flaws

Social engineering is the psychological manipulation of someone, with the goal of getting them to do what we want. In this chapter, we will explore how attackers use various types of social engineering to plant malware and steal credentials. We’ll also learn how to stop them.

You’ll need to have read chapter 4 to get the most out of this chapter; social engineering builds on the common attacks we covered there. As we explore social engineering, the focus will be on our personal behavior—how social engineering affects and exploits us—to extend this new understanding (and best practices to combat it) to our employees and colleagues.

5.1 The weakest link: People

A lot of people who work in security come from an IT, technology-focused background, which makes sense, because you need to have a really broad understanding of IT to do well in security. The downside, of course, is that this means people tend to lean toward technology solutions first.

5.2 Malicious USB

5.2.1 USB devices with malware

5.2.2 BadUSB: USB devices that attack your laptop and phone

5.2.3 Evil maid attacks

5.3 Targeted attacks: Phishing

5.4 Credential theft and passwords

5.4.1 Store passwords more securely

5.4.2 Make it easier to use unique, complex passwords

5.4.3 Stop relying on just a password to protect your accounts

5.5 Building access cards

Summary
