Avoiding Social Engineering

(OBJ 5.6)

Social Engineering

• Involves deception to manipulate individuals into breaching security procedures
• Attacks exploit human psychology and often appear innocent
• Awareness and vigilance serve as the first line of defense against social engineering attacks

Maintaining Situational Awareness

• Situational Awareness
  • Mindfulness about surroundings and actions
  • Understanding potential consequences of one's actions
• Essential to avoid social engineering attacks
• Examples of social engineering threats
  • Shoulder surfing
    • An attacker may peak over one's shoulder to try to view any sensitive data on one's screen
    • Especially in public spaces
  • Eavesdropping
    • An attacker tries to listen to private conversations or meetings to breach security
• Measures to counter threats
  • Privacy screen protectors
  • Secure discussions
    • Sound secure areas

Piggybacking and Tailgating

• Social engineers may try to enter secured premises by closely following authorized personnel
• An unauthorized individual closely follows someone with legitimate access to slip into secure premises
• Use access control vestibules to restrict entry to one person at a time
• Maintain situational awareness to prevent unauthorized access

Dumpster Diving

• Attackers sift through garbage for discarded information to build a comprehensive profile of confidential information
• Employees with situational awareness can spot such activities
• Dispose of sensitive data securely to avoid being a victim of this attack

Operational Security (OPSEC)

• Stresses data protection against social engineers for business aspects such as routines, project details, and internal procedures
• Protects critical information from being used by adversaries
• Safeguard sensitive data, daily routines, and internal procedures
• Discourage sharing seemingly innocuous details on social media or during personal interactions

Technological Social Engineering Attacks

• Baiting attacks use removable media devices (e.g., USB thumb drives) and charging cables
• Picking up or connecting found devices can infect workstations or networks with malware
• Carry your own charging cables and chargers to avoid untrusted ones
  • Cables such as charging cables in public areas may also be used as bait to attempt to infect a device

Pressure Tactics

• Social engineers may use a sense of urgency or fear to manipulate individuals
  • "Using cons"
• Urgent requests aim to bypass normal security protocols
• People are more likely to make mistakes when rushed into action, so this techniques are often effective

Proactive Culture of Security

• Train employees on cybersecurity regardless of their position in the company
• Educate on recognizing phishing attempts, data privacy, and safe online behavior
• Encourage employees to report suspicious activities
• Conduct practical exercises, like simulated phishing attacks, to test and remediate employees' responses
• Remediate individuals who fall for simulated attacks