Unit 4 Cyber Security

Social engineering exploits human psychology to gain unauthorized access to sensitive information, often through tactics like phishing, baiting, and pretexting. Insider attacks, which can be malicious or accidental, pose significant risks as they involve individuals with authorized access to company data. Effective defense strategies include regular security training, multi-factor authentication, and fostering a culture of skepticism among employees.

Uploaded by

bhavishyeah

Social Engineering

Social engineering uses human weakness or psychology to gain access to a
system, data, personal information, etc. It is the art of manipulating people,
and it typically relies little on technical hacking techniques. Attackers keep
inventing new social engineering practices because it is usually easier to
exploit the victim's natural inclination to trust than to break the technology.
For example, it is much easier to fool someone into handing over their password
than to crack that password. Sharing too much information on social media can
also help attackers: they can guess a password from personal details, or extract
a company's confidential information from employees' posts, and such details
have been used to take over victims' accounts.
How do Social Engineering Attacks Take Place?

Phishing scams are the most common type of social engineering attack these
days. Tools such as SET (Social Engineering Toolkit) make it easy to clone a
login page, but luckily many companies, such as Facebook, are now able to detect
phishing pages. That does not mean you cannot become a victim of phishing,
because attackers now use tricks such as hidden iframes to evade detection
techniques. A phishing page can also carry hidden code that performs cross-site
request forgery (CSRF), an attack that forces a logged-in user's browser to
execute unwanted actions on a web application. Example: in 2018 there was a
great rise in ransomware delivered alongside phishing emails. The attacker
usually sends an attachment under a subject like "Account Information", with a
common file extension such as .pdf, .docx or .rar. The user clicks, and the
attacker's job is done. The malware then encrypts the entire disk or the
documents, and decrypting the files requires a cryptocurrency payment, the
"ransom". Attackers usually demand Bitcoin or Ethereum because these are hard to
trace back to a real identity (they are pseudonymous rather than truly
untraceable). Here are a few examples of social engineering scams commonly
executed via phishing:

 Banking link scams
 Social media link scams
 Lottery mail scams
 Job scams

Types Of Social Engineering

There are many different types of social engineering attacks, each of which uses a
unique approach to exploit human weaknesses and gain access to sensitive
information. Some of these types include:
 Phishing: Phishing is a type of social engineering attack that involves sending
an email or message that appears to be from a legitimate source, such as a
bank, in an attempt to trick the recipient into revealing their login credentials
or other sensitive information.
 Baiting: Baiting is a type of social engineering attack that involves leaving a
tempting item, such as a USB drive, in a public place in the hope that someone
will pick it up and plug it into their computer. The USB drive is then used to
infect the computer with malware.
 Tailgating: Tailgating is a type of social engineering attack that involves
following an authorized individual into a secure area, such as a building or
data center, without proper authorization.
 Pretexting: Pretexting is a type of social engineering attack that involves
creating a false identity or situation in order to trick an individual into
revealing sensitive information. For example, an attacker might pretend to be a
customer service representative in order to trick an individual into giving them
their login credentials.
 Vishing: Vishing, or voice phishing, is a type of social engineering attack that
uses phone calls to trick individuals into revealing sensitive information.
 Smishing: Smishing is a type of social engineering attack that involves using
SMS messages to trick individuals into revealing sensitive information or
downloading malware.
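Phishing messages of the kind described above usually carry a few recognisable tells: a sender or link domain that only looks like the real one, link text that shows one address while the href points elsewhere, and language that pressures the reader to act at once. The following checker, added here as an example and not part of the original notes, runs those checks over two constructed messages. The trusted-domain list, the urgency phrases, the sample messages and the `check_message` helper are all assumptions made for the example; the crude "last two labels" domain rule is enough for the sample data but not for real TLDs such as `.co.uk`.

```python
"""Flag common phishing indicators in an email (added example; constructed data)."""
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the organisation genuinely uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Phrases that create pressure to act without thinking (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "suspended",
                   "verify your account", "within 24 hours")

# Matches <a href="...">visible text</a> in the HTML body.
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude eTLD+1: the last two labels (assumption; fine for the sample data)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label):
    """Undo visually confusable substitutions: rn->m, 0->o, 1->l, 3->e, 5->s."""
    return label.replace("rn", "m").translate(str.maketrans("0135", "oles"))


def classify_host(host):
    """Return a description of why the host is suspicious, or None if it is trusted/unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Trusted name buried as a subdomain: examplebank.com.verify-login.net
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return f"trusted domain used as subdomain of {reg}"
        brand = trusted.split(".")[0]
        label = normalise(reg.split(".")[0])
        if label == brand:
            return f"lookalike domain {reg} resembles {trusted}"
        if brand in label:
            return f"brand name embedded in untrusted domain {reg}"
    return None


def check_message(sender, subject, body_html):
    """Return a list of phishing indicators found in one message."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].strip(">")
    hit = classify_host(sender_host)
    if hit:
        findings.append("sender: " + hit)
    for href, text in HREF_RE.findall(body_html):
        href_host = (urlparse(href).hostname or "").lower()
        hit = classify_host(href_host)
        if hit:
            findings.append("link: " + hit)
        # Visible text that is itself a URL but points to a different host.
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"https?://", shown, re.I):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")
    haystack = (subject + " " + body_html).lower()
    urgent = [p for p in URGENCY_PHRASES if p in haystack]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    return findings


# Constructed sample messages.
PHISH = dict(
    sender="security@examp1ebank.com",
    subject="URGENT: account suspended",
    body_html='<p>Your account has been suspended. Verify your account within 24 hours:</p>'
              '<a href="http://examplebank.com.verify-login.net/x">https://examplebank.com/login</a>',
)
LEGIT = dict(
    sender="alerts@examplebank.com",
    subject="Your monthly statement is ready",
    body_html='<p>Sign in at <a href="https://examplebank.com/statements">'
              'https://examplebank.com/statements</a> when convenient.</p>',
)

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(name, check_message(**msg))
```

The constructed phishing sample trips four indicators (a lookalike sender, a trusted name hidden as a subdomain, a display-text/href mismatch, and urgency language) while the constructed legitimate statement notice trips none. In practice these checks belong in the mail gateway alongside SPF/DKIM/DMARC results rather than in the mail client.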

Insider Attack
Cyber attacks are attacks on computer networks, usually carried out over the
internet by skilled attackers. A main driver of the growth in cyber crime is our
ever-growing dependence on the internet. Over the years, the use of
internet-connected computer networks has increased enormously, and cyber
criminals have taken advantage of this demand for internet-related services to
attack the privacy of users and organisations that store their private
information on networked systems for convenience, among the many other
advantages of using the internet.
Here we discuss a very risky form of cyber attack, the insider attack, in
detail.

Insider Attack:
 Insider attacks get their name because they are carried out by people who
have inside access to information.
 The insiders may be current or former employees, business partners,
contractors, or security admins who have, or previously had, access to the
confidential information.
 Insider attacks are carried out by people who are familiar with the computer
network and hold authorised access to the information involved.
 This form of cyber attack is extremely dangerous because it is led by trusted
users whose legitimate access bypasses the defences built to keep outsiders out.
 Organisations mostly focus on protection against external cyber attacks and
rarely pay attention to internal ones.

Insider Types:

 Malicious Insider: Someone who intentionally misuses legitimate credentials,
usually stealing information for financial or personal gain. For example,
someone who has a score to settle with a former employer, or an opportunistic
employee who sells sensitive information to competitors.
 Careless Insider: An insider who unknowingly exposes the system to external
threats. This is the most common type of internal threat, and it is caused by
negligence rather than intent, for example when a device is left unprotected or
the user falls for a scam. A well-meaning employee might click on a malicious
link and infect a system with malware.
 Mole: An attacker who is technically an outsider but has gained insider access
to a privileged network.

Prevent Insider Threats

Insider threats are a type of security risk that arises when current or former
employees, who know the company's workings well, misuse the company's sensitive
data. These threats damage the company's reputation.

As the name suggests, an insider threat comes from someone inside your company
or organisation who steals sensitive data or harms the organisation. This
section gives a brief explanation of insider threats and their types, and the
defence strategies below cover how to prevent them.

Types of Insider Threats

Below are the types of insider threats:

 Malicious Insider: A person in the organisation steals sensitive data and
misuses it to damage the company's reputation, violating company policy.
Because the person already has the privileges to access the information, stealing
and misusing it is easy.
 Accidental Insider: As the name suggests, people in the organisation release
the company's sensitive information by mistake, for example by clicking a
malicious link and entering their company credentials, which the attacker then
steals. Two kinds of person cause accidental insider threats: the unwitting
person, who does not realise they are doing something harmful, and the careless
person, who ignores the security policy and leaks data.
 Third-party Insider: Third parties such as vendors and partners who have
access to the company's data steal sensitive information and misuse it.
 Disgruntled Employee: Unhappy employees, or employees who are leaving and are
dissatisfied with the job or work environment, may leak the company's sensitive
information.
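Because insiders act with legitimate access, prevention has to include looking at how that access is used. The script below, added as an example and not part of the original notes, runs four checks that map onto the insider types listed above over constructed file-access log lines: activity from a terminated (orphaned) account, access outside working hours, a third-party account reading outside its agreed scope, and a user downloading far more files in a day than their baseline. The roster, the scope table, the thresholds and the log lines are all constructed for the example.

```python
"""Flag insider-threat signals in constructed file-access logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed HR roster: account status on the review date.
ROSTER = {
    "alice": "active",
    "bob": "terminated",       # left last month; account was never disabled
    "carol": "active",
    "vendor-dave": "contractor",
}

# Constructed scope for third-party accounts: path prefixes they may touch.
SCOPE = {"vendor-dave": ("/vendor/",)}

BASELINE_DOWNLOADS_PER_DAY = 5   # constructed per-user daily baseline
WORK_HOURS = range(8, 19)        # 08:00-18:59 counts as working hours (assumption)

# Constructed log lines: "<ISO timestamp> <user> <action> <path> <bytes>".
LOG_LINES = [
    "2024-05-06T09:12:01 alice download /finance/q1.xlsx 40231",
    "2024-05-06T09:40:17 alice download /finance/q2.xlsx 41002",
    "2024-05-06T22:15:09 bob download /finance/q1.xlsx 40231",        # terminated, off-hours
    "2024-05-06T10:02:33 vendor-dave download /vendor/sow.pdf 12000",
    "2024-05-06T10:05:10 vendor-dave download /hr/salaries.csv 90211",  # outside vendor scope
] + [
    # carol pulls seven design documents in seven minutes, well above baseline
    f"2024-05-06T17:{m:02d}:00 carol download /eng/design-{m}.pdf 55000"
    for m in range(5, 12)
]


def parse(line):
    """Split one log line into a dict with a parsed timestamp."""
    ts, user, action, path, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "path": path, "bytes": int(size)}


def analyse(lines):
    """Return (user, signal, detail) tuples for every suspicious event."""
    findings = []
    downloads_per_day = defaultdict(int)
    for ev in map(parse, lines):
        user, ts = ev["user"], ev["ts"]
        status = ROSTER.get(user, "unknown")
        # Former employees and unknown accounts should have no activity at all.
        if status in ("terminated", "unknown"):
            findings.append((user, "orphaned-account", f"{status} account active at {ts}"))
        # Access outside working hours is worth a second look.
        if ts.hour not in WORK_HOURS:
            findings.append((user, "off-hours", f"{ev['action']} {ev['path']} at {ts.time()}"))
        # Third parties must stay inside the paths their contract covers.
        allowed = SCOPE.get(user)
        if allowed and not ev["path"].startswith(allowed):
            findings.append((user, "out-of-scope", ev["path"]))
        if ev["action"] == "download":
            downloads_per_day[(user, ts.date())] += 1
    # Bulk collection: far more downloads in a day than the user's baseline.
    for (user, day), count in downloads_per_day.items():
        if count > BASELINE_DOWNLOADS_PER_DAY:
            findings.append((user, "bulk-download",
                             f"{count} downloads on {day} (baseline {BASELINE_DOWNLOADS_PER_DAY})"))
    return findings


if __name__ == "__main__":
    for user, signal, detail in analyse(LOG_LINES):
        print(f"{user:12} {signal:17} {detail}")
```

On the constructed data this yields four findings (bob: orphaned account and off-hours access; vendor-dave: out-of-scope read; carol: bulk download) and nothing for alice. The orphaned-account check is the cheapest and most effective of the four: it only needs the HR leaver list joined against live accounts, which is exactly the gap the notes describe when former employees keep their access.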

Social Engineering Target

Social engineering targets are typically individuals or groups within an
organization who have access to valuable information or systems. These targets
often include employees in positions such as administrative staff, IT support,
customer service representatives, and even executives—anyone who can be
manipulated into revealing confidential information or performing actions that
compromise security. Attackers usually focus on people who are more likely to
respond to urgent requests or follow instructions without question, making
human psychology the main point of exploitation. By identifying and
manipulating these vulnerable targets, cybercriminals can bypass technical
security measures and gain unauthorized access to systems or data.

Defence Strategies

Defence strategies against social engineering focus on strengthening the human
element of cybersecurity through education, awareness, and proactive security
measures. One of the most effective strategies is regular security awareness
training, which teaches employees how to recognize and respond to social
engineering tactics such as phishing, pretexting, or baiting. Organizations should
also implement multi-factor authentication (MFA) and role-based access controls
to limit access to sensitive information. Encouraging a culture of skepticism—
where employees feel comfortable questioning unusual requests or verifying
identities—can significantly reduce risk. Additionally, conducting simulated social
engineering attacks can help assess and improve employee readiness. Overall,
combining technical safeguards with continuous employee education forms a
strong defense against social engineering threats.
