We are back with Part 2. This blog post contains the terms and definitions covered in the study session with the Black Cybersecurity Association. Personally, I will use this as a study guide and a reference.
Overall goal of the cybersecurity industry
The CIA Triad: where does it fit?
Confidentiality - How do I protect confidential data so that only authorized people can read it? Ex: encryption, access controls
Integrity - How do I make sure nothing has changed? Ex: hashing
Availability - Making sure services are up and running. Ex: redundancy
(Non-repudiation) - If I send you data, you can prove that I sent it and I cannot later deny having sent it. Ex: digital signatures
Impersonation is a tactic of social engineering.
Dominate or charm targets into revealing or providing access
Exploit weak authentication over telephone / IM / email
Reasons for effectiveness:
Familiarity / liking
Consensus / social proof
Authority and intimidation
Scarcity and urgency
Trust, and surveillance of the target, which is also part of reconnaissance
Reconnaissance is a preliminary survey to gain information.
Dumpster diving is part of reconnaissance: documents and media thrown in the trash can be retrieved and pieced together, and the details learned are what the attacker later uses to build trust with the target.
Shoulder surfing for password observation
Lunchtime attack: using a workstation that was left unlocked and logged in while the user is away. This can be big for government employees because they normally take lunch around the same time, so an attacker knows exactly when desks will be empty and can use an unattended session or try to get into a user's login.
Tailgating and piggybacking to gain physical entry
We went over the MITRE ATT&CK Matrix. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. This is really a great resource to utilize.
Phishing / Whaling
Using spoofed electronic communications to trick a user into providing confidential information
Spoofed emails or faked/hacked websites
Spear phishing / whaling: targeted attacks aimed at specific individuals rather than mass mailings
Whaling targets senior management, executives, and board members
Phishing is an Initial Access technique in the MITRE ATT&CK matrix
How Spear Phishing Works!
The attacker sends targeted emails to the chosen victims
A user clicks on the attachment
Malware is installed (BOOM) and the target system is exploited
The malware spreads like a worm and exploits other systems on the LAN
Data is collected from the compromised systems
Data exfiltration begins
Vishing
Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies, in order to induce individuals to reveal personal information (bank account or credit card numbers).
Vishing Scams:
Bank Impersonation
Tech Support Fraud
Extended car warranty scams
Common Vishing Techniques
Wardialing
The cybercriminal uses software to automatically dial numbers in specific area codes, playing a recorded message that references a local bank, business, police department, or other local organization.
Example: An attacker can make it seem as though the police department is calling you
VoIP
VoIP makes it very easy for cybercriminals to create fake numbers and hide behind them. These numbers are hard to trace and can be made to appear local.
Caller ID Spoofing
The cybercriminal hides behind a fake phone number/caller ID
Smishing
Uses text messages to steal information and commit further cybercrimes
Pharming
The fraudulent practice of directing internet users to a bogus website that mimics the appearance of a legitimate one, to obtain personal information
Pharming Techniques
Pharming Malware
(DNS changers/hijackers)
Infects a victim's computer and stealthily changes the victim's hosts file or DNS settings so that trusted domain names resolve to attacker-controlled addresses
Blocks access to cybersecurity sites, preventing victims from downloading software to remove the DNS changer malware
DNS Poisoning
(DNS spoofing)
Takes advantage of exploits in the software that runs DNS servers to insert false records and reroute the web traffic of everyone who relies on that server
Goes after the companies that run and maintain DNS servers, including internal ones
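The hosts-file changes described under pharming malware are easy to check for. Below is an added example (not from the study session) that parses hosts-file text and reports both things a DNS changer does to it: pinning a real site's name to an attacker address, and sinkholing security-vendor sites so the victim cannot download removal tools. The watch lists, the vendor names and the sample file content are constructed for the demo; on a real machine you would point audit_file at /etc/hosts (Linux, macOS) or C:\Windows\System32\drivers\etc\hosts.

```python
"""Auditing a hosts file for DNS-changer (pharming) tampering.

Added example, not from the study session. The watch lists and the sample
hosts content below are constructed; audit_file() reads a real file.
"""
import ipaddress

# Names that should only ever be resolved through real DNS, never via hosts.
WATCHED_SITES = {"bank.example.com", "login.example.net"}                 # constructed
SECURITY_SITES = {"update.securityvendor.example", "downloads.av.example"}  # constructed
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])    # validates IPv4 and IPv6
        except ValueError:
            continue                                # not a hosts entry, skip
        for host in fields[1:]:
            yield str(ip), host.lower()


def audit_hosts(text: str) -> list:
    """Return (finding, hostname, ip) tuples for entries a DNS changer would add."""
    findings = []
    for ip, host in parse_hosts(text):
        if host not in WATCHED_SITES and host not in SECURITY_SITES:
            continue                                # localhost, dev overrides: fine
        if ip in SINKHOLE_IPS:
            # Blackholing a vendor's update/download site keeps the malware alive.
            findings.append(("BLOCKED_SITE", host, ip))
        else:
            # A public name pinned to an address bypasses DNS entirely.
            findings.append(("REDIRECTED_SITE", host, ip))
    return findings


def audit_file(path: str) -> list:
    """Audit a hosts file on disk, e.g. /etc/hosts."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed hosts file as a DNS changer might leave it.
TAMPERED_HOSTS = """\
127.0.0.1   localhost
::1         localhost
10.0.0.5    dev.internal            # legitimate developer override
203.0.113.7 bank.example.com        # real bank name pinned to attacker IP
0.0.0.0     update.securityvendor.example
0.0.0.0     downloads.av.example
not-an-ip   garbage.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(TAMPERED_HOSTS):
        print(*finding)
```

Keeping the check to a watch list avoids flagging the harmless overrides developers put in hosts files; a stricter version would report any public domain name at all, since nothing outside the local network normally belongs in that file.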
5 Tips for Avoiding a Whaling Attack
Educate employees about whaling attacks and how to identify phishing emails
Flag all emails that come from outside the organization, for example with an [EXTERNAL] tag in the subject line
Discuss use of social media with the executive team as it relates to whale phishing
Establish a multi-step verification process (for example, a call-back on a known phone number) for all requests for sensitive data or wire transfers
Enforce data protection and data security policies
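Tips 2 and 4 above, and the spear-phishing flow earlier on the page, can be turned into concrete header checks. Below is an added example (not from the study session) of the kind of triage a mail gateway or SOC script runs on an inbound message: tag senders outside the organization, spot an executive's display name on an address that is not theirs, catch lookalike domains and diverted Reply-To addresses, and notice urgency or payment wording. The internal domain example.com, the executive directory, the flag names and both sample messages are constructed for the demo.

```python
"""Tagging external mail and catching whaling-style sender impersonation.

Added example, not from the study session. The internal domain, executive
directory and sample messages are constructed; only the standard library is used.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                             # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # constructed directory
PRESSURE_WORDS = ("wire transfer", "urgent", "gift card")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze(raw_message: str) -> dict:
    """Return the sender address and a list of reasons the mail is suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []

    if from_dom != ORG_DOMAIN:
        flags.append("EXTERNAL_SENDER")                # tip 2: flag outside mail

    # Whaling signature: a known executive's display name on a foreign address.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append("EXEC_DISPLAY_NAME_MISMATCH")

    # Crude lookalike check: our registered name embedded in another domain
    # (example-mail.com, example.com.evil.net). Real gateways use edit distance.
    if from_dom != ORG_DOMAIN and ORG_DOMAIN.split(".")[0] in from_dom:
        flags.append("LOOKALIKE_DOMAIN")

    # Replies silently routed to a mailbox other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("REPLY_TO_MISMATCH")

    # Urgency and payment wording: the "scarcity and urgency" lever.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(word in text for word in PRESSURE_WORDS):
        flags.append("PRESSURE_WORDING")

    return {"from": from_addr, "flags": flags}


def subject_prefix(result: dict) -> str:
    """What the gateway prepends to the subject line for outside senders."""
    return "[EXTERNAL] " if "EXTERNAL_SENDER" in result["flags"] else ""


# Constructed sample: whaling attempt impersonating the CEO.
WHALING_SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.com>
Reply-To: ceo.office@mailhost.example.net
Subject: Urgent wire transfer before 5pm
Content-Type: text/plain

Please process the attached wire transfer today. I am in a meeting, reply here.
"""

# Constructed sample: ordinary internal message from the real executive.
INTERNAL_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
Subject: Board deck for Thursday
Content-Type: text/plain

Attached is the draft deck, comments welcome.
"""


if __name__ == "__main__":
    for sample in (WHALING_SAMPLE, INTERNAL_SAMPLE):
        result = analyze(sample)
        print(subject_prefix(result) + result["from"], result["flags"])
```

None of these flags by itself proves fraud; a single EXTERNAL_SENDER hit is normal business mail. The combination on the whaling sample (executive name, lookalike domain, diverted reply, payment urgency) is what should route a message to the multi-step verification process in tip 4 rather than straight to finance.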
We did a few real-world phishing scenarios where we had to pick out the fake email.
We also did a social engineering attack performance-based question.
I told you it was a great study session! We covered so much information!
Hope you all enjoyed!