
Day 5: #100DaysofInfoSec - Social Engineering Attacks & Techniques Study Session with BCA

Sep 15, 2021

We are back with Part 2. This blog contains the terms and definitions covered in the study session with the Black Cybersecurity Association. Personally, I will use this as a study guide and a reference.

Overall goal of the Cybersecurity Industry

The CIA Triad: where does it fit?

Confidentiality: how do I protect confidential data?

Integrity: how do I make sure nothing has changed?

Availability: making sure services are up and running. Example: redundancy.

Non-repudiation: if I send you data, you know I sent it to you. Example: digital signatures.

Impersonation is a tactic of social engineering.

Dominate or charm targets into revealing or providing access

Exploit weak authentication over telephone / IM / email

Reasons for effectiveness:

  • Familiarity / liking

  • Consensus / social proof

  • Authority and intimidation

  • Scarcity and urgency

Trust and surveillance

These are also part of reconnaissance.

Reconnaissance is a preliminary survey to gain information.

Dumpster diving is part of reconnaissance; what the attacker finds helps them build that trust. When you dump things in the trash, someone can retrieve them and piece it all together.

Shoulder surfing for password observation

A lunchtime attack can be a big risk for government employees, because they normally take lunch around the same time. That leaves unattended workstations, so an attacker can attempt a brute-force attack or make use of a still logged-in user session.

Tailgating and piggybacking to gain entry

We went over the MITRE ATT&CK Matrix. MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. This is really a great resource to utilize.

Phishing / Whaling

Using spoofed electronic communications to trick a user into providing confidential information

Spoof emails or faked/hacked websites

Spear phishing/whaling

  • Targeted attacks

  • Targeting senior management, executives and board members

Phishing is an Initial Access technique in the MITRE ATT&CK matrix.

How Spear Phishing Works!

  1. An attacker distributes emails

  2. User clicks on an attachment

  3. Malware is installed - BOOM - the target system is exploited

  4. Worm spreads and EXPLOITS other systems on the LAN

  5. DATA IS STOLEN

  6. DATA EXFILTRATION BEGINS

Vishing

Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information (bank details, credit card numbers).

Vishing Scams:

  • Bank Impersonation

  • Tech Support Fraud

  • Extended car warranty scams

Common Vishing Techniques

Wardialing 

The cybercriminal uses software to call specific area codes, using a message that involves a local bank, business, police department, or other local organization.

Example:  An attacker can make it seem as though the police department is calling you

VoIP

VoIP makes it very easy for cybercriminals to create fake numbers and to hide behind these. These numbers are hard to track and appear to be local.

Caller ID Spoofing

The cybercriminal hides behind a fake phone number/caller ID

Smishing

Uses text messages to steal information and commit further cybercrimes

Pharming

The fraudulent practice of directing internet users to a bogus website that mimics the appearance of a legitimate one, to obtain personal information

Pharming Techniques

Pharming Malware

(DNS changers/hijackers)

  • Infect a victim’s computer and stealthily make changes to the victim’s hosts file.

  • Blocks access to cybersecurity sites, preventing victims from downloading software to remove the DNS changer malware
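The hosts-file tampering described above leaves an artifact a defender can check for. The following is an added example, not code from the study session or the BCA: it parses a hosts file, skips the normal loopback names, and reports any real domain that has been sinkholed (pointed at 127.0.0.1 or 0.0.0.0, which blocks it) or redirected elsewhere. The watched domains and the sample hosts content are constructed placeholders.

```python
"""Detect hosts-file tampering of the kind pharming malware (DNS changers) leaves behind."""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file (assumed baseline).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "ip6-allnodes", "ip6-allrouters", "broadcasthost"}

# Domains the organisation cares about (bank, security vendor); placeholders, not real sites.
WATCHED_DOMAINS = ("bank.example", "antivirus.example")

# Constructed sample hosts file: the first two lines are normal, the rest mimic a DNS changer.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.7 www.bank.example bank.example   # redirect to attacker-controlled host
0.0.0.0     updates.antivirus.example       # sinkhole: blocks security-vendor updates
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, ignoring comments and malformed lines."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for name in fields[1:]:
            yield line_no, ip, name.lower()


def is_watched(name, watched=WATCHED_DOMAINS):
    """True if the hostname is one of the watched domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in watched)


def scan_hosts(text, watched=WATCHED_DOMAINS):
    """Return findings for every non-local name: 'blocked' (sinkholed) or 'redirected'."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        findings.append({"line": line_no, "name": name, "ip": str(ip),
                         "kind": kind, "watched": is_watched(name, watched)})
    return findings


if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['name']} -> {f['ip']} ({f['kind']}, watched={f['watched']})")
```

On a real machine you would feed `scan_hosts` the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` and treat entries for internal hostnames as expected baseline noise.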

DNS Poisoning

(DNS spoofing)

  • Takes advantage of exploits in the software that controls DNS servers to hijack the servers and reroute web traffic

  • Goes after the companies that run and maintain internal DNS servers

5 Tips for Avoiding a Whaling Attack

  1. Educate employees about whaling attacks and how to identify phishing emails

  2. Flag all emails that come from outside of the organization

  3. Discuss use of social media with the executive team as it relates to whale phishing

  4. Establish a multi-step verification process for all requests for sensitive data or wire transfers

  5. Exercise data protection and data security policies

We did a few real-world phishing scenarios where we had to pick out the fake email.

We also did a social engineering attack performance-based question.

I told you it was a great study session! We covered so much information! 

Hope you all enjoyed!

Buy A. Rich the CyberMom a coffee

More from A. Rich the CyberMom