Technology Tap
Cybersecurity Fundamentals : Hacking Humans: The Art of Social Engineering Chapter 2 Part 2
Cybersecurity isn't just about firewalls and antivirus software—it's about understanding the complex interplay between technical systems and human psychology. In this continuation of our Security+ series, we explore the multifaceted world of attack surfaces, threat vectors, and social engineering techniques that cybercriminals employ.
We start by breaking down what constitutes an attack surface—those vulnerable points where unauthorized users might attempt to breach your systems. From physical hardware and network components to applications and human elements, each represents a potential entry point for attackers. We then explore the pathways attackers use to exploit these vulnerabilities, from vulnerable software and network vectors to more devious approaches like lure-based and message-based vectors.
The episode takes a deep dive into social engineering—the art of manipulating human behavior rather than exploiting technical flaws. Through real-world examples, including my own experience with an attempted password reset scam, we demonstrate how attackers use techniques like impersonation, pretexting, phishing, and business email compromise to bypass even the most sophisticated security systems. One of my students shared how his sister's company lost $10,000 when an attacker impersonated the vacationing CEO and requested a wire transfer—a stark reminder that human vulnerabilities often pose the greatest security risk.
Whether you're studying for Security+ certification or simply want to better protect yourself and your organization, this episode provides essential insights into the psychological aspects of cybersecurity. Understanding these concepts is crucial not just for IT professionals, but for everyone who uses digital technology. Have you ever encountered a social engineering attempt? How did you recognize and respond to it?
If you want to help me with my research please e-mail me.
Professorjrod@gmail.com
If you want to join my question/answer zoom class e-mail me at
Professorjrod@gmail.com
Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions
Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod
Welcome to Technology Tap. I'm Professor J-Rod and this episode is Chapter 2, Part 2 of our continuing series on Security+. Let's get into it. All right, so we're at Chapter 2, Part 2 of our series on Security+. So when we left off, we were at: what is an attack surface? The attack surface is the total set of points where an unauthorized user or an attacker could attempt to enter or extract data from a system or network. Types of attack surface: one, physical: hardware ports, USB, workstations. Two, network: open ports, unsecured Wi-Fi, routers. Three, applications: APIs, web apps, code vulnerabilities. Four, human: social engineering, phishing, manipulation of staff. Five, supply chain: third-party software and hardware vulnerabilities.
Speaker 1: What are threat vectors? Threat vectors are the methods or pathways an attacker uses to exploit a vulnerability in the attack surface. Common attack vectors by category: one, vulnerable software: unpatched systems, zero-day vulnerabilities, unsupported legacy software, poor code quality or insecure design, agentless versus client-based configurations. Two, network vectors: unsecured networks, lack of encryption or segmentation, open service ports, remote access, default credentials, wireless, cloud or Bluetooth exploits. Three, lure-based vectors: baiting targets with malicious content, removable media, Trojan horse programs, infected documents, exploitable image files or PDFs. Four, message-based vectors: phishing, vishing, smishing, instant messages, social media messages with malicious links, and chatbot exploitation. And last, supply chain vectors: compromised third-party vendors, tampered software updates or hardware, infected open-source packages, mismanaged service providers. Mitigation strategies: implement defense in depth, perform regular vulnerability assessments, apply patches and updates promptly, use network segmentation and firewalls, educate users on social media tactics, vet third-party vendors and supply chains.
Speaker 1: Vulnerable software vectors are one of the most common and dangerous threat vectors used by attackers. These vulnerabilities exist in the design, code or configuration of software and are often exploited when systems are not properly secured or updated. What are software vulnerabilities? Well, it's a weakness or flaw in a program that can be exploited to cause unintended behavior, including data breaches, privilege escalation or system compromise. Common types of vulnerable software vectors: coding flaws, including buffer overflows, integer overflows, improper input validation and hard-coded credentials. Design weaknesses: weak authentication methods, lack of encryption for sensitive data, poor session management and insecure default settings. Unpatched or outdated software: known vulnerabilities in software not yet updated, exploited using public exploit kits, a common attack vector in ransomware and botnets. Unsupported or end-of-life software no longer receives security updates from the vendor. Example: Windows XP, still used in industrial systems even though there are no updates for it. Client-based versus agentless systems: client-based are more tightly integrated but may create local vulnerabilities; agentless rely on remote access protocols and can be misconfigured. Mitigation best practices: regularly patch and update, secure coding practices, vulnerability management programs, penetration testing, and software inventory and control.
Speaker 1: Next we go to network vectors. Network vectors are attack pathways that exploit vulnerabilities within a network or infrastructure. These attacks can originate locally or remotely and often target misconfigurations, weak encryption or insecure protocols. Key concept: a network vector is a method through which attackers gain access to systems or data by exploiting network-level vulnerabilities. Common network attack vectors: remote versus local. Remote: exploit a system over a network, for example an internet-facing service. Local: requires access to the internal network or the physical machine. Unsecured networks: lack of confidentiality, integrity and availability, for example open Wi-Fi or poorly segmented internal networks. Mitigation best practices: disable unused ports and protocols, use firewalls and segmentation, enable strong authentication or multi-factor authentication, encrypt communications, monitor network traffic and conduct regular scans.
Speaker 1: Then there are lure-based vectors, attack vectors that rely on social engineering or temptation to trick a user into initiating an exploit. These vectors often involve malicious files, devices or web content that appear trustworthy. A lure-based vector is an attack strategy where a threat actor uses enticing content or objects to provoke user interaction that leads to system compromise. Common types of lures: removable devices, USB drop attacks, placing infected media in a visible public space. Executable files: a game, an app or an installer that secretly contains malware. Document files: Word, Excel or PDF files with malicious macros or embedded scripts. Trojan horse: malware programs that appear useful but contain malicious code. Macro-based lures: Office documents prompting users to enable content. Image files: images that exploit vulnerabilities in a viewer application. And scripting files like Java, PowerShell or VBScript executing malicious code. An example that they use is the USB drive. A threat actor leaves a USB drive in an employee break room labeled "Payroll Records, Quarter Two." A curious employee inserts it into a workstation, executing an embedded malware payload that installs a remote access tool. Mitigation: educate staff, block USB ports and use device control management.
Speaker 1: Next, we have message-based vectors, which are attacks that exploit communication platforms to deliver malicious content or links, relying heavily on social engineering and user interaction. A message-based vector uses messages sent via digital communication channels (email, SMS, instant messages) to deceive a user into opening malicious attachments, clicking a harmful link or revealing sensitive information. Common message-based channels: email, SMS, instant messaging, social media and voice calls. Characteristics: impersonation, messages may mimic trusted sources. Urgency, immediate action is required; it's a classic trigger. Obfuscation, use of shortened URLs, typosquatting domains or spoofed email addresses.
Speaker 1: A multi-stage attack: a message leads to a fake site that installs malware and collects credentials. Examples. Phishing email: a user receives a message appearing to be from Microsoft 365 saying their password is expiring; the link leads to a fake login page. Smishing text: "Your package is delayed, click here to reschedule"; the link installs spyware on the phone. Slack message: an attacker posing as a colleague sends a fake PDF file containing ransomware. Vishing: a call to an IT help desk asking for multi-factor authentication reset codes or remote access. Defense measures: email filtering, URL filtering, user training, MFA implementation (that's multi-factor authentication), mobile security solutions, and monitoring and reporting tools.
Speaker 1: Next, we have the supply chain attack surface, which encompasses all the systems, vendors and processes involved in designing, developing, manufacturing and delivering products or services, and represents a growing area of cyber risk. A supply chain attack occurs when an attacker compromises a third-party service provider, vendor or partner to gain unauthorized access to a target organization. Instead of attacking the primary organization directly, the attacker infiltrates a trusted link in the chain. Common attack vectors: software updates, inserting malware into legitimate updates. Compromised builds, injecting malicious code during application build or release cycles. Counterfeit hardware, distributing tainted network devices, USB drives or Internet of Things components. Credential theft, attacks on vendor credentials used for remote access or maintenance. API exploits, exploiting insecure APIs between partners or services. And data exfiltration, where an attacker uses third-party access to quickly siphon off sensitive data. A real-world example of this is the SolarWinds attack in 2020. Threat actors compromised SolarWinds' Orion software update process, inserting a backdoor that was downloaded by 18,000 organizations, including the US government. Even well-established vendors can become unintentional conduits for attack.
Speaker 1: Next is social engineering. Social engineering is the art of manipulating, influencing or deceiving individuals to gain unauthorized access to information systems or a physical location: hacking the human instead of the technology. Core objectives of social engineering: reconnaissance, unauthorized access, malware execution and physical access. Common techniques are impersonation, pretexting, phishing, vishing, smishing, pharming, watering hole attacks and tailgating. Psychological principles exploited: authority, urgency, trust, scarcity and fear. Social engineering prevention tactics: security awareness training, teach users to recognize manipulation tactics. Phishing simulation, test employees' responses to fake attack attempts. Verification procedures, always confirm requests through trusted channels. Email and caller filtering, flag suspicious domains, block spoofed phone numbers. Reporting mechanisms, an easy process to report suspected social engineering attempts.
Speaker 1: Example: an attacker calls the front desk claiming to be from the IT department and urgently requesting remote access to a VP's machine due to a critical vulnerability. The receptionist, wanting to help and unaware of verification protocols, gives access, leading to a network breach. That happened to me. They called me once asking to change somebody's password. The guy called me and said, "Hey, I'm Frank in the Chicago office, can you change my password?" And the procedure is for me to call him back. I said, "All right, I'll call you back at the office," and he said he wasn't at the office, that he was home. So I said, "I'll call you at home," and I hung up on him, looked at the company directory, found his name and his number at home, and called him at home. He didn't pick up. I didn't change the password. Turns out that they were auditing us, and I actually did a good job.
Speaker 1: Human vectors. Human vectors are cybersecurity vulnerabilities that exploit human behavior rather than technical flaws. Attackers manipulate individuals to gain access to a system, data or a physical location, often the weakest link in security. Human vectors refer to exploitation paths that rely on people, not software or hardware, and are often involved in social engineering attacks and insider threats. Human vector techniques include phishing, vishing, smishing, pretexting, impersonation, tailgating, shoulder surfing and dumpster diving. Why do human vectors work? The attacker takes advantage of lack of awareness or training, trust in authority or colleagues, the desire to be helpful, stress or urgency, and routine behavior and predictability. You have three examples. Help desk scam: a caller pretends to be an executive locked out of their account.
Speaker 1: The help desk resets the password without verifying identity. That's what happened to me. Office intrusion: an attacker tailgates an employee through a locked door by carrying coffee and pretending to have lost their badge, and somebody says, "Oh yeah," and opens the door. Phishing success: a user clicks on an email disguised as a company survey and unknowingly installs malware. How to mitigate human vector risk: security awareness training, strict access controls, verification protocols, regular phishing tests and clear reporting channels, which means encouraging employees to report suspicious behavior promptly.
Speaker 1: Impersonation and pretexting. So impersonation and pretexting are social engineering techniques that manipulate trust and authority to deceive individuals into revealing sensitive information or granting access. Impersonation is the act of pretending to be someone else, typically a trusted individual, to gain unauthorized access. The common tactics are authority: pretending to be an executive. Familiarity: claiming to be a coworker or a vendor you work with. Persuasion: "Everybody else already approved this, I just need your okay." Urgency: "This must be done in five minutes or the network will go down." The methods they deliver this by are in person, email or phone calls, or social media profiles. Pretexting involves crafting a detailed, believable false narrative to trick the target into revealing confidential information or performing an action. Characteristics: exploits trust in known roles (HR, IT), is often supplemented by planted data or fake credentials, and may involve long-term setup (fake interviews, surveys, etc.). Examples: a fake IT audit, a survey for employee engagement, pretending to be a new hire, and journalists asking for comment. Defenses against impersonation and pretexting: verification protocols, the least privilege principle, security awareness training, access control, logs and cameras, and multi-factor authentication.
Speaker 1: Phishing and pharming. Phishing and pharming are two of the most common social engineering attacks used in cybersecurity. Both aim to deceive users into giving up sensitive information, but they differ in how the deception is carried out. Phishing is a deceptive communication tactic that tricks a user into taking an action, such as clicking a link or entering credentials on a fake website. Key characteristics: delivered via email, SMS, phone or social media; spoofs a legitimate source; and may include a malicious link. Types of phishing: spear phishing, targeted phishing aimed at a specific individual or organization. Whaling, targeting senior executives or high-level individuals. Smishing, phishing via text message. Vishing, phishing via phone. And angler phishing, using fake social media support accounts to scam victims. Pharming is a technical attack that redirects users from a legitimate site to a malicious one without their knowledge.
Speaker 1: How it works: DNS poisoning alters DNS records to send users to a fake site. Hosts file modification on a local computer redirects traffic. The user enters credentials, thinking the site is real. Mitigation strategies: security awareness training, email filtering and anti-phishing tools, DNS security, antivirus and endpoint protection, use of HTTPS and SSL, and browser alerts. For example, you get a phishing email saying "click here to verify your direct deposit" and it links to your company's payroll, or you think it does. Or the DNS entry for bank.com, let's say, is poisoned and you go to a fake page that looks identical to the real site and you put in your credentials. Best practices: double-check URLs before clicking, use multi-factor authentication, never trust urgent requests for credentials or payments, use reputable DNS servers and monitor DNS logs.
Speaker 1: Typosquatting exploits human error. The attacker registers a domain that's one or two characters off from a well-known site. Instead of google.com they might have, like, extra O's in Google, right, instead of google.com, and builds a malicious or deceptive website on it. So you go to, like, Google with extra O's and then you go to a site that looks like Google but it's not really Google. Then you type in your username and password and they've got it. The goal: typosquatting domains are often used to steal credentials via phishing logins, deliver malware payloads, display ads or redirect to affiliate pages, damage brand reputations, and trick users into giving personal or payment info. Defense strategies to use: DNS filtering and web filtering, security awareness training, registering lookalike domains (Google does that), browser security extensions, enabling HTTPS and checking certificates. So, quick examples: instead of apple.com there may be a site called appllecom, right, and instead of linkedin.com it's LinkedIn with two D's, right. And instead of bankofamerica.com it's Bank of America but America is misspelled, and it's a fake banking login. You think you're on the Bank of America page, you put in your credentials, and they already have it. Next we'll move on to business email compromise.
Speaker 1: This is a targeted social engineering attack where threat actors use fraudulent emails to trick individuals and organizations, typically finance or executive teams, into transferring money or sensitive data. What's the goal? To trick victims into performing unauthorized actions: wiring funds or revealing sensitive data. Techniques: attackers impersonate trusted parties such as a CEO, vendor or business partner via email; highly targeted, often involving research and pretexting. The victims are usually the CEO, right. They go for the higher-ups. Invoice fraud, right: they impersonate a vendor sending an invoice with updated banking info. Compromise: the attacker hijacks a real internal email account and sends fraudulent messages.
Speaker 1: Attorney impersonation: posing as legal counsel to pressure urgent, confidential actions. And payroll redirection: requests to update direct deposit info to attacker-controlled accounts. Actually, I had this happen, not happen, but I wanted to change my direct deposit at one of my jobs and I sent them one email. They ignored it. I sent another one. Then they called me and they said, "Hey, is this you asking to change your direct deposit?" I'm like, "Yeah, that's me." And then the lady told me, "Yeah, we've been getting a lot of fraud, so I have to call you." I'm like, "Yeah, that's fine."
Speaker 1: Techniques used: email spoofing, domain impersonation, urgency and authority cues, pretexting, and pharming or fake portals. Mitigation strategies: multi-factor authentication, email filtering, security awareness training, verification protocols and segregation of duties. You see a lot of these things overlap, especially the social media ones. Example: a finance officer receives an email that appears to be from the CEO requesting a wire transfer to a vendor. The email is urgent, written professionally and includes what looks like the vendor's new banking info. Without verifying it by phone or another channel, the officer processes the transfer and the money is gone.
Speaker 1: Actually, this happened with a student of mine. He told me that where his sister worked, the CEO was on vacation and somebody impersonating him emailed his secretary and said, "Wire me $10,000." And she did, and then he never responded. And when he came back she said, "Hey, did you get the $10,000?" He goes, "What $10,000?" It was already too late. They took the money. The bad guys took the money. So that's a lesson to be learned. All right, that's going to do it for Security+ Chapter 2, Part 2 in 701 Security+. Hope you enjoyed this topic. Next time we will go on to Chapter 3, but, like I said before, we might do, like, the history of the floppy. I want to get into that just to take a break, just for some people who maybe are not studying Security+ and don't want to hang on to this 16-week chapter that I've committed myself to doing. So next time we're going to do the history of the eight-inch floppy. That's coming up next on Technology Tap. So you
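A small checker for the lookalike domains discussed in the typosquatting and pharming segments of the episode, added here as a worked example; it is not code from the podcast or its author. The protected-domain list, the confusable-character table and every sample URL are constructed for illustration. It flags the tricks the episode names (extra or swapped letters, a look-alike character such as a zero for an O, a brand name buried in a subdomain, the wrong top-level domain) and also the "user@host" URL trick, where the brand appears before the @ but the browser connects to the host after it.

```python
"""Lookalike-domain checker (added example; brand list and samples are constructed)."""
from urllib.parse import urlsplit

# Assumption: the organisation keeps a short list of domains it wants to protect.
PROTECTED_DOMAINS = ["google.com", "apple.com", "linkedin.com", "bankofamerica.com"]

# Visually confusable sequences commonly used in lookalike domains. Both the
# suspect label and the brand label are run through the same table, so only the
# resulting "skeletons" are compared (order matters: '1' -> 'l' -> 'i').
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("cl", "d"), ("l", "i")]


def skeleton(label: str) -> str:
    """Collapse confusable character sequences to one canonical form."""
    for confusable, canonical in CONFUSABLES:
        label = label.replace(confusable, canonical)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap two
    adjacent characters, each costing 1 (exactly the edits typosquatters rely on)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. A real deployment should consult the Public
    Suffix List so that names like 'example.co.uk' are handled; this is a simplification."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host, protected=PROTECTED_DOMAINS, max_distance=2):
    """Return (verdict, matched protected domain or None) for a host name."""
    host = host.lower().rstrip(".")
    domain = registrable_domain(host)
    if domain in protected:
        return ("legitimate", domain)
    sld = domain.partition(".")[0]          # second-level label, e.g. 'g00gle'
    dotted_host = "." + host + "."
    for p in protected:
        p_sld = p.split(".")[0]
        if ("." + p + ".") in dotted_host:   # login.apple.com.verify-account.net
            return ("brand_in_subdomain", p)
        if sld == p_sld:                     # bankofamerica.co: right name, unlisted TLD
            return ("wrong_tld", p)
        if skeleton(sld) == skeleton(p_sld):  # g00gle.com, 1inkedin.com
            return ("homoglyph", p)
        if osa_distance(sld, p_sld) <= max_distance:  # appple.com, gogole.com
            return ("typosquat", p)
        if p_sld in sld:                     # apple-id-support.net
            return ("brand_embedded", p)
    return ("unrelated", None)


def classify_url(url: str):
    """Parse the URL the way a browser does, so 'https://google.com@evil.example/'
    is seen as a connection to evil.example with 'google.com' as the user name."""
    parts = urlsplit(url if "//" in url else "//" + url)
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    if parts.username is not None:
        return ("userinfo_trick", parts.hostname)
    return classify_host(parts.hostname)


if __name__ == "__main__":
    # Constructed sample links, the kind a phishing or smishing message might carry.
    for sample in ["https://accounts.google.com/signin", "http://g00gle.com/login",
                   "gogole.com", "https://login.apple.com.verify-account.net/",
                   "https://bankofamerica.co/", "https://google.com@evil.example/",
                   "https://example.com/"]:
        print(f"{sample:45} -> {classify_url(sample)}")
```

The edit-distance threshold of 2 catches one or two stray characters, which is what the episode describes, but it also means very short brand names will collide with ordinary words; in practice the protected list is kept to a handful of names and hits are routed to a reviewer or a DNS/web filter rather than blocked blindly. Registering the lookalikes this script would flag (the "Google does that" point above) removes them from an attacker's reach entirely.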