In this lesson, we're going to focus on the different types of social engineering attacks, including phishing, tailgating, piggybacking, shoulder surfing, eavesdropping, and dumpster diving. Now, before we get into the specific attacks, let's define social engineering. Social engineering is any attempt to manipulate users into revealing confidential information or performing other actions that are detrimental to that user or to the security of our systems. Social engineering is always focused on the human element: trying to find a way to bypass our systems' technical controls by simply hacking the human instead of hacking the technology. For example, if I wanted to break into your wireless network and I found that you had implemented a long, strong password for your WPA2-AES encrypted network, it could take me years upon years to brute force that password. But if I instead figure out a way to trick you or your users into sharing that password with me, I might be able to access the network by the end of the day.

That's the idea of social engineering. In most of our networks, the weakest link in our security is our end users and our employees. This is why conducting good end user cybersecurity training is so important to the security of your organization. So, let's take a look at a few social engineering attacks.

The first one we have is phishing. A phishing attack occurs when an attacker sends an email in an attempt to get a user to click a link. For example, if an attacker sends an email claiming they're from PayPal and asking you to confirm your account information, this is a prime example of a phishing attack. In this example, the attacker may include PayPal's logo, the same format that PayPal normally uses in their emails, and other things that make it appear legitimate. But if you or your users click on that link, it would instead take you to a PayPal login page hosted on the attacker's site, where they're going to try to get you to log in by entering your username and your password. Now they have your account details and can steal any money you may have in your account.

Now, how many people do you think fall for this? Well, you'd actually be really surprised, because the answer is a lot of people. In phishing attempts that I've done as part of a penetration test, I've personally seen response rates as high as 60% or 70% of users clicking the links inside those emails. Even when I include things like bad grammar, poor spelling, improper logos, and other things like that, users still end up clicking the links at a rate of about 30% to 40%. This means phishing works really well for an attacker, and it's really hard for us to prevent. Now, phishing is a bad thing, and the best thing you can do to prevent it is really train all of your end users and make them aware of it.

Now, phishing itself takes one of three forms: phishing, spear phishing, or whaling. Phishing is the broadest of the three. In a phishing campaign, an attacker isn't really targeting any particular person or group, but instead sends out emails that are likely to capture the most people. For example, the PayPal phishing email I mentioned earlier is a great form of phishing because there are over 377 million PayPal users. So, if I just sent out that email to every email address I had, most likely a lot of those people are going to have PayPal accounts, and they'll possibly click the links in my email.

Spear phishing, on the other hand, is more targeted. For example, let's pretend that you are a member of a small local bank called DT Savings and Loan. Now, unfortunately, DT Savings and Loan had a data breach last year, and that resulted in the names and emails of all their account holders being downloaded by that attacker. That list is now on the dark web. Now, an enterprising young hacker decides to craft a spear phishing email that targets a hundred of the users on that list. In that email they create, they pretend to be from DT Savings and Loan, and they only send this email to people they know have accounts at DT Savings and Loan. You see the difference? Instead of sending the email to a million people and hoping some of them have a PayPal account, we are now targeting people we know have a banking relationship with DT Savings and Loan.

The final type of phishing we have is known as whaling. Whaling is like spear phishing, but it's focused on key executives within an organization, such as your CEO, COO, CFO, CIO, and many other key leaders, executives, and managers within your company.

Now, the second type of social engineering attack we have is known as tailgating. Tailgating occurs when an attacker attempts to enter a secure portion of the organization's building by following an authorized person into that area without their knowledge or consent. For example, if I just went up to the server room door, swiped my access badge, and entered my PIN, the door would beep and unlock, and I could walk in because I'm on the authorized personnel list. Now, as I open the door and walk through, but before the door shuts behind me, somebody could sneak in and get in there without my knowledge. That would be tailgating. For this reason, you should always train your employees to pull the door shut behind them and not simply walk away in hopes that the force of gravity is going to shut the door for them.

Now, the other side of this is known as piggybacking. This is similar to tailgating, but it occurs with the employee's knowledge or consent. Piggybacking might occur when an attacker walks up to a secure area carrying a bunch of boxes and nicely asks somebody to open the door for them because their hands are full. If the employee, trying to be nice, opens the door and lets the attacker walk into the building, this is known as piggybacking, because two people are entering on one swipe of the employee's access card.

The next social engineering attack we have to talk about is known as shoulder surfing. Shoulder surfing occurs when an attacker comes up behind an employee and tries to use direct observation to obtain authentication information. For example, you're sitting at your desk and you're logging into your computer in the morning. If I were to walk up near you and look over your shoulder as you typed in your password, I might see your fingers start going P-A-S-S-W-O-R-D, password. Now I know what your password is. This is the idea of shoulder surfing, because I looked at your hands as you were typing. Usually it won't be as obvious as me standing right behind you and looking over your shoulder, but it can take a lot of different forms. Maybe I work at the desk next to yours, and I glance over at your computer screen and see your bank balance or your credit card number or something like that. Any kind of information that someone is able to see that they're not really authorized to see could be gained using shoulder surfing.

In the same way that I can use my eyes to conduct shoulder surfing, I can also use my ears to conduct eavesdropping. Maybe I'm going to stand around while you're talking with your boss, and I overhear you telling him some information about the projections for next quarter's profits. By listening to your conversation and doing that direct observation with my ears, I'm now able to listen in on that conversation and get the information that I might want to get.

The final method of social engineering we have is known as dumpster diving. Dumpster diving occurs when an attacker actually scavenges for personal or confidential information inside the garbage or recycling containers. Yes, I know it sounds dirty. But guess what? This works really well. And so, hackers are willing to do it, because they will find some really great information inside those dumpsters. If an attacker needs to break into an organization, they're first going to look through your trash for clues. For example, maybe I can perform dumpster diving against an organization before I do a pen test, and from there I can find a phone list. Now I have people's names and their positions and their phone numbers, and maybe even their emails. All of this is great information for me to use.

So, how do you prevent an attacker from gaining access to your information using dumpster diving? Well, you either need to shred your paperwork using a crosscut shredder prior to throwing it away, or you need to use a locked trash can that only your organization and the waste management company have access to.