Cyber Security Awareness Month 2017:
Nugget 5
Combating Cyber Crimes 1
(Social Engineering)
Chinatu Uzuegbu
Cyber Security Consultant
CISSP, CISM, CISA, CEH, ITIL, MCSE, MCDBA
Previous Nugget Recap
• We looked at how the measures of protection could be ascertained using
some Vulnerabilities/Risk Assessment Methodologies.
• We discussed Vulnerabilities, Threats and Risks extensively.
• We looked at how we could tie the cost of each Security measure with the
actual value of the Assets.
• We looked at the Risk Equation, Risk Responses and Risk Analysis.
• We understood that Risks are attended to based on the result of the Risk
Responses and The Risk Analysis.
• We determined the Cost of the Counter Measure, which is compared with the Actual Value of the Asset. A Counter Measure is proffered if the Actual Value of the Asset and the Annual Loss Expectancy are less than the Cost of the Counter Measure.
• We finally looked at some basic facts in Risk Management.
In This Nugget:
Combating Cyber Crimes
• We take it up from the previous Nugget, where we discussed Vulnerabilities, Threats and the Risks that those Vulnerabilities could be exploited.
• We now look at the various Cyber Threats and the corresponding Counter Measures to combat them.
• The Counter Measures could be Preventive, Detective, Deterrent, Corrective, Recovery, Restoration, Compensating and Directive.
• The aim of the Counter Measures is to assure that the Assets are protected with adequate measures of Confidentiality, Integrity and Availability (the CIA Triad), as the case may be.
• Most of the Threats we would look at are categorised into Social Engineering, Denial of Service, Malware, Unauthorised Access breaches, Perimeter breaches, Un-Authentications, Outbound and Inbound threats, Zero-Day and Others.
• We would finally present the Threats with their corresponding Counter Measures in a Tabular Layout.
Combating Cyber Crimes :
Social Engineering
• Social Engineering is a way of tricking a Victim into handing sensitive information to an Attacker.
• It can also take the form of abusing a legitimate channel, such as the company’s website, so that the Victim innocently opens an illegitimate website by clicking on a link placed in the company’s website.
• Social Engineering attacks do not require technical know-how, only some skill in tricking the Victim and playing on the Victim’s intelligence.
• Social Engineering is one of the easiest ways for an attacker to gain access to unauthorised information; in fact, it has been steadily reported that Social Engineering attacks are the most common and successful Cyber attacks, accounting for about 91% of Cyber attacks.
• In Cyber Security it is important that no one is trusted by default: a little psychological manipulation by an unsuspected hacker could deliver highly sensitive information into the hands of the Attacker.
• It is also important to note that humans (employees) are the weakest link in Cyber Security; they could be used and manipulated at any point in time.
• Social Engineering Attacks include: Phishing, Spear Phishing, Pharming, Dumpster Diving, Shoulder Surfing, Watering Holes, Pretexting, Tailgating or Piggybacking, Whaling, Baiting, Quid Pro Quo and Others.
• We would discuss each of these attacks and their corresponding Counter Measures in the
subsequent slides.
Combating Cyber Crimes:
Phishing and Counter Measures
• Phishing is the act of using emails, messages or any other communication medium to trick a Victim into supplying personal information, typically by clicking on a malicious link in the email.
• The personal Information supplied is then used by the attacker to derive further information, such as Log-in details, which they would use for other malicious acts against the Victim. The information could also be used to extract information from Social Media.
• The personal information could be the Credit/Debit card details of the Victim, the names of the Victim, company details such as IP addresses, and others.
• The messages and emails are composed so convincingly that the Victim is easily deceived into feeding in the requested Information. In most cases the attackers use well-known details of the company, such as its domain name, to make the lure more enticing.
• The attackers in most cases use a short web address or embedded links to re-direct Victims to the malicious site, which hosts scripts that trigger further attacks and exploits.
• The main Counter Measure against Phishing attacks is Training and Security Awareness Courses.
• It is advisable to use simulated Phishing campaigns to drill staff and measure the level of Security knowledge they have acquired.
• Downloading Attachments or clicking on links in such emails should be avoided.
• The company should deploy spam filters and a firewall to filter out such emails and keep them out of employees’ reach.
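As an added example (not part of the original slides), the following Python check applies the phishing indicators this slide describes to constructed email samples: a sender or link domain that merely imitates the company’s domain, a shortened link, a link whose visible text shows a different address from where it actually goes, and a plain http:// link. The trusted domain, the shortener list and the three sample messages are assumptions made for the demo.

```python
"""Phishing-indicator check over constructed sample emails (added example, not from the slides)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation genuinely sends mail from and links to (assumed for the demo).
TRUSTED_DOMAINS = {"example-bank.com"}
# Public URL shorteners: a shortened link hides its real destination from the reader.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+', re.I)
TAG_RE = re.compile(r"<[^>]+>")


def host_of(url):
    """Lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def normalise(host):
    """Undo common look-alike substitutions (examp1e -> example, rn -> m, vv -> w)."""
    return host.replace("rn", "m").replace("vv", "w").replace("1", "l").replace("0", "o")


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is genuine or unrelated.
    Covers a trusted name buried inside another domain (example-bank.com.account-check.net)
    and character-substitution tricks."""
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None  # the trusted domain itself or one of its real subdomains
        if trusted in host or normalise(host).endswith(normalise(trusted)):
            return trusted
    return None


def body_text(msg):
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse_email(raw_message):
    """Return (indicator, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("sender-lookalike", f"{sender_domain} imitates {imitated}"))
    for href, text in ANCHOR_RE.findall(body_text(msg)):
        target = host_of(href)
        if urlparse(href.strip()).scheme == "http":
            findings.append(("plain-http-link", href))
        if target in SHORTENERS:
            findings.append(("shortened-link", href))
        imitated = lookalike_of(target)
        if imitated:
            findings.append(("lookalike-link", f"{target} imitates {imitated}"))
        shown = URL_RE.search(TAG_RE.sub("", text))  # the address the reader sees
        if shown and host_of(shown.group(0)) != target:
            findings.append(("link-text-mismatch", f"shows {host_of(shown.group(0))}, goes to {target}"))
    return findings


# Constructed samples, not real messages. The backslash after the opening quotes keeps
# the first header on the first line, which the parser requires.
PHISH_SUBDOMAIN_TRICK = """\
From: "Example Bank Security" <alerts@example-bank.com.account-check.net>
Subject: Your account has been locked
Content-Type: text/html; charset=utf-8

<p>Confirm your details within 24 hours or lose access:</p>
<a href="http://bit.ly/demo-constructed">https://www.example-bank.com/login</a>
"""

PHISH_HOMOGLYPH = """\
From: IT Helpdesk <helpdesk@examp1e-bank.com>
Subject: Password expiry
Content-Type: text/html; charset=utf-8

<p>Your password expires today.</p><a href="https://secure.examp1e-bank.com/reset">Reset password</a>
"""

LEGITIMATE = """\
From: Statements <notices@example-bank.com>
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<a href="https://www.example-bank.com/statements">View statement</a>
"""
```

Run `analyse_email` over each sample: the two constructed lures each produce findings, the genuine notice produces none.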
Combating Cyber Crimes
Spear Phishing and Counter Measures
• A Spear Phishing Attack is much like a Phishing attack, but this time more targeted and focused on a highly privileged employee of the company such as the CEO/Managing Director.
• The scenario is to gather some information about that high-profile Executive and then use the details to impersonate the Executive in order to obtain more targeted information for malicious intents.
• The Counter Measures against Spear Phishing still boil down to Security Awareness.
• Ensure adequate non-disclosure undertakings are in place with all employees of the company.
• Employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://
• Do thorough background checks on the help desk Team and the Team members working with the high-profile Officer such as the CEO/MD and others. A more targeted Non-disclosure undertaking should be signed by each person on assuming duties.
• Use Spear Phishing drills to test the level of knowledge of each member of staff.
• Employees need a level of alertness and discernment to recognise where an unsuspected attacker is steering them, both in Phone conversations and elsewhere.
Combating Cyber Crimes
Dumpster Diving And Counter Measures
• Dumpster Diving is the process of gathering unauthorised company Information from the garbage bin or trash can, for the purpose of either using it with malicious intent or disclosing it to an unauthorised third party.
• The motive behind Dumpster Diving could be to source information for benchmarking or competing with another company. It could be an avenue for handing customer information to a competitor for all sorts of malicious intents.
• Dumpster Diving in most cases is seen as legal but could be unethical. This could be because the information gathered has, in most cases, already been discarded and trashed.
• Some consequences of Dumpster Diving could be a reduced customer base or a damaged company image, resulting from the information the attacker has obtained.
• To Counter Dumpster Diving, always use your paper shredders. Shred your discarded hard-copy information; it does not really matter whether it is deemed sensitive or not, just make shredding part of the Corporate culture.
• Security Awareness on keeping documents intact is also a non-negotiable key.
Combating Cyber Crimes :
Watering Holes and Counter Measures
• A Watering Hole Attack is a more focused and sponsored attack: the attacker takes time to study the targeted company’s website for vulnerabilities, with the intent of injecting malicious code into the web pages of the website.
• When the Users of the victim company open the pages of the website as part of their usual job routine, the injected malicious code drops Trojans, which would spread like a botnet to other systems on the network.
• The Attacker uses this as a way of exploiting vulnerabilities that are unknown to the victim but have been detected by the Attacker.
• The potential Victim System that is used to spread the Trojan is known as the Watering Hole.
• The consequence of a Watering Hole is that the Vulnerability is a Zero-day (unknown), and it would be difficult for the Victim Company to recover from the Trojan once it has spread.
• To Counter the effect of a Watering Hole, ensure your systems are updated at both the application and Operating System levels. Most Updates could head off such Zero-day attacks.
• Security Awareness is also key here: the attackers target careless and weak Users and use them to trigger and spread the malicious code.
• Carefulness and Non-disclosure of Log-in credentials should apply here.
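As an added example (not part of the original slides), the Python script below illustrates a detective counter measure for the injection described above: it profiles a page’s script and iframe sources and its inline scripts, then reports anything present in the live copy that was absent from a known-good baseline taken at deployment time. The site host, the allowed script hosts and all three HTML pages are assumptions constructed for the demo.

```python
"""Watering-hole integrity check against a known-good copy of a page (added example).
The site host, the allowed script hosts and the HTML samples are constructed for the demo."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example-corp.com"                          # the company's own site (assumed)
ALLOWED_SCRIPT_HOSTS = {SITE_HOST, "cdn.example-corp.com"}  # hosts scripts may legitimately load from


class ScriptProfile(HTMLParser):
    """Collects every external script/iframe source and a hash of every inline script."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline_hashes = set()
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.external.add(attrs["src"])
        elif tag == "script":
            self._in_script, self._buf = True, []  # inline script: capture its body
        elif tag == "iframe" and attrs.get("src"):
            self.external.add(attrs["src"])

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            self.inline_hashes.add(hashlib.sha256(body.encode()).hexdigest())


def profile(html):
    """Return (external sources, inline-script hashes) for one HTML document."""
    parser = ScriptProfile()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def source_host(src):
    """Host a source loads from; relative URLs resolve to the site itself, '//host/x' to host."""
    return (urlparse(src).hostname or SITE_HOST).lower()


def compare(baseline_html, current_html):
    """Return (finding, detail) pairs for anything in the live page that the baseline lacks."""
    base_ext, base_inline = profile(baseline_html)
    cur_ext, cur_inline = profile(current_html)
    findings = []
    for src in sorted(cur_ext - base_ext):
        kind = "new-allowed-source" if source_host(src) in ALLOWED_SCRIPT_HOSTS else "new-offsite-source"
        findings.append((kind, src))
    for digest in sorted(cur_inline - base_inline):
        findings.append(("new-inline-script", digest[:16]))  # short id of the unknown script
    return findings


# Constructed pages. BASELINE_PAGE stands for the known-good copy taken at deployment time.
BASELINE_PAGE = """<html><head><title>Example Corp</title>
<script src="/static/app.js"></script>
<script>window.appVersion = "1.4";</script>
</head><body><h1>Welcome</h1></body></html>"""

# A legitimate release that adds a script served from the company's own CDN.
UPDATED_PAGE = BASELINE_PAGE.replace(
    "</head>", '<script src="https://cdn.example-corp.com/analytics.js"></script></head>')

# The same page after an injection: an off-site script, a hidden iframe and new inline code.
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="//stats-collect.example.net/t.js"></script>'
    '<iframe src="https://promo-pages.example.net/landing.html" width="0" height="0"></iframe>'
    '<script>var s=document.createElement("script");s.src="//stats-collect.example.net/u.js";</script>'
    "</body>")

if __name__ == "__main__":
    for label, page in [("updated", UPDATED_PAGE), ("tampered", TAMPERED_PAGE)]:
        print(label, compare(BASELINE_PAGE, page) or "no changes")
```

Run on a schedule against each page of the public site, the off-site findings are what an injected loader looks like, while an allowed-host finding is a release to confirm with the web team.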
Combating Cyber Crimes:
Tailgating (Piggybacking) and Counter Measures
• Tailgating, also known as Piggybacking, is a process where an attacker or unauthorised Person tries to use the entry access right of an authorised Person to gain entrance into a building or an Office.
• The unauthorised Person would in most cases pretend to be in a hurry or carrying a heavy load and try to persuade the authorised Person to hold the door for him/her to follow through.
• The authorised Person in turn would innocently take pity and eventually allow the unauthorised Person into the building or Office.
• The Consequence is that the unauthorised Person gains unauthorised access to the building and then carries out his malicious intent thereof. It could be to steal, or to get information from innocent employees.
• To Counter Tailgating attacks, use dead-man doors that would only admit one person at a time.
• Security Awareness is another key: employees should look behind and around them before going through such entrances.
• Electronic doors with fingerprint access rights or swipe cards should also be promoted; with these, employees could easily be tracked and cautioned when they allow unauthorised access.
Combating Cyber Crimes:
Pretexting and Counter Measures
• Pretexting is a process where the Attacker uses partial scripts or a well-articulated scenario to deceive the Target User (Victim) into giving up further information that completes the Attacker’s script and in turn grants the Attacker unauthorised access.
• In Pretexting, the Attacker takes time to build the access script, manipulating the Victim with plausible reasons to hand over the remaining information that would eventually get the Attacker into the target system or building.
• The intention of the Attacker is to gain access to sensitive information by pretending to be an authorised User or Vendor.
• The Attacker could impersonate, for example, an External IT Vendor or a reputable agency and manipulate the Victims into believing the Attacker’s intent is genuine.
• The Attacker could also gather information about the Target Server and the necessary details Online, use that information to access the Server online and then launch further attacks.
• A good example is the case of attackers pretending to be representatives of Modelling agencies and escort services, who requested nude pictures from Victims (who happened to be girls), deceiving them into thinking they were being done a favour, only for these bad guys to use the nude pictures for pornography and other evil acts (https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.7e42bd145640).
• The Consequence of Pretexting is Information Theft, which could further affect the reputation of the company, and other damage centred around the Attacker’s malicious aim.
• To Counter Pretexting, harden your Online Platforms and train your employees accordingly.
Combating Cyber Crimes :
Baiting and Counter Measures
• Baiting is another form of tricking employees and individuals into allowing the Attacker unauthorised access to systems through the offer of a gift.
• A Baiter could promise a Victim a gift if the Victim supplies his Log-in details via a link provided by the Attacker. The gift could be the download of a promising Mobile App or Music.
• The aim is to use gifts to entice the Victim into giving up information the Attacker is not authorised to have.
• A good example is that of attackers who pretended to be promoting their customised USB devices, but on the USB device was a malware script embedded in a well-designed image, such that when the image was opened it triggered the malware script, which in turn sent the details of the Victim’s system, including the Password and the Name of the System, to the email address of the Attacker. Those who received the USB devices as a gift would unsuspectingly open the embedded script and have their system details sent online to the Attacker (http://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1).
• The consequence of Baiting is that the Attacker gains undue information that would be used to launch a more targeted and dangerous attack.
• To Counter Baiting Attacks, Users should be trained on Integrity and security consciousness, and perimeter defences such as Firewalls should be in place. It is important to keep the Anti Virus Software on the systems updated.
Combating Cyber Crimes:
Quid Pro Quo and Counter Measures
• Quid Pro Quo is much like Baiting, but with the promise of a service or benefit from the Attacker once the Victims have innocently granted them undue Access.
• The Attacker could pretend to be an IT Service Provider offering IT support, and deceive the Victim on that basis.
• The Victim would further be deceived into uninstalling genuine software such as the Anti Virus from the Victim’s System and replacing it with Malware or a fraudulent program under the guise of an Update.
• Quid Pro Quo Attackers could talk the Victims into disabling their Anti Virus Software.
• The Consequence could be fraud and a complete shutdown of systems.
• To Counter Quid Pro Quo attacks, Users should be conscious of the risk, promote a culture of integrity and refuse to be enticed with benefits of any kind just to gain a service.
• Companies should engage Service Providers and ensure the servicing of the systems is restricted to them.
• On no condition should unauthorised external Parties be allowed to work on individual systems.
• Non-disclosure undertakings should be firmly in place.
Combating Cyber Crimes:
In Summary
Most Common Social Engineering Cyber Crimes
• Phishing
• Spear Phishing
• Dumpster Diving
• Tailgating or Piggybacking
• Watering Holes
• Pretexting
• Baiting
• Quid Pro Quo
• Whaling
• Shoulder Surfing
• Others
Social Engineering Counter Measures
• Social Engineering Counter Measures are more or less applied from the same perspective.
• The Counter Measures are mostly preventive.
• Adequate Training and employees driven by a good Integrity Culture would mitigate Social Engineering attacks faster.
• Users should focus on using more secure web sites, with https:// and not http://.
• Users should be drilled with Phishing Campaigns to enable easy assessment of their Cyber Security Consciousness.
• Companies/Users should run with up-to-date security Policies, Patches and Anti-Malware.
• The human element is the weakest link in Cyber Security; Non-disclosure Undertakings and the necessary background checks should apply.
• Other Layers of Security and the Concept of Defence in Depth should also apply, in case the attackers breach the preventive layer of the security Measures.
• Spam Filters, Mail Relaying, Firewalls and other Counter Measures should also apply.
• A level of Sanction should apply in cases of breaches caused by Employees.
See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE

Weitere ähnliche Inhalte

Mehr von Chinatu Uzuegbu

Business Process Revamp is Paramount in 2024.pdf
Business Process Revamp is Paramount in 2024.pdfBusiness Process Revamp is Paramount in 2024.pdf
Business Process Revamp is Paramount in 2024.pdfChinatu Uzuegbu
 
Preventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdfPreventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdfChinatu Uzuegbu
 
Securing The Clouds Proactively-BlackisTech.pptx
Securing The Clouds Proactively-BlackisTech.pptxSecuring The Clouds Proactively-BlackisTech.pptx
Securing The Clouds Proactively-BlackisTech.pptxChinatu Uzuegbu
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfChinatu Uzuegbu
 
World Password Management Day, 2023.pdf
World Password Management Day, 2023.pdfWorld Password Management Day, 2023.pdf
World Password Management Day, 2023.pdfChinatu Uzuegbu
 
The Nigerian Cybersecurity Space-How Regulated Are We?
The Nigerian Cybersecurity Space-How Regulated Are We?The Nigerian Cybersecurity Space-How Regulated Are We?
The Nigerian Cybersecurity Space-How Regulated Are We?Chinatu Uzuegbu
 
Fundamentals for Stronger Cloud Security2.pdf
Fundamentals for Stronger Cloud Security2.pdfFundamentals for Stronger Cloud Security2.pdf
Fundamentals for Stronger Cloud Security2.pdfChinatu Uzuegbu
 
Effectiveness of Cyber Security Awareness.pdf
Effectiveness of Cyber Security Awareness.pdfEffectiveness of Cyber Security Awareness.pdf
Effectiveness of Cyber Security Awareness.pdfChinatu Uzuegbu
 
What The Cyber Entails-2.pdf
What The Cyber Entails-2.pdfWhat The Cyber Entails-2.pdf
What The Cyber Entails-2.pdfChinatu Uzuegbu
 
What The Cyber Entails-1.pdf
What The Cyber Entails-1.pdfWhat The Cyber Entails-1.pdf
What The Cyber Entails-1.pdfChinatu Uzuegbu
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfChinatu Uzuegbu
 
Identity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfIdentity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfChinatu Uzuegbu
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatuChinatu Uzuegbu
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.Chinatu Uzuegbu
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimesChinatu Uzuegbu
 
Cyber Security Awareness Month 2017-Wrap-Up
Cyber Security Awareness Month 2017-Wrap-UpCyber Security Awareness Month 2017-Wrap-Up
Cyber Security Awareness Month 2017-Wrap-UpChinatu Uzuegbu
 
Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Chinatu Uzuegbu
 
Cyber crime (prohibition,prevention,etc)_act,_2015
Cyber crime (prohibition,prevention,etc)_act,_2015Cyber crime (prohibition,prevention,etc)_act,_2015
Cyber crime (prohibition,prevention,etc)_act,_2015Chinatu Uzuegbu
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Chinatu Uzuegbu
 
Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2Chinatu Uzuegbu
 

Mehr von Chinatu Uzuegbu (20)

Business Process Revamp is Paramount in 2024.pdf
Business Process Revamp is Paramount in 2024.pdfBusiness Process Revamp is Paramount in 2024.pdf
Business Process Revamp is Paramount in 2024.pdf
 
Preventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdfPreventing Cloud Data Breaches.pdf
Preventing Cloud Data Breaches.pdf
 
Securing The Clouds Proactively-BlackisTech.pptx
Securing The Clouds Proactively-BlackisTech.pptxSecuring The Clouds Proactively-BlackisTech.pptx
Securing The Clouds Proactively-BlackisTech.pptx
 
Securing The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdfSecuring The Clouds with The Standard Best Practices-1.pdf
Securing The Clouds with The Standard Best Practices-1.pdf
 
World Password Management Day, 2023.pdf
World Password Management Day, 2023.pdfWorld Password Management Day, 2023.pdf
World Password Management Day, 2023.pdf
 
The Nigerian Cybersecurity Space-How Regulated Are We?
The Nigerian Cybersecurity Space-How Regulated Are We?The Nigerian Cybersecurity Space-How Regulated Are We?
The Nigerian Cybersecurity Space-How Regulated Are We?
 
Fundamentals for Stronger Cloud Security2.pdf
Fundamentals for Stronger Cloud Security2.pdfFundamentals for Stronger Cloud Security2.pdf
Fundamentals for Stronger Cloud Security2.pdf
 
Effectiveness of Cyber Security Awareness.pdf
Effectiveness of Cyber Security Awareness.pdfEffectiveness of Cyber Security Awareness.pdf
Effectiveness of Cyber Security Awareness.pdf
 
What The Cyber Entails-2.pdf
What The Cyber Entails-2.pdfWhat The Cyber Entails-2.pdf
What The Cyber Entails-2.pdf
 
What The Cyber Entails-1.pdf
What The Cyber Entails-1.pdfWhat The Cyber Entails-1.pdf
What The Cyber Entails-1.pdf
 
Combating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdfCombating Cyber Crimes Proactively.pdf
Combating Cyber Crimes Proactively.pdf
 
Identity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdfIdentity & Access Management Day 2022.pdf
Identity & Access Management Day 2022.pdf
 
Combating cyber crimes chinatu
Combating cyber crimes chinatuCombating cyber crimes chinatu
Combating cyber crimes chinatu
 
Understanding Identity Management and Security.
Understanding Identity Management and Security.Understanding Identity Management and Security.
Understanding Identity Management and Security.
 
Practical approach to combating cyber crimes
Practical approach to combating cyber crimesPractical approach to combating cyber crimes
Practical approach to combating cyber crimes
 
Cyber Security Awareness Month 2017-Wrap-Up
Cyber Security Awareness Month 2017-Wrap-UpCyber Security Awareness Month 2017-Wrap-Up
Cyber Security Awareness Month 2017-Wrap-Up
 
Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6
 
Cyber crime (prohibition,prevention,etc)_act,_2015
Cyber crime (prohibition,prevention,etc)_act,_2015Cyber crime (prohibition,prevention,etc)_act,_2015
Cyber crime (prohibition,prevention,etc)_act,_2015
 
Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3Cyber Security Awareness Month 2017-Nugget 3
Cyber Security Awareness Month 2017-Nugget 3
 
Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2Cyber Security Awareness Month 2017- Nugget2
Cyber Security Awareness Month 2017- Nugget2
 

KĂźrzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 

KĂźrzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf

Cyber Security Awareness Month 2017-Nugget 5

1. Cyber Security Awareness Month 2017: Nugget 5
Combating Cyber Crimes 1 (Social Engineering)
Chinatu Uzuegbu
Cyber Security Consultant
CISSP, CISM, CISA, CEH, ITIL, MCSE, MCDBA
2. Previous Nugget Recap
• We looked at how the measures of protection could be ascertained using some Vulnerability/Risk Assessment Methodologies.
• We discussed Vulnerabilities, Threats and Risks extensively.
• We looked at how we could tie the cost of each Security measure to the actual value of the Assets.
• We looked at the Risk Equation, Risk Responses and Risk Analysis.
• We understood that Risks are attended to based on the result of the Risk Responses and the Risk Analysis.
• We determined the Cost of the Counter Measure, which would be compared with the Actual Value of the Asset. A Counter Measure is proffered if the Actual Value of the Asset and the Annual Loss Expectancy are less than the Cost of the Counter Measures.
• We finally looked at some basic facts in Risk Management.
3. In This Nugget: Combating Cyber Crimes
• We would take it up from the previous Nugget, where we discussed the Vulnerabilities, the Threats and the Risks that arise when the Vulnerabilities are exploited by Threats.
• We would now look at the various Cyber Threats and the corresponding Counter Measures to combat them.
• The Counter Measures could be Preventive, Detective, Deterrent, Corrective, Recovery, Restoration, Compensative and Directive.
• The aim of the Counter Measures is to assure that the Assets are protected with adequate measures of Confidentiality, Integrity and Availability (CIA Triad), as the case may be.
• Most of the Threats we would look at are categorised into Social Engineering, Denial of Service, Malware, Unauthorised Access breaches, Perimeter breaches, Un-Authentications, Outbound and Inbound, Zero-Day and Others.
• We would finally present the Threats with their corresponding Counter Measures in a Tabular Layout.
4. Combating Cyber Crimes: Social Engineering
• Social Engineering is the use of trickery by an Attacker to collect sensitive information from a Victim.
• It can also be described as the use of legitimate means, such as a company's website, to innocently launch an illegitimate website when a link on the company's website is clicked.
• Social Engineering attacks do not require any technical know-how, only a little skill in tricking the Victim and playing on the Victim's intelligence.
• Social Engineering techniques are among the easiest ways for an Attacker to gain access to unauthorised information; in fact it has been steadily reported that Social Engineering attacks are the most common and successful Cyber attacks, accounting for about 91% of Cyber attacks.
• It is important that in Cyber Security no one should be trusted; a little psyching by an unsuspected hacker could unleash highly sensitive information into the hands of the Attacker.
• It is also important to note that humans (employees) are the weakest link in Cyber Security; they could be used and brainwashed at any point in time.
• Social Engineering Attacks include: Phishing, Spear Phishing, Pharming, Dumpster Diving, Shoulder Surfing, Watering Holes, Pretexting, Tailgating or Piggybacking, Whaling, Baiting, Quid Pro Quo and Others.
• We would discuss each of these attacks and their corresponding Counter Measures in the subsequent slides.
5. Combating Cyber Crimes: Phishing and Counter Measures
• Phishing is the act of using emails, messages or any other communication medium to trick a Victim into supplying personal information, typically by clicking on a malicious link in the message.
• The personal information supplied is then used by the Attacker to infer further information, such as Log-in details, which is used for other malicious acts against the Victim. The information could also be used to extract information from Social Media.
• The personal information could be the Credit/Debit card details of the Victim, the names of the Victim, or company details such as IP addresses.
• The messages and emails are composed so convincingly that the Victim feels there is no choice but to feed in the requested information. In most cases the Attackers use well-known details of the company, such as its domain name, to make the message more enticing.
• In most cases the Attackers use a shortened web address or embed links that re-direct Victims to a malicious site hosting scripts that trigger further attacks and exploits.
• The main Counter Measure against Phishing attacks is Training and Security Awareness Courses.
• It is advisable to run Phishing campaigns to drill staff and measure the level of Security knowledge acquired.
• Downloading attachments or clicking on links in such emails should be avoided.
• The company should deploy spam filters and a firewall to filter out such emails and keep them out of employees' reach.
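Added example, not from the original deck: a small Python checker written from the spam-filter side that flags the link tricks this slide describes (shortened addresses, links whose visible text shows one address while the href goes elsewhere, the company's domain name reused inside a look-alike host, and plain http links). The company domain, the shortener list and the sample message are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed for this example: a hypothetical company domain and a few shorteners.
COMPANY_DOMAIN = "example-bank.com"
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}
class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def _host(value):
    """Lower-cased host of a URL, or of URL-looking text such as 'www.x.com/y'."""
    value = value if "://" in value else "http://" + value
    return (urlparse(value).hostname or "").lower()
def _same_site(a, b):
    """True when the two hosts belong to the same site, ignoring a leading www."""
    a, b = re.sub(r"^www\.", "", a), re.sub(r"^www\.", "", b)
    return a == b or a.endswith("." + b) or b.endswith("." + a)
def check_email_links(html_body, company_domain=COMPANY_DOMAIN):
    """Return [(href, [warnings])] for each link; an empty list means clean."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    brand, findings = company_domain.split(".")[0], []
    for href, text in parser.links:
        host, warnings = _host(href), []
        if urlparse(href).scheme != "https":
            warnings.append("link is not https")
        if host in SHORTENERS:
            warnings.append("shortened URL hides the real destination")
        # Visible text looks like an address but the href goes elsewhere.
        text_host = _host(text) if re.search(r"[\w-]+\.[a-z]{2,}", text) else ""
        if text_host and not _same_site(host, text_host):
            warnings.append(f"displayed {text_host} but goes to {host}")
        if brand in host and not _same_site(host, company_domain):
            warnings.append(f"look-alike domain {host}")  # company name, foreign host
        findings.append((href, warnings))
    return findings
# Constructed sample message: a look-alike link, a shortened link and a genuine one.
SAMPLE_EMAIL = """<p>Dear customer, please verify your account.</p>
<a href="http://example-bank.com.evil-host.io/verify">www.example-bank.com/verify</a>
<a href="https://bit.ly/3abcXYZ">Update your details</a>
<a href="https://example-bank.com/help">https://example-bank.com/help</a>"""
```

Running `check_email_links(SAMPLE_EMAIL)` flags the first link three times (http, mismatched display text, look-alike host), the second once (shortener) and leaves the genuine link clean.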
6. Combating Cyber Crimes: Spear Phishing and Counter Measures
• A Spear Phishing Attack is much like a Phishing attack, but this time more targeted and focused on a highly privileged employee of the company such as the CEO/Managing Director.
• The scenario is to get some information about that high-profile Executive and then use the details to impersonate the Executive in order to get more targeted information for malicious intents.
• The Counter Measures against Spear Phishing still boil down to Security Awareness.
• Ensure adequate non-disclosure undertakings are in place with all employees of the company.
• Employees must be trained to question and validate unprompted links by calling the sender, sending a separate follow-up email or checking via services such as https://
• Do thorough background checks on the Help Desk Team or the Team members working with the high-profile Officer such as the CEO/MD. A more targeted non-disclosure undertaking should be signed by each such person on assuming duties.
• Use Spear Phishing drills to test the level of knowledge of each staff member.
• Maintain a level of alertness and judgement in discerning the intentions of unsuspected attackers, in phone conversations and elsewhere.
7. Combating Cyber Crimes: Dumpster Diving and Counter Measures
• Dumpster Diving is the process of gathering unauthorised company information from the garbage bin or trash can, either for a malicious purpose or to disclose it further to an unauthorised third party.
• The motive behind Dumpster Diving could be to source information for benchmarking against or competing with another company. It could be an avenue for handing customer information to a competitor for all sorts of malicious intents.
• Dumpster Diving is in most cases seen as legal but could be unethical, because the information gathered has in most cases been discarded and trashed.
• Some consequences of Dumpster Diving could be a reduced customer base and damage to the image of the company through the information the Attacker has obtained.
• To counter Dumpster Diving, always engage your paper shredders. Shred your discarded hard-copy information; it does not really matter whether it is deemed sensitive or not, just imbibe shredding as part of the Corporate culture.
• Security Awareness on keeping documents intact is also a non-negotiable key.
8. Combating Cyber Crimes: Watering Holes and Counter Measures
• A Watering Hole Attack is a more focused and sponsored attack: the Attacker takes time to study the website of the targeted company for vulnerabilities with the intent of injecting malicious code into the web pages of the website.
• When the Users of the victim company open the pages of the website as part of their usual job routine, the malicious code inserted triggers Trojans which spread like a botnet to other systems on the network.
• The Attacker uses this as a way of exploiting vulnerabilities unknown to the company but detected by the Attacker.
• The potential Victim system used to spread the Trojan is known as the Watering Hole.
• The consequence of a Watering Hole is that the Vulnerability is a Zero-day (unknown) one, and it would be difficult for the victim company to find its footing again after the diffused Trojan.
• To counter the effect of Watering Holes, ensure your systems are updated at both the application and Operating System levels. Most updates could bypass such Zero-day attacks.
• Security Awareness is also key here: the Attackers target careless and weak Users and use them to trigger and spread the malicious code.
• Carefulness and non-disclosure of Log-in credentials should apply here.
9. Combating Cyber Crimes: Tailgating (Piggybacking) and Counter Measures
• Tailgating, also known as Piggybacking, is a process where an Attacker or unauthorised Person tries to use the entry access right of an authorised Person to gain entrance into a building or an Office.
• The unauthorised Person would in most cases pretend to be in haste or carrying a heavy load, and try to persuade the authorised Person to hold the door for him/her to join.
• The authorised Person in turn would play along out of innocent pity and eventually allow the unauthorised Person entrance into the building or Office.
• The consequence is that the unauthorised Person gains unauthorised access into the building and then launches his malicious intent from there. It could be to steal or to get information from the innocent employees.
• To counter Tailgating attacks, use dead-man doors that admit only one person at a time.
• Security Awareness is another key: employees should look behind and beside them before such entrances.
• Electronic doors with fingerprint access rights or swipe cards should also be promoted; with these, employees could easily be tracked and cautioned when allowing unauthorised accesses.
10. Combating Cyber Crimes: Pretexting and Counter Measures
• Pretexting is a process where the Attacker uses partial scripts or an articulated scenario to pretend and deceive the Target User (Victim) into giving further information that completes the Attacker's script and in turn grants the Attacker unauthorised access.
• In Pretexting, the Attacker takes time building the access script, manipulating the Victim with reasons to grant the remaining information that would eventually let the Attacker access the target system or building.
• The intention of the Attackers is to have access to sensitive information by pretending to be an authorised User or Vendor.
• The Attacker could impersonate an external IT Vendor or a reputable agency and manipulate the Victims into believing the intents of the Attacker are pure.
• The Attacker could also try to get information about the Target Server and the necessary details online, use the information to access the Server online, and then launch further attacks.
• A good example is the case of attackers pretending to be representatives of modelling agencies and escort services requesting nude pictures of the Victims, who happened to be girls; they deceived them into thinking they were doing them a sort of good, only for these bad guys to use the nude pictures for pornography and other evil acts (https://www.washingtonpost.com/news/the-intersect/wp/2014/10/07/forget-celebgate-hackers-are-gunning-for-the-nude-photos-of-ordinary-women-and-underage-girls/?utm_term=.7e42bd145640).
• The consequence of Pretexting is information theft that could further affect the reputation of the company, and other damages centred around the Attacker's malicious aim.
• To counter Pretexting, harden your online platforms and train your employees accordingly.
11. Combating Cyber Crimes: Baiting and Counter Measures
• Baiting is another form of tricking employees and individuals into allowing the Attacker unauthorised access to the systems through the offer of a gift.
• A Baiter could promise to offer a Victim a gift if the Victim supplies his Log-in details to a link provided by the Attacker. The gift could be a download of a promising Mobile App or Music.
• The aim is to use gifts to entice the Victim so as to acquire unauthorised information.
• A good example is that of attackers who pretended to be promoting their customised USB devices, but on the USB device was a malware script embedded in a well-designed image, such that when the image was opened it triggered the malware script, which in turn sent the details of the Victim's system, including the Password and the Name of the System, to the email address of the Attacker. As many as received the USB devices as gifts and opened the image had their system details sent online to the Attacker (http://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1).
• The consequence of Baiting is the gain of undue information that would be used to launch a more targeted and dangerous attack.
• To counter Baiting attacks, Users should be trained on integrity and security consciousness, and perimeter defences such as Firewalls should be in place. It is important to keep the Anti Virus Software on the systems up to date.
12. Combating Cyber Crimes: Quid Pro Quo and Counter Measures
• Quid Pro Quo is much like Baiting, but with the promise of a service or benefit from the Attacker after the Victims have innocently granted them undue access.
• The Attacker could pretend to be an IT Service Provider and deceive the Victim, who has IT support in mind.
• The Victim would further be deceived into replacing authentic software such as Anti Virus on the Victim's System with Malware or a fraudulent program under the guise of an Update.
• Quid Pro Quo Attackers could talk the Victims into disabling their Anti Virus Software.
• The consequence could be fraud and a complete shutdown of systems.
• To counter Quid Pro Quo attacks, Users should be conscious, promote a culture of integrity and refuse to be enticed with benefits of any kind just to gain a service.
• Companies should engage Service Providers and ensure the servicing of the systems is restricted to them.
• On no condition should unauthorised external parties be allowed to work on individual systems.
• Non-disclosure undertakings should firmly be in place.
13. Combating Cyber Crimes: In Summary
Most Common Social Engineering Cyber Crimes
• Phishing
• Spear Phishing
• Dumpster Diving
• Tailgating or Piggybacking
• Watering Holes
• Pretexting
• Baiting
• Quid Pro Quo
• Whaling
• Shoulder Surfing
• Others
Social Engineering Counter Measures
• Social Engineering Counter Measures are more or less applied from the same perspective.
• The Counter Measures are mostly preventive.
• Adequate Training and employees driven by a good integrity culture would mitigate Social Engineering attacks faster.
• Users should focus on using more secure web sites with https:// and not http://.
• Users should be drilled with Phishing Campaigns to enable easy assessment of their Cyber Security consciousness.
• Companies/Users should run with up-to-date Security Policies, Patches and Anti-Malware.
• Humans are the weakest link in Cyber Security; non-disclosure undertakings and the necessary background checks should apply.
• Other layers of Security and the concept of Defence in Depth should also apply in cases where the Attackers could breach the preventive layer of the Security Measures.
• Spam Filters, Mail Relaying, Firewalls and other Counter Measures should also apply.
• A level of sanction should apply in cases of breaches caused by Employees.
14. See You in the Next Nugget!
Thank You
Chinatu Uzuegbu
CISSP, CISM, CISA, CEH, ITIL, MCSE