- Understanding and avoiding social engineering
In the context of information security, social engineering refers to the psychological manipulation of a person to perform an action or divulge confidential material. It is a fraudulent means to gather information or access a system and is often one of the many steps taken in a more complex fraud scheme. Social engineering tactics sometimes rely on an individual’s kindness and empathy, as well as their weaknesses, or can be blatantly deceitful and dishonest. This module aims to provide a good understanding of what social engineering is and provides several contexts of where and how it can be detected. It arms the participants with vigilance against social manipulation, whether it be physical or digital.
- Pharming, Spear Phishing, Whaling and Vishing attacks
Phishing is a cyber-attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment. What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It is the most widespread and malicious, with phishing messages and techniques becoming increasingly sophisticated. This module trains the participants to spot techniques used by hackers and guides them through several procedural checks to perform before opening links or attachments.
Pharming attacks are typically widespread, where a hacker sends the same email to a multitude of recipients and waits to see which recipients take the bait. Spear phishing attacks are onslaughts that are cleverly researched and that target an individual’s weaknesses or Achilles heel (so to speak). With the advent of social media, people’s interests are publicly available to everyone for consumption. This makes the hacker’s task extremely easy when engineering a crafty spear-phishing attack. Whaling is a specific form of phishing that’s targeted at high-profile business executives, managers, and the like. It’s different from ordinary phishing in that with whaling, the emails or web pages serving the scam take on a more official or serious look and are usually targeting someone in particular. Examples of each attack are thoroughly explained in this module.
- Physical Security
The greatest risk that individuals pose to organisations is falling prey to ransomware attacks. These can be executed by hackers physically or via email attachments. Hackers will typically leave USB sticks, containing a few viral executable files, lying around the organisation. Once launched and executed, the virus takes all the system files and encrypts them to the point that they are no longer recognizable, as shown in the image alongside. The hacker then requests payment in a currency (bitcoins) to receive a code to restore the files. This module explains the travesties that many organisations have suffered by falling victim to this kind of social engineering attack and also provides advice on how to protect against it.
- Password Protection and Management
Passwords are commonly used to gain entry to networks and to various Internet accounts, authenticating the user who is accessing the website. Password protection policies should be in place at organisations so that personnel know how to create a password, how to store their password and how often to change it. This module educates participants on password protection as well as password management.
- Personal Security
With the plethora of digital devices at our disposal, we are all exposed to cyber-crime in our own personal capacity. This module educates the participants on how to manage their devices and keep them updated with security patches, and provides a basic understanding of the problems that may arise from installing unauthorised software, amongst many other items to protect themselves against.