- Social Engineering: The use of social skills by an attacker to convince their target to carry out an action of the attacker's choosing. This could be handing over sensitive information, sending money or even providing physical access to a restricted space.
- Phishing: A subset of social engineering that lures individuals into providing sensitive information. Phishing can take numerous forms such as email, text or phone call and preys on human traits like fear, greed and trust to trick targets.
- Hacking: Less dependent on human interaction. The targeting and compromise of electronic devices, taking advantage of software vulnerabilities, misconfigurations and unpatched systems to gain unauthorised access.
The below is an episode from the podcast Darknet Diaries with guest Chris Hadnagy, an ethical social engineer. Whilst the full episode is well worth a listen, we're going to focus on a small section starting at timestamp 54:12 which contains a real-world phone call made as part of a commissioned social engineering attack initiated by a phishing email.
Passwords. The average person manages up to 100 passwords and it's important that no two of them are the same. You don't want the password to your bank or your job ending up in the hands of a hacker all because you reused it at an online store that has much weaker security and suffered a data breach.
Have I Been Pwned is a website that stores records of known data breaches and allows anyone to search both email addresses and passwords to check whether they've appeared in a previous breach. It's a great resource that can help you pick more secure passwords and find out whether any of your current accounts are at risk.
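As an added example (not part of the original article), here is a small Python client for the Have I Been Pwned Pwned Passwords range API, which lets you check a password without ever sending it anywhere: only the first five characters of its SHA-1 hash leave your machine, and matching is done locally on the returned suffixes. The sample response and its breach counts below are constructed for illustration and are not real data from the service.

```python
import hashlib
from urllib.request import Request, urlopen

# Constructed sample of what the range endpoint returns for one 5-char prefix:
# each line is "<remaining 35 hex chars of a SHA-1>:<number of breaches seen in>".
# The counts here are made up for the example, not real HIBP figures.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
011053FD0102E94D6AE2F8B83D76FAF94F6:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Only the 5-character prefix is ever sent to the API (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response into {suffix: breach_count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Match the local hash suffix against a range response for its prefix.
    Returns 0 when the password was not found in that range."""
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (network access required)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "hibp-range-demo"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password_online(password: str) -> int:
    """End-to-end check: hash locally, send only the prefix, match locally."""
    prefix, _ = split_sha1(password)
    return breach_count(password, fetch_range(prefix))
```

A non-zero result means the password has appeared in a known breach and should not be used anywhere, even if the specific account has not been compromised.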
Multi-factor Authentication. In the event your password does get stolen, using MFA stops someone from being able to log in to your accounts by requiring a second authentication step. If you have an account somewhere that offers MFA, use it. Authenticator apps should be used over SMS or email based MFA where possible. If you want to take it a step further, hardware keys such as a YubiKey offer the greatest level of security.
Diligence. Think carefully before you provide your data to anyone or anything asking for it. If you've received an email from a boss or a client requesting sensitive information, ask yourself whether it makes sense for this person to be requesting this data. Could their email have been compromised, with the hackers now targeting you? Is it even their real email address? Equally, if a website is asking for your password, check the domain in the URL bar and make sure you're on the website you think you are. Attackers will often leverage a sense of urgency, so it's important to keep a level head and think things through.
Consequence. A temporary lapse in judgement can have untold consequences, and you don't want to become your own worst enemy. Before you send that next confidential work presentation to your personal email to work on over the weekend, think about what could go wrong if someone gains access to that email account. Before you post your next photo on social media, make sure you haven't left any sensitive documents in the background.