Security Tip - Social Engineering and Phishing

No matter how much expertise and money your agency puts into securing its network and data assets—firewalls, security appliances, encryption, etc.—the human component of the security system is the most critical and quite often the most vulnerable. Social Engineering and Phishing are two techniques employed to attack the human component.

Social Engineering

Social engineering is the use of words and/or actions intended to establish a false sense of trust and confidence. Once trust is established, the attacker's objective is to induce the response they want: disclosure of information, or an action such as resetting a password or opening a door. When an unsolicited contact asks for information, consider whether the person you're talking to actually needs the information they're requesting, whether they are entitled to it, and how an attacker could use it.

Social engineers have repeatedly shown that those who rely on technology alone to protect an IT system and its data are addressing only part of the problem. They discount or ignore the evidence that the human component will always be the weakest link. Technology is important, but minimizing the vulnerability of this weak link is the responsibility of every system user.

Successful social engineering often depends on pressuring the target and not allowing time to think about the decision. If you are dealing with someone and suddenly feel pressured to make a decision or to take some immediate action, stop and ask yourself: where is this pressure coming from, internal or external, and why am I being pressured? Unwarranted pressure is a big red flag and should set off your alarm bells. Be wary when the channel, the sender or the request does not fit the person or organization it claims to come from, for example a request to bypass a normal procedure "just this once." A good personal policy is that when something doesn't seem right, it probably isn't. Trust your gut instincts.

Phishing

Phishing is closely related to social engineering: someone posing as a legitimate contact reaches you by email, telephone or in person in order to lure you into providing sensitive information. The information requested may then be used to access your user account, another user's account or agency assets.

Email phishing attacks often use eye-catching or attention-grabbing statements designed to get your attention immediately. Phishing scams are wide and varied, and typically include an information request from someone claiming to have legitimate authority. A communication that unexpectedly appears in your inbox from a senior agency manager you do not normally deal with directly is a red flag. You may recognize the source, such as your agency's CIO office or IT Security Office, but not the name of the sender. A display name and "From" address are easily forged and are not proof of who sent a message. Unless you are sure, do not respond. If you are not sure, report it.

Many people fall prey to social engineering or phishing attacks because the attackers understand human nature. These are sophisticated people who exploit our desire to be helpful and accommodating. Remember, attackers are skilled at establishing trust and then inducing the response they want.

Protecting yourself and your agency is not rude or hard-hearted. It is prudent. If there is any doubt STOP and contact your ISSO or agency help desk and report it.

The following is a small sampling of techniques employed by attackers. They may not appear to be directly applicable to a government user, but with simple variations these techniques can be, and are, successfully employed against one. Our defense begins with the understanding that we are all targets.

The basic rule is: when in doubt, don’t!

Social Engineering or Phone Phishing

  • Over the telephone the attacker uses the same manipulation of words and/or actions to establish a false sense of trust and confidence, for example by posing as the help desk, a vendor or a senior official. Once the trust is established, the attacker's objective is to induce the response they want. The number shown by caller ID can be spoofed, so it is not proof of who is calling; if in doubt, hang up and call back on a number you already know to be correct.

When you receive an unsolicited contact asking for agency or personal information, consider whether the person actually needs or is entitled to the information they are requesting, and how the information could be employed by an attacker.

Instant Messaging

  • An attacker may employ this helpful and convenient messaging application by sending an instant message containing a link that directs the user to a fake (phishing) website. The message may appear to come from someone you know, and the site behind the link may have the same look and feel as the legitimate website. Never provide personal or agency-specific information to unsolicited sites. If a message is unexpected, do not click on the link; confirm with the sender through a channel you already trust, such as a phone call, before acting.

Web Based Delivery

  • Web based delivery is a more sophisticated phishing technique, also known as a "man-in-the-middle" attack. The phishing system is placed between the user and the legitimate website and relays traffic in both directions, so the user sees the real site's pages and a transaction that appears to succeed. Every detail the user enters, including credentials and transaction data, passes through the phisher's system and is captured without the user knowing about it. Because the user is interacting with the genuine site through the relay, a correct-looking page is not proof that the connection is direct; check that the address in the browser is the one you expect.

Link Manipulation

  • Link manipulation is a variation of the techniques above in which the phisher sends a link to a website. The text of the link shows one address (or a friendly label such as "Click here"), but the underlying link points elsewhere, so when the user clicks the deceptive link it opens the phisher's website instead of the website named in the link.

A commonly used anti-phishing defense is to hover the mouse over the link to view the actual address before clicking. If the address differs from the text, uses a bare IP address, or looks strange in any way, assume it is malicious and don't click it. Shortened or redirecting links hide the final destination, so treat them with the same suspicion.
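The hover check described above (and the same check on a link received by instant message) can be automated when you want to inspect a suspicious message offline or at a mail gateway. The following is an added example written for this page, not code from the original: it pulls every link out of an HTML message body and flags the patterns that most often hide a deceptive destination (displayed address differing from the real one, a bare IP address, user-info before the host, and look-alike non-ASCII host names). The sample message, the host names login.example.gov and evil.example, and the address 198.51.100.7 are constructed for the example and are not real sites.

```python
"""Automate the "hover over the link" check: compare what an e-mail link
shows the reader with where it actually goes.

Added example for this page, not code from the original. SAMPLE_MESSAGE
and all host names in it are constructed (reserved example names only).
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Displayed text that a reader would take for an address: "host.tld/path"
# with an optional scheme and no whitespace.
_URL_LIKE = re.compile(r"(https?://)?[^\s/@]+\.[^\s/@.]{2,}(/\S*)?", re.I)


def host_of(s):
    """Host a browser would connect to; bare 'host/path' text gets http:// added."""
    parts = urlsplit(s)
    if not parts.scheme and not parts.netloc:
        parts = urlsplit("http://" + s)
    return (parts.hostname or "").lower()


def looks_like_url(text):
    return bool(_URL_LIKE.fullmatch(text))


def check_anchor(href, text):
    """Return the reasons this link is suspicious (empty list = nothing found)."""
    reasons = []
    host = host_of(href)
    if not host:
        # mailto:, tel:, relative paths: not a web destination to compare
        reasons.append("href has no web host")
        return reasons
    if "@" in urlsplit(href).netloc:
        # https://login.example.gov@evil.example/ really goes to evil.example
        reasons.append("user-info before host (real host is %s)" % host)
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if not host.isascii():
        reasons.append("non-ASCII characters in host (possible look-alike domain)")
    if looks_like_url(text) and host_of(text) != host:
        reasons.append("displayed %s but goes to %s" % (host_of(text), host))
    return reasons


def scan_html(html):
    """Return [(href, text, reasons)] for every anchor in an HTML message."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(h, t, check_anchor(h, t)) for h, t in collector.anchors]


# Constructed sample message; the last link uses Cyrillic U+0435 in place of "e".
SAMPLE_MESSAGE = """
<p>Your credential will expire soon. Please review:</p>
<a href="https://login.example.gov/">https://login.example.gov/</a>
<a href="http://198.51.100.7/login">https://login.example.gov/</a>
<a href="https://login.example.gov@evil.example/">Click here to verify your account</a>
<a href="https://login-example.gov.evil.example/reset">login.example.gov</a>
<a href="https://login.exampl\u0435.gov/">https://login.example.gov/</a>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_html(SAMPLE_MESSAGE):
        status = "OK " if not reasons else "BAD"
        print(status, repr(text), "->", href, "; ".join(reasons))
```

Run it against a saved `.eml` body or a pasted chat message. A clean result only means none of these four patterns was found; a look-alike registered domain such as login-example-gov.com passes this check, so the address still has to be read by a person who knows what the real one is.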

Key Loggers

  • Key loggers are malware that captures input from the keyboard. The captured keystrokes are sent to an attacker, who extracts passwords and other sensitive information from them.

Key loggers may be installed on your system when you click on unfamiliar links or open attachments sent from unreliable or unknown sources.
