3. Human and Environmental

3.1. Humans

Humans: social engineering, phishing


Transcript

So, the first thing you need to understand is that humans are the weakest link in any network. 

If you didn't have humans, you wouldn't have any security issues.  

We referred to them as stupid human tricks.  

You can tell, when you're monitoring a network, when all the people have gone home for the day or it's a holiday, et cetera, because your traffic volume goes way down and your alert volume goes way down. 

So, the first thing we want to talk about is social engineering.  

Social engineering is basically just using your social skills to get something, or to get somewhere you should not be able to go, where you're not authorized to go.  

So, I will use an example of when I was in college. 

The computer network labs were all locked, and if you got there before the professor, you had to wait out in the hallway.  

One day I was really early; the professor in the next room just happened to be my ex-girlfriend, and so I just said hi.  

We got along well, and she's like, what are you doing?  

I said, just waiting to get into my class, and she came out and let me in. 

She should never have done that, but she had access because she was in that building, so she used her swipe card and let me into the computer lab.  

If I were a bad guy, I could have done all kinds of things to the 60 computers in there and to the network server in there. 

And then the other thing is phishing: emails that come with a link or something for you to click on, where people don't pay attention to the web address or the e-mail address it's going back to. 

So, the biggest thing you can do is look to see the address that it's returning to. 

You get a lot of spoofs.  

Some of them are really, really obvious.  

If you're getting something from Amazon and it's going back to user12345 at Gmail, that's not Amazon.  

Some aren't as easy as that, but that's a big thing. 

Phishing emails: a lot of people just click the link; they don't pay attention. 

That's why we do phishing e-mail tests, and then those people get to do training as to what not to do. But they make it look like your users.  

One of our tests had our HR director's name spelled slightly wrong, and it requested us to do something with our payroll services, update something or something like that.  

I recognized it right away.  

I'm good friends with the person, so I knew: no, that's not how she spells her name.  

And that's not how her name is in the system.  

And it was a phishing test.  

But they try to get as much information from you as they can.
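The two tells the lecturer describes, a brand-name sender whose reply address goes back to a consumer mailbox, and a colleague's name spelled slightly wrong, can both be read straight off the message headers. The following is an added example, not part of the course material: it parses constructed sample messages (no real mail), checks where a reply would actually go against a hypothetical directory of known senders (`KNOWN_SENDERS`, with `Jane Doe` standing in for the HR director), and flags near-miss spellings with a similarity cutoff. The cutoff of 0.8 is an assumption chosen for these samples, not a recommended value.

```python
"""Two phishing tells from the lecture, checked against a message's headers:
(1) the address a reply really goes back to does not belong to the sender
    the display name claims (the "Amazon" mail that replies to Gmail);
(2) the sender's display name is a near-miss spelling of a known colleague
    (the phishing test with the HR director's name slightly wrong).
Added example with constructed messages and a hypothetical directory."""
from email import message_from_string
from email.utils import parseaddr
import difflib

# Hypothetical directory: display names and the domains they really send from.
KNOWN_SENDERS = {
    "Amazon": {"amazon.com", "amazon.co.uk"},
    "Jane Doe": {"example.org"},  # stand-in for the HR director in the lecture
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def return_addresses(raw: str) -> dict:
    """Where a reply to this message would really go, taken from its headers."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    # With no Reply-To header, a reply goes to the From address.
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    return {
        "from_name": from_name,
        "from_domain": domain_of(from_addr),
        "reply_domain": domain_of(reply_addr),
    }


def check_message(raw: str, known=KNOWN_SENDERS, cutoff: float = 0.8) -> list:
    """Return human-readable red flags; an empty list means nothing stood out."""
    info = return_addresses(raw)
    name, from_dom, reply_dom = info["from_name"], info["from_domain"], info["reply_domain"]
    flags = []

    # Tell 1a: replies are routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"replies go to {reply_dom}, not {from_dom}")

    if name in known:
        # Tell 1b: the name is one we know, but the addresses do not belong to it.
        strangers = {d for d in (from_dom, reply_dom) if d and d not in known[name]}
        if strangers:
            flags.append(f"{name!r} mail coming from or returning to {sorted(strangers)}")
    else:
        # Tell 2: not an exact known name, but very close to one (a misspelling).
        close = difflib.get_close_matches(name, list(known), n=1, cutoff=cutoff)
        if close:
            flags.append(f"sender name {name!r} is a near-miss for {close[0]!r}")
    return flags


# Constructed sample messages (not real mail).
AMAZON_SPOOF = (
    'From: "Amazon" <user12345@gmail.com>\n'
    "Subject: Your order could not be delivered\n"
    "\n"
    "Click here to update your details.\n"
)
HR_SPOOF = (
    'From: "Jane Dow" <hr@example.org>\n'
    "Reply-To: payroll-update@example-payroll.net\n"
    "Subject: Urgent: confirm your payroll information\n"
    "\n"
    "Please update your direct deposit details today.\n"
)
LEGIT = (
    'From: "Jane Doe" <jane.doe@example.org>\n'
    "Subject: Team lunch\n"
    "\n"
    "Friday at noon?\n"
)

if __name__ == "__main__":
    for label, raw in [("amazon spoof", AMAZON_SPOOF), ("hr spoof", HR_SPOOF), ("legit", LEGIT)]:
        print(label, "->", check_message(raw) or "no flags")
```

Run as a script, the Amazon message is flagged because `gmail.com` is not one of the brand's domains, the HR message is flagged twice (replies leave the organisation's domain, and `Jane Dow` is a near-miss for `Jane Doe`), and the legitimate message produces no flags. Headers are trivially forgeable, so this is a first-pass triage of the tell the lecturer points at, not a substitute for authenticating the sender.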