Extremely Easy Security — Learn Social Engineering in Plain English (1.1 Part 1)

easysecurity
6 min read · Jan 6, 2022

What the hell is InfoSec, you ask?

InfoSec is shorthand for Information Security. In non-simple terms, it’s:

“The practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.” (geeksforgeeks.org)

Uh, what now? And how is that different than Cybersecurity?

(If you haven’t read the intro yet, head over to the beginning.)

Honestly, these days, the two terms are used almost interchangeably. A lot of people and job descriptions use both to describe the same roles (Cybersecurity Analyst, Information Security Analyst, etc.), but that’s not exactly correct.

As far as I know, Cybersecurity is more focused on securing computer systems and networks, while Information Security is focused on securing the information itself, whatever form it takes (a file, a printout, a conversation). People hold information too, not just computers, which is why there’s a whole field built around attacking and defending the human side of security, called Social Engineering. We’ll talk about that in a second.

A lock and key, but the key is crossed out with red lines, because security.

If you’re on the offensive side of Social Engineering, you’re learning how to manipulate people into giving you access to information that you’re not supposed to have.

This can be as simple as asking someone a friendly question. Or it can be as complex as stuffing pillows under your shirt and carrying a box of bricks so you can pretend to be struggling and pregnant while someone kindly holds the door for you — into an unauthorized area, of course. Some people even do this professionally: physical penetration testers, whose teams build entire pretexts (cover stories) to try to get inside a company’s building. Then they brief the company on where its social engineering weaknesses are, so it can fix them.

Here’s an example of a social engineering email.

(Note: Social engineering doesn’t have to be in person — a lot of it takes place online too, and in voice and video calls.)

“Hey Bob, this is your boss Joe. I was wondering if you could email me the building evacuation map as soon as possible. I asked for it from Jeffrey, but he’s not replying to my emails and I need to print copies of it for a drill.”

Then Joe, who is really a woman you’ve never met named Lisa, pretends to be pregnant and walks into your company through the back door that no one thinks about, because you just replied to her fake email address with a map of your building.

Building map.

If you’re on the defensive side, you’ll be training your employees, family members, romantic partner, or whoever, to recognize the signs that someone is social engineering them, and to know what to do about it.

Now you might be thinking, “Ok, so it just means we try to stop people from getting work related information, right? Like, if I post online about what color I just painted my dog’s toenails, hackers don’t care?”

Actually, you may be surprised to learn that any information you give out can be used against you and your company. The more you reveal about where you are, who you are, or where you’ve been (who, what, when, where, why, and how — literally anything) the more you’re setting yourself up to get hacked.

Based on your nail post, I might be able to learn what time you’re out of the office, your general location, or the name of your dog. Then, when you aren’t paying attention, I can try your dog’s name as your email password, or as the answer to the “What is your pet’s name?” question that resets it.

So, no, maybe don’t post about your dog’s toenails. (Even if you aren’t interested in social engineering, please, for the love of God.)

For a great resource on Social Engineering and how to stop it, see Christopher Hadnagy’s Book “Social Engineering: The Art of Human Hacking.”

The first section of the CompTIA SY0-601 exam (that’s the confusing letter-and-number code for the Security+ exam) goes over a huge list of different types of social engineering attacks. If you work for a company or care about your privacy in any way, you need to be able to identify these.

Phishing

So, the example up there with Bob: that’s basically what phishing is. It’s when someone tries to social engineer you through an email (sometimes people say “phishing text message,” too). These can look like exact copies of emails you’d get from companies whose websites you regularly visit, and the sender address can be forged or dressed up to look like a trusted one.

I once got a password reset email from a popular credit card company. The weird part was that I was not a customer of this credit card company. When I moved my mouse and hovered it over the link (even that is not advised, because one time I actually clicked a phishing link this way), I saw the name of the website it was trying to take me to.

It was almost exactly the same website name as the real credit card company’s, only with one extra letter at the end.

Yeah, totally a real credit card company, and totally not a virus.

(The best way to prevent this is just not to click links in emails. Go to the website directly by typing its address into your browser, or use a bookmark you already trust.)
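The three phishing signs described above (a boss’s or brand’s name on an outside address, link text that doesn’t match where the link really goes, and a domain that is one letter off from the real one) can be checked mechanically. The script below is an added example, not code from the original post. The email, the employee directory and the list of trusted domains are all constructed for illustration; the company domain example.com, the brand examplebank.com and the mailbox joe.smith@example.com are hypothetical.

```python
"""Triage an email for the phishing signs discussed in the post.

Everything here (the lure, the employee directory, the trusted domains) is
constructed for this example; none of it is real data.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed company facts (hypothetical): domains its staff trust, and a
# directory mapping display names to the real mailbox for that person.
TRUSTED_DOMAINS = ("example.com", "examplebank.com")
EMPLOYEES = {"joe smith": "joe.smith@example.com"}

# Constructed lure, modelled on the "Joe the boss" email in the post:
# the display name is an employee, the address is not, and both links lie.
SAMPLE_EMAIL = """\
From: Joe Smith <joe.smith@example-mail.net>
To: bob@example.com
Subject: Evacuation map needed ASAP
Content-Type: text/html

<html><body><p>Hey Bob, this is your boss Joe. Please upload the building
evacuation map <a href="https://examplebankk.com/upload">here</a> or via
<a href="https://login.examplebank.com.evil.test/">https://examplebank.com</a>.
</p></body></html>
"""

# Visible link text that a reader would take to be an address.
_DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def levenshtein(a, b):
    """Edit distance; one extra letter at the end scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shown_host(text):
    """The host a reader believes the link goes to, if the text looks like one."""
    m = _DOMAINISH.match(text.strip())
    return m.group(1).lower() if m else None


def classify_host(host):
    """'trusted' for a trusted domain or its subdomains, else a reason string."""
    host = host.lower()
    if not host:
        return "no host in link"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    for trusted in TRUSTED_DOMAINS:  # brand.com.evil.test style
        if trusted in host:
            return f"trusted brand {trusted} embedded in an untrusted host"
    registrable = ".".join(host.split(".")[-2:])  # crude; real code uses the PSL
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(registrable, trusted) <= 2:
            return f"lookalike of {trusted}"
    return "unknown domain"


def triage(raw_email):
    """Return a list of human-readable findings for one raw email."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    expected = EMPLOYEES.get(name.lower())
    if expected and expected.rsplit("@", 1)[-1] != sender_domain:
        findings.append(f"display-name impersonation: '{name}' sent from {sender_domain}, expected {expected}")
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = (urlparse(href).hostname or "").lower()
        shown = shown_host(text)
        if shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
        verdict = classify_host(host)
        if verdict != "trusted":
            findings.append(f"{host}: {verdict}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EMAIL):
        print("-", finding)
```

Run it and the constructed lure produces four findings: the impersonated boss, the one-letter-off domain, the link whose text and target disagree, and the trusted brand buried inside a host that actually belongs to someone else. The lookalike check is deliberately loose (edit distance 2 on the last two labels); in a real mail filter you would pair it with the Public Suffix List and an allow-list so that legitimate partner domains don’t get flagged.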

Smishing

Also like phishing, but done solely through SMS (that stands for “Short Message Service,” and it just means your average text message).

When I first started applying to jobs online, I started getting a lot of these. Then I realized that I had accidentally made my phone number public on one of my resumes for everyone to see.

Uh, yeah, just because you study security doesn’t mean you’re not going to do stupid stuff. Christopher Hadnagy talks about this too.

Vishing

Phishing over voice calls. This is one of my favorites, because the level of acting here can be ridiculously good. I once saw a YouTube video of a woman who pressured a phone company into giving her access to a random person’s account by pretending to be a struggling mom. To make it more convincing, she played fake baby-crying noises from YouTube in the background.

You can check it out here.

(Make sure to hover over that link first. Hope you’re paranoid now.)

Spam

I’m pretty sure we all know what this is. If you don’t, don’t worry, I’ll demonstrate it for you now.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Hi this is Steve and I’m here to offer you 30 days of free car insurance.

Yeah.

SPIM (Spam Over Instant Messaging)

Steve, but he texts you instead.

Steve, who looks unhinged, holding a can of Spam and talking about how much he loves car insurance.

Spear Phishing

This one is a bit tricky, because it often gets confused with “whaling,” which we’ll talk about soon.

Spear phishing is phishing aimed at a specific target you have in mind, usually one person or a small group inside a company, with the message tailored to them using whatever you’ve learned about them.

For example, if you know there’s an older woman named Martha in accounting who isn’t very tech-savvy or knowledgeable about social engineering, you might pick her as the target of your next phishing email. You just saw a post she made on social media about how much she enjoys listening to Beethoven and working for her company. You also noticed that her work email is public.

Because you’re a bad person and you suck, you trick Martha into opening your email for some free Beethoven concert “tickets” while she’s at work. The “tickets” are a malicious attachment or link, and opening them gives you access to her computer.

Then, to the company network.

Next Up: Extremely Easy Security — Learn Cyber Threats & Attacks in Plain English (1.1 Part 2)


easysecurity: Writer, ethical hacker, humorist. Extremely Easy Security.