2.4 Social Engineering Attacks, Threats, and Vulnerabilities
COMPTIA A+ CORE 2 - DOMAIN 2
Cyber Wizard
This article provides an overview of social engineering attacks, cyber threats, and system vulnerabilities that can compromise security, as required for the CompTIA A+ exam.
CompTIA A+ Exam Domain: Domain 2.4 - Explain common social-engineering attacks, threats, and vulnerabilities.
Social Engineering Attacks
Social engineering exploits human psychology to manipulate individuals into divulging confidential information or performing actions that compromise security.
Phishing
Definition: Fraudulent emails, messages, or websites that appear legitimate but are designed to steal sensitive data.
Example: Fake bank emails tricking users into entering credentials.
Prevention:
Verify URLs before clicking links.
Enable email filtering and spam detection.
Train users to recognize phishing attempts.
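A small script to make "verify URLs before clicking" concrete. This is an added example, not part of the original article: it extracts the hostname a browser would actually connect to and compares it with a constructed allowlist, which exposes two lookalike tricks (a trusted name used as a subdomain prefix, and a trusted name placed in the userinfo part before '@'). The trusted hosts and sample links are constructed for illustration.

```python
"""Added example (not from the original article): a defender-side check that
extracts the real host from a link before a user trusts it. The trusted
hostnames and the sample links below are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the organisation actually uses.
TRUSTED_HOSTS = {"bank.example.com", "www.bank.example.com"}


def effective_host(url: str) -> str:
    """Return the lower-cased hostname the browser would connect to.

    urlsplit() ignores anything before '@' (the userinfo part), so
    'https://bank.example.com@evil.example/' resolves to evil.example,
    which is exactly what a reader skimming the link text would miss.
    """
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def is_trusted_link(url: str) -> bool:
    """True only for HTTPS links whose host is a trusted host or a subdomain
    of one. 'bank.example.com.evil.example' fails because its registered
    suffix is evil.example, not bank.example.com."""
    if urlsplit(url).scheme != "https":
        return False
    host = effective_host(url)
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return True
    return False


# Constructed examples of links as they might appear in email bodies.
SAMPLE_LINKS = [
    "https://www.bank.example.com/login",
    "https://bank.example.com.evil.example/login",
    "https://bank.example.com@evil.example/login",
    "http://bank.example.com/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "trusted" if is_trusted_link(link) else "SUSPICIOUS"
        print(f"{verdict:10s} host={effective_host(link):32s} {link}")
```

Only the first link passes; the other three are rejected because their effective host is not on the allowlist or they do not use HTTPS.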
Vishing (Voice Phishing)
Definition: Social engineering attacks conducted via phone calls.
Example: An attacker posing as tech support requesting login details.
Prevention:
Verify caller identities before sharing information.
Use company-approved communication channels.
Shoulder Surfing
Definition: Observing a person’s screen or keystrokes to steal information.
Example: A hacker looking over someone’s shoulder to capture login credentials.
Prevention:
Use privacy screens on devices.
Be aware of surroundings in public spaces.
Whaling
Definition: Targeted phishing attacks aimed at high-profile individuals (e.g., executives).
Example: Fake CEO email requesting a wire transfer.
Prevention:
Implement strong email authentication.
Train employees to recognize executive impersonation.
Tailgating (Piggybacking)
Definition: Gaining access to restricted areas by following an authorized person.
Example: An attacker sneaks into an office behind an employee.
Prevention:
Implement security policies requiring badge scanning.
Train employees to challenge unknown individuals.
Impersonation
Definition: Pretending to be someone else to gain access to systems or information.
Example: An attacker posing as IT support to request login credentials.
Prevention:
Verify identities before granting access.
Use multi-factor authentication (MFA).
Dumpster Diving
Definition: Retrieving sensitive information from discarded documents or hardware.
Example: Finding passwords in discarded company printouts.
Prevention:
Shred confidential documents before disposal.
Securely wipe storage devices before recycling.
Evil Twin Attack
Definition: Creating a fake Wi-Fi hotspot that mimics a legitimate network to intercept user data.
Example: A hacker setting up a rogue hotspot named “Public Library Wi-Fi.”
Prevention:
Avoid connecting to unknown or unsecured networks.
Use VPNs for secure browsing.
Common Cybersecurity Threats
Distributed Denial of Service (DDoS)
Definition: Overloading a server with excessive traffic to disrupt services.
Example: Botnets attacking an e-commerce site, making it unavailable.
Prevention:
Use firewalls and traffic filtering.
Deploy DDoS mitigation solutions.
Denial of Service (DoS)
Definition: A single source floods a system to exhaust resources.
Example: Sending repeated requests to crash a website.
Prevention:
Implement rate limiting.
Use network monitoring tools.
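The "implement rate limiting" item above, worked through as an added example that is not part of the original article: a sliding-window limiter that allows each source a fixed number of requests per window and rejects the rest, replayed over a constructed request log in which one address floods the service while another behaves normally. The limits, addresses and timestamps are constructed.

```python
"""Added example (not from the original article): a sliding-window rate
limiter of the kind a web front end uses to absorb a single-source flood.
Limits and the request log below are constructed for illustration."""
from collections import defaultdict, deque

MAX_REQUESTS = 5       # constructed policy: at most 5 requests per source ...
WINDOW_SECONDS = 10.0  # ... in any 10-second window


class SlidingWindowLimiter:
    """Keeps the timestamps of recent requests per client and rejects a
    request once the client has used MAX_REQUESTS inside WINDOW_SECONDS."""

    def __init__(self, max_requests=MAX_REQUESTS, window=WINDOW_SECONDS):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False  # over budget: reject and do not record the hit
        q.append(now)
        return True


# Constructed request log: (seconds since start, source address).
# 10.0.0.5 sends a request every half second; 10.0.0.9 is a normal user.
REQUEST_LOG = [(t * 0.5, "10.0.0.5") for t in range(16)] + [
    (1.0, "10.0.0.9"), (4.0, "10.0.0.9"), (9.0, "10.0.0.9"),
]


def replay(log):
    """Feed the log in time order; return {client: (allowed, rejected)}."""
    limiter = SlidingWindowLimiter()
    stats = defaultdict(lambda: [0, 0])
    for now, client in sorted(log):
        idx = 0 if limiter.allow(client, now) else 1
        stats[client][idx] += 1
    return {c: tuple(v) for c, v in stats.items()}


if __name__ == "__main__":
    for client, (ok, rejected) in replay(REQUEST_LOG).items():
        print(f"{client}: {ok} allowed, {rejected} rejected")
```

The flooding source gets its first five requests through and the remaining eleven rejected, while the normal user's three requests all succeed; a real deployment would key the limiter on more than the source address, since the DDoS variant spreads the load across many sources.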
Zero-Day Attack
Definition: Exploiting software vulnerabilities before patches are available.
Example: A hacker discovers an unpatched flaw in a web browser and exploits it.
Prevention:
Apply updates and patches promptly.
Use intrusion detection systems (IDS).
Spoofing
Definition: Impersonating another device or user to gain access.
Example: Forging a packet's source IP address to bypass firewall rules.
Prevention:
Use secure authentication.
Monitor for unauthorized network activity.
On-Path Attack (Man-in-the-Middle, MITM)
Definition: Intercepting communications between two parties.
Example: Capturing unencrypted login details over public Wi-Fi.
Prevention:
Use encrypted connections (HTTPS, VPNs).
Implement multi-factor authentication.
Brute-Force Attack
Definition: Attempting multiple password combinations to gain access.
Example: Automated tools guessing login credentials.
Prevention:
Implement account lockout policies.
Require complex passwords.
Dictionary Attack
Definition: Using a list of common passwords to crack credentials.
Example: Attempting “password123” and “letmein” in rapid succession.
Prevention:
Enforce strong password policies.
Use account lockout mechanisms.
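The account-lockout mechanism recommended for both brute-force and dictionary attacks, as an added example that is not part of the original article. It stores salted PBKDF2 hashes, locks an account after a fixed number of consecutive failures, refuses to evaluate the password while the lock is in force, and answers unknown users the same way as wrong passwords. The policy values, the user store and the attempt log are constructed for illustration.

```python
"""Added example (not from the original article): an account-lockout policy
applied to a stream of login attempts. The policy values, user store and
attempt log are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILURES = 3         # constructed policy: lock after 3 consecutive failures
LOCKOUT_SECONDS = 900.0  # ... for 15 minutes


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted KDF so a stolen database cannot be guessed through cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self):
        self.accounts: dict[str, Account] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'.

        An unknown user gets the same answer as a wrong password so the
        response does not reveal which usernames exist."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad_password"
        if now < acct.locked_until:
            return "locked"  # still locked: the password is not even checked
        if hmac.compare_digest(acct.digest, hash_password(password, acct.salt)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad_password"


# Constructed dictionary-style attempt log: (seconds, username, guess).
ATTEMPTS = [
    (0.0, "alice", "password123"),
    (0.2, "alice", "letmein"),
    (0.4, "alice", "qwerty"),
    (0.6, "alice", "Correct-Horse-42"),    # right password, but the account is locked
    (901.0, "alice", "Correct-Horse-42"),  # lockout has expired
]


def run_attempts(attempts):
    auth = Authenticator()
    auth.add_user("alice", "Correct-Horse-42")  # constructed credential
    return [auth.login(u, p, t) for t, u, p in attempts]


if __name__ == "__main__":
    for (t, u, p), result in zip(ATTEMPTS, run_attempts(ATTEMPTS)):
        print(f"t={t:6.1f}s {u}: {result}")
```

The third wrong guess triggers the lock, so the correct password is refused at 0.6 s and only accepted once the lockout has expired; the lock also stops the attacker learning anything from the timing of the hash check.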
Insider Threat
Definition: A trusted individual misuses their access privileges.
Example: A disgruntled employee leaking company data.
Prevention:
Use least privilege access principles.
Monitor unusual user activity.
SQL Injection (SQLi)
Definition: Injecting malicious SQL code to manipulate a database.
Example: Using ' OR '1'='1 to bypass authentication.
Prevention:
Use parameterized queries.
Sanitize user input.
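The bypass described above and the parameterized fix, side by side, as an added example that is not part of the original article. It runs against an in-memory SQLite database: the first login function builds the SQL text by string concatenation and is deliberately vulnerable; the second passes the same inputs as bound parameters. The users table and credentials are constructed for illustration.

```python
"""Added example (not from the original article): the ' OR '1'='1 bypass
against a string-built query, beside the parameterized query that stops it.
The users table and credentials are constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed test data. A real system stores a password hash, never the password.
    conn.execute("INSERT INTO users VALUES ('alice', 'Correct-Horse-42')")
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    # Deliberately broken: user input is spliced into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    # Parameterized: the driver sends the values separately from the SQL text,
    # so the input is always compared as data and never parsed as SQL.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # the string from the article's example
    print("vulnerable, real credentials:", login_vulnerable(conn, "alice", "Correct-Horse-42"))
    print("vulnerable, injected password:", login_vulnerable(conn, "nobody", payload))
    print("parameterized, injected password:", login_safe(conn, "nobody", payload))
```

With the payload as the password, the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function returns True for a user who does not exist; the parameterized version compares the payload as a literal password and returns False.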
Cross-Site Scripting (XSS)
Definition: Injecting malicious scripts into web pages viewed by users.
Example: Attackers embedding scripts in comment sections.
Prevention:
Implement a Content Security Policy (CSP).
Validate and escape user input.
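How output escaping and a Content Security Policy work together, as an added example that is not part of the original article. A comment containing a script element is rendered once by raw string interpolation (deliberately unsafe) and once through `html.escape`, and the response carries a constructed CSP header that refuses inline scripts even if some escaping is missed. The comment text and the policy are constructed for illustration.

```python
"""Added example (not from the original article): rendering a user comment
unsafely and safely, plus a Content-Security-Policy header as defence in
depth. The comment text and the policy are constructed for illustration."""
import html

# Constructed comment as it might be submitted to a comment form.
COMMENT = "Great post! <script>alert('xss')</script>"

# Constructed policy: scripts only from this origin, so inline <script>
# blocks injected into the page body are blocked by the browser.
CSP_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"


def render_unsafe(comment: str) -> str:
    # Deliberately broken: the raw text is spliced into markup, so the
    # <script> element becomes part of the page and runs for every viewer.
    return f"<p class=\"comment\">{comment}</p>"


def render_safe(comment: str) -> str:
    # html.escape turns <, >, & and quotes into entities, so the browser
    # displays the text literally instead of parsing it as markup.
    return f"<p class=\"comment\">{html.escape(comment, quote=True)}</p>"


def build_response(comment: str) -> dict:
    """Return the headers and body a page handler would send for one comment."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": CSP_POLICY,
    }
    return {"headers": headers, "body": render_safe(comment)}


def contains_script_element(markup: str) -> bool:
    """Crude check used here to show the difference between the two renderings."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("unsafe:", render_unsafe(COMMENT))
    print("safe:  ", render_safe(COMMENT))
    resp = build_response(COMMENT)
    print("CSP:   ", resp["headers"]["Content-Security-Policy"])
```

Escaping is the primary control (validate on input, escape on output for the context it lands in); the CSP header is the backstop for the case where some template forgets to escape.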
Common System Vulnerabilities
Non-Compliant Systems
Devices that do not adhere to security policies.
Prevention: Implement strict compliance audits.
Unpatched Systems
Systems without the latest security updates.
Prevention: Enable automatic updates.
Unprotected Systems (Missing Antivirus/Firewall)
Lack of protective software increases exposure to threats.
Prevention: Install and update security tools regularly.
End-of-Life (EOL) Operating Systems
Unsupported OS versions no longer receive security patches.
Prevention: Migrate to supported OS versions.
Bring Your Own Device (BYOD) Risks
Personal devices on company networks can introduce security risks.
Prevention: Implement Mobile Device Management (MDM) and enforce BYOD policies.
Final Thoughts
Understanding social engineering attacks, cybersecurity threats, and system vulnerabilities is crucial for maintaining security. The CompTIA A+ exam tests knowledge of these topics to ensure IT professionals can detect, mitigate, and prevent security incidents effectively.