CompTIA Security+ is a professional certification exam that provides the core knowledge for a beginner or a professional who is trying to venture into the cybersecurity profession.
The exam is categorized into 5 domains, which are:
Domain 1: Threats, Attacks and Vulnerabilities
Domain 2: Architecture and Design
Domain 3: Implementation
Domain 4: Operations and Incident Response
Domain 5: Governance, Risk and Compliance
In this post, we are going to be talking about the first one, which is Attacks, Threats and Vulnerabilities. Let’s dive in:
Domain 1: Threats, Attacks and Vulnerabilities
Social engineering is a type of attack in which a hacker exploits someone’s weaknesses to gain access to vital information or systems. Hackers pretend to be who they are not, tricking people into giving them vital information like passwords or even letting them into secure areas.
Social engineering is an attack that relies heavily on human weakness and human interaction. Hackers trick people into disclosing private information and into breaking best practices and standard security protocols. An attacker can use all of this to launch a successful cyber-attack.
Social engineering is often used to gain access to IT infrastructure or to a physical facility.
1.1 CompTIA Security+ Exam: Compare and Contrast different types of Social Engineering Techniques:
There are 2 categories of social engineering attacks:
· Physical attacks: carried out in person
- Tailgating
- Shoulder surfing
- Dumpster diving
· Virtual attacks: can be carried out from anywhere with a computer and internet access
- Phishing
- Hoax
- Watering hole attack
- Phishing: The number one cyber-attack and a common entry point for ransomware. It is an attack in which a criminal pretends to be a trustworthy entity in order to trick a person into clicking on an infected link, which results in malware installation or the release of sensitive data. Some common phishing techniques required for the CompTIA Security+ exam include:
o Spear phishing: The word “spear” means “a weapon with a pointed tip.” Spear phishing is a phishing technique that is targeted at a specific group or a specific user.
o Vishing: also known as voice phishing. This is a voice scam meant to steal sensitive information. Vishing scams include:
- Bank account compromise: The scammers pretend to be from the victim’s bank and then state that the victim has issues with their account number or that their account has been compromised. The moment the victim releases sensitive information like a password, the attacker/scammer uses it to break in.
- Law enforcement impersonation: A scammer/attacker pretends to be a serving member of a law enforcement agency in the country, then insinuates and persuades the victim that they are trying to help them avoid criminal charges, but that they need certain personal information to begin and to speed up the process.
- Government official impersonation: Vishing calls from someone claiming to work for the government’s tax agency.
- Software installation: The scammer calls to tell the victim to install a piece of software, usually malware, through which the scammer is then able to access sensitive information.
o Whaling: The word “whale” means “a very large fish.” Whaling happens when an attacker goes after a “big fish,” such as a CEO.
o Smishing: SMS or text message form of phishing.
The best defense against phishing attacks is user awareness training.
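As an added example (not code from the original post), here is a small Python triage helper that flags, in a parsed email, the indicators this section describes: a sender domain that does not match the claimed brand, link text pointing somewhere other than its real target, a lookalike domain, and the account-compromise, credential-request and law-enforcement pretexts used in the vishing scenarios above. The brand allowlist, domains and sample message are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist: brand display names and the domain each really sends from.
KNOWN_BRANDS = {"acme bank": "acme-bank.example"}

# Pretext phrases from the scenarios above: account compromise, credential requests, law-enforcement pressure.
URGENCY_PATTERNS = [
    r"account (has been|was) (compromised|suspended)",
    r"verify your (password|identity|account)",
    r"avoid (criminal charges|arrest)",
]

def host_of(url):
    # Lower-cased host of a URL, or '' if it has none.
    return (urlparse(url).hostname or "").lower()

def looks_alike(host, trusted):
    # A host that is not the trusted one but is similar enough to deceive a reader.
    return host != trusted and SequenceMatcher(None, host, trusted).ratio() >= 0.8

def phishing_indicators(msg):
    # msg: dict with from_display, from_addr, subject, body and links,
    # where links is a list of (visible_text, href) pairs. Returns sorted indicator names.
    found = set()
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    trusted = KNOWN_BRANDS.get(msg["from_display"].lower())
    if trusted and sender_domain != trusted:
        found.add("display-name/sender-domain mismatch")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        found.add("urgency or credential request")
    for visible, href in msg["links"]:
        target = host_of(href)
        shown = host_of(visible) if "://" in visible else ""
        if shown and shown != target:
            found.add("link text/target mismatch")
        if trusted and looks_alike(target, trusted):
            found.add("lookalike domain")
    return sorted(found)

# Constructed sample: the "bank account compromise" pretext delivered by email.
SAMPLE_PHISH = {
    "from_display": "Acme Bank",
    "from_addr": "alerts@acme-bank-secure.example",
    "subject": "Your account has been compromised",
    "body": "Verify your password within 24 hours.",
    "links": [("https://acme-bank.example/login", "https://acme-bank-secure.example/login")],
}
```

Running `phishing_indicators(SAMPLE_PHISH)` returns all four indicator names, while a genuine statement notification from the trusted domain with a plain-text link returns an empty list.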