Social Engineering Attack – What Your Organization Should Know


Social engineering is the human threat vector of cybersecurity. It is the criminal practice of exploiting human nature, rather than a technical weakness, to gain unauthorized access to people's decisions, digital systems, data and other assets. It cannot be discussed enough: it is often the most neglected and the most exploited of all attack paths. This brief article covers the meaning of social engineering, facts about it, the human traits it exploits, its broad types, its common tools, the anatomy of an attack, and countermeasures against it.

Facts about social engineering

It is built on manipulation, regardless of type.
It is the path of least resistance for cyberattacks.
A high proportion of successful security attacks start with, or involve, a social engineering step.
People should be a critical part of the firewall, a human firewall.
Awareness of it must be prioritized.

Human traits often exploited

In the context of this piece, human cognition means the mental process of understanding and reacting to unfolding events. Criminals have always relied on the following traits to raise their chances of success; they can hardly do without them.

Authority – most people respect and obey authority.
Trust – it is natural for most people to trust, especially someone who appears to hold authority.
Responsiveness – a responsible person wants to respond to events promptly.
Fear – people fear getting into trouble or being found wanting.
Urgency – a hurried reaction is natural, especially under pressure.
Threat – people want to avoid threatening events that disturb their peace.
Reward – being rewarded is enticing.
Curiosity – the inquisitiveness and excitement to face and close out a challenge.
Ignorance – a liability to the holder and an opportunity to the exploiter.
Priority – people choose what to prioritize at any given time, and the attacker supplies the "priority".

Types of social engineering

Phishing: email-based social engineering. Variants include spear phishing, which targets a specific person or category of persons with tailored content, and whaling, which targets wealthy and high-profile individuals.
Smishing: uses SMS text messages.
Vishing: voice or audio based, typically a phone call.
Watering hole: compromises a website or social media venue the targets are known to visit, so that the victims come to the attacker.

Physical types

Shoulder surfing: unauthorized covert observation of screens, keypads or paperwork.
Piggybacking or tailgating: following an authorized person through a controlled entry or exit to circumvent access protocol.
Dumpster diving: searching dump sites or bins for confidential data.
Baiting: leaving an infected USB drive or similar "gift" to entice the target into plugging it in.

Synthetic content types

Disinformation: intentional spread of false and misleading information.
Shallow fake: alteration of genuine media content to misrepresent fact.
Deep fake: AI-generated deceptive audio, image or video content.

Common tools of social engineering

Websites, social profiles, spoofing toolkits, phishing toolkits, clothing and apparel (to look the part), appeal or charisma, audio recorders, infected USB drives, spy cameras, and romance.

Anatomy of a social engineering attack

Establish objective – the attacker sets out from the start what they want to achieve.
Determine target – who should be targeted; the perceived chance of success often drives this choice.
Do reconnaissance – background investigation to gain insight into the routine behaviour of the targets.
Develop tools – the needed toolkits (e.g. a phishing kit or a spoofed website) are built.
Mobilize resources – other resources needed for the attack are assembled.
Launch attack – sometimes first at small scale.
Evaluate success rate – the results are gauged.
Revise or modify – where necessary, the approach is adjusted to raise the success rate.
Relaunch – the attack is run again and modified as needed.
Reap results – which may be positive or negative for the attacker.

Countermeasures against social engineering

Technical: policy, firewalls, authentication, and alerting.
Non-technical: training, awareness, and simulated attacks.

Social engineering is one of the most dreaded cyber threats of modern times. It can stand alone or be the path to many other cybersecurity incidents. Cybercriminals find it handy, reliable and result-oriented, because it takes advantage of human nature. Awareness and knowledge are key to avoiding becoming a victim and compromising your personally identifiable data or that of your organization. ALSO READ: 4 Types Of Phishing Attacks And 10 Signs To Know A Phishing Email

4 Types Of Phishing Attacks And 10 Signs To Know A Phishing Email


Phishing is a type of social engineering attack built on manipulating and deceiving people into revealing confidential and private information, which is then used to carry out further crime against them. It takes advantage of human trust and emotion to steal from people, and it has become a popular, easy to use and dependable tool for cybercriminals. In operation, the criminal reaches out to users through any communication channel, pretends to represent a legitimate authority (a financial service provider, a health insurance provider, a family member or a trusted friend), offers assistance, and then requests a harmful action from the user. Actions demanded in phishing attacks include, but are not limited to:

Revealing private and confidential information, e.g. a password, date of birth, social security number, BVN or one-time code.
Clicking a link that directs the user to a secondary resource where confidential information is harvested.
Opening an attachment, which in most cases carries malware that launches a further attack on the device and network.
Sending cash to "solve" a staged problem.
Reading back a code that was just sent, to "complete" a proposed solution.

With automation and artificial intelligence increasingly shaping interactions and commerce, people will depend more and more on digital communication channels. Phishing campaigns continue to succeed often enough to remain profitable, which means more people are falling victim. Hence the benefit of deepening your understanding of them. Let's look at four common types of phishing attack, and then at how to identify an email-based one.

Four types of phishing attack

Spear phishing – targets a specific person or category of persons, e.g. the customers of a particular insurer or bank, students, or workers at a particular mine, with content tailored to them.
Whaling – a form of spear phishing that targets high net worth and high-profile individuals such as company executives, politicians and celebrities. As the name implies, it goes only after the "big fish".
Smishing – SMS-based phishing, where a text message is used to deceive the receiver into providing private and confidential information or taking some other action. It reaches its targets without the receiver needing an internet connection.
Vishing – the voice counterpart of smishing. It uses a phone call to reach out and deceptively request confidential and private information from the receiver. Again, no internet connection is needed on the receiver's side.

Ten signs of a phishing email

It comes from a stranger: phishing emails often come from an unknown person or agent.
It comes from a public email domain, such as yahoo.com, gmail.com or hotmail.com, while claiming to represent an organization.
The domain name is misspelt or a lookalike: when it pretends to come from a private domain, that domain is usually a near-copy of the genuine one with a character altered, added or swapped.
It pretends to offer assistance: phishing merchants always pretend to offer one form of help or another. Call it Shylock's assistance.
The content is poorly written: it will likely lack the quality expected of business communication.
It includes a suspicious attachment or link that you are asked to open or follow.
It calls for urgent action: whatever the call to action, it comes wrapped in "urgency".
It asks you to provide personal information to close out an event.
It may ask you to send cash to solve a staged problem.
It appeals to a defined sentiment, such as fear, greed or sympathy.

None of these signs is conclusive on its own; a message sent from a compromised genuine mailbox can pass several of them, so treat the list as a checklist that raises or lowers suspicion rather than a verdict.
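The ten signs above can be turned into a simple first-pass triage check. The following Python script is an added example written for this article, not code from the original page; it scores a raw email message against the signs that can be checked mechanically (public sender domain, a brand name in the From header that does not match the sender domain, urgency wording, requests for credentials or money, links to hosts outside a known-good list, risky attachment types, and common misspellings). The known-good domain examplebank.com, the two sample messages, the phrase lists and the scoring weights are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation legitimately corresponds with (an assumption for this example).
KNOWN_DOMAINS = {"examplebank.com"}
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
URGENCY_PHRASES = ("urgent", "immediately", "immediatly", "within 24 hours", "suspended", "act now")
CREDENTIAL_ASKS = ("password", "date of birth", "social security", "bvn", "verification code")
MONEY_ASKS = ("send money", "wire transfer", "gift card", "transfer the sum")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".zip", ".hta")
COMMON_MISSPELLINGS = ("immediatly", "unusal", "recieve", "acount", "kindly revert")
URL_RE = re.compile(r"https?://\S+")

# Two constructed messages (not real mail): one legitimate-looking, one phishing-like.
SAMPLE_LEGIT = """From: Accounts Team <billing@examplebank.com>
To: customer@example.org
Subject: Your monthly statement is ready

Your March statement is now available in your online banking portal.
Log in at https://www.examplebank.com/statements as usual.
"""

SAMPLE_PHISH = """From: Security Desk <examplebank.security@gmail.com>
To: customer@example.org
Subject: URGENT: account suspended - verify immediatly

We detected unusal activity. Your account will be locked within 24 hours
unless you confirm your password and date of birth at
http://examplebank-secure.com/verify
"""


def body_text(msg):
    """Return the text/plain content of a message (single-part mail is just a string)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in msg.walk() if p.get_content_type() == "text/plain")


def attachment_names(msg):
    return [p.get_filename().lower() for p in msg.walk() if p.get_filename()]


def imitated_domain(from_header, sender_domain, known):
    """A known brand named in the From header while the real sender domain is something else."""
    if sender_domain in known:
        return None
    for k in known:
        if k.split(".")[0] in from_header.lower():
            return k
    return None


def host_is_known(host, known):
    return any(host == k or host.endswith("." + k) for k in known)


def score_message(raw, known=KNOWN_DOMAINS):
    """Score one raw message against the signs above; returns (score, list of reasons)."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    _, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    score, reasons = 0, []

    if sender_domain in PUBLIC_DOMAINS:                                  # sign 2
        score += 2
        reasons.append(f"sender uses public mail domain {sender_domain}")
    target = imitated_domain(from_header, sender_domain, known)          # sign 3
    if target:
        score += 3
        reasons.append(f"From header invokes {target} but sender domain is {sender_domain or 'missing'}")
    hits = [p for p in URGENCY_PHRASES if p in text]                     # sign 7
    if hits:
        score += 2
        reasons.append("urgency language: " + ", ".join(hits))
    if any(p in text for p in CREDENTIAL_ASKS):                         # sign 8
        score += 2
        reasons.append("asks for credentials or identity data")
    if any(p in text for p in MONEY_ASKS):                              # sign 9
        score += 2
        reasons.append("asks for money")
    hosts = [urlparse(u.rstrip(".,)")).hostname or "" for u in URL_RE.findall(text)]
    bad_hosts = [h for h in hosts if not host_is_known(h, known)]       # sign 6 (links)
    if bad_hosts:
        score += 2
        reasons.append("links to unrecognised host(s): " + ", ".join(bad_hosts))
    if any(n.endswith(RISKY_EXTENSIONS) for n in attachment_names(msg)):  # sign 6 (attachments)
        score += 2
        reasons.append("risky attachment type")
    typos = [w for w in COMMON_MISSPELLINGS if w in text]               # sign 5
    if typos:
        score += 1
        reasons.append("sloppy writing: " + ", ".join(typos))
    return score, reasons


def is_suspicious(raw, threshold=5):
    """Flag for review once the score reaches the threshold; tune it against your own mail flow."""
    return score_message(raw)[0] >= threshold


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, *score_message(sample))
```

Run it as a script to see both samples scored. The score is a triage aid, not a verdict: the script does not look at authentication results such as SPF or DKIM, and a message from a compromised genuine mailbox would score low, so the output should feed a human review or a mail gateway's quarantine rule rather than an automatic delete.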
Phishing is a low-cost, low-effort tool for cybercrime. It is a social engineering attack that exploits inherent human weaknesses to get through and steal from people or commit other crimes against its targets. Basic knowledge of the attack methods and of the techniques to identify them is the best way to avoid becoming a victim. ALSO READ: Cybersecurity Threat Of Social Engineering

Top Cybersecurity Threats of 2024


A cybersecurity threat is any criminal activity that can be carried out through computer devices and the internet. There are many types today, and they come from many sources, known as threat actors: state actors, terrorist groups, organized criminal groups, hackers, and malicious insiders such as employees, suppliers, vendors and competitors. The contemporary world is increasingly shaped and controlled by automation powered by artificial intelligence, the internet of things, cloud infrastructure and the like; dependence on digital systems is no longer optional, and it comes with inevitable security risks. Cyberspace has become the current battlefield, where criminals keep innovating new methods of attack on vital resources. Knowledge of these attacks and the routes they take is key to planning and implementing preventive and responsive security measures. In no particular order, here are some top cybersecurity threats of 2024.

Social engineering: a cybercriminal deceives internet users into providing sensitive personal information, which is then used to commit crimes against the person or the organization they represent. Social engineering plays on human intelligence and emotion, using tricks and games to extract confidential information from unsuspecting people.
Third-party exposure: the cyber risk an organization carries through its relationships with vendors and suppliers in its information technology supply chain.
Configuration mistakes (misconfiguration): errors in system configuration settings, such as failure to patch or a wrong patch, firewalls left unconfigured, an unsegmented network, multi-factor authentication not enforced, and an untrained workforce operating the systems. These mistakes can occur at any stage of development, deployment and operation of an IT infrastructure.
Artificial intelligence threat: cybercriminals use AI techniques to find and exploit system vulnerabilities and to scale their attacks.
Mobile device threat: a threat that arrives through a mobile device. Most known cybersecurity threats can occur via mobile devices; this powerful tool is also a powerful attack surface.
Insider threat: any security risk that comes from people within an organization, that is, anyone whose role gives them access to sensitive information and other corporate resources that could be turned against the business. Insider threats are either intentional (premeditated or impulsive) or accidental (born of ignorance or mistake).
State-sponsored threat: rogue nation states sponsor or directly carry out cyberattacks against other states, prominent organizations or individuals.
DNS tunneling: attackers bypass network security controls by using the Domain Name System as a carrier for malicious traffic, encoding data in queries and responses for a domain they control. Because DNS is almost always allowed out of a network, tunneling is a powerful tool for attackers and a serious threat for resource owners and managers.
Ransomware: malware takes control of a resource (data, files or a whole system), encrypts it to render it inaccessible, and then makes a demand as the condition for its release.
Trojan horse: malware that disguises itself as a genuine or legitimate program to gain access to a system. Attackers often use social engineering as the delivery channel.
Drive-by attack: also known as a drive-by download, it uses exploit kits hosted on compromised web pages to download malware onto a system automatically, without the user's consent.
Poor cyber hygiene: cyber hygiene means maintaining healthy practices for the security of systems, devices, networks and data, with the main goal of protecting sensitive data against attack. Where it is lacking, the symptoms include poor network security, no configuration management, and no cybersecurity training for employees.
Cloud vulnerability: weaknesses in cloud infrastructure that attackers can exploit to gain unauthorized access to data.
Poor data management: loose practices that undermine the security of data resources.
Cyberbullying: digital communication channels are used to send intimidating, abusive and damaging messages to a target.
Cyberstalking: digital communication channels are used to track and harass a target, usually a person.
DDoS attack: a distributed denial of service disrupts and denies normal traffic to a web resource by overwhelming it with requests until it can no longer serve.
Brute force: a trial-and-error method of guessing login credentials, passwords and encryption keys to gain unauthorized access to a network or account. Weak and reused passwords keep it a simple and reliable tool for cybercriminals.
Man-in-the-middle: also known as MITM or an on-path attack; a cybercriminal secretly intercepts, and may alter, a conversation between two parties without their knowledge or consent.
Poor post-incident management: an incident that is not properly managed after the fact, so that nothing prevents its recurrence.

Cybersecurity threats are a serious challenge to businesses. Managing them requires a good understanding of the different ways they may occur. The list above is not exhaustive, so there should be ongoing effort to uncover and understand more. ALSO READ: Cybersecurity Threat Of Social Engineering
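The DNS tunneling entry in the list above describes data hidden in queries to an attacker-controlled domain. The Python below is an added example for this article, not code from the original page; it shows what that traffic looks like in a resolver log and one way to spot it: for each client and base domain it counts queries, the share of distinct subdomains, the average subdomain length and the character entropy of the subdomain labels, then flags combinations that look like encoded payload rather than names a person would type. The log format, the hosts 10.0.0.5 and 10.0.0.7, the domains example.com and tunnel-test.net, and the thresholds are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Query types that carry large payloads and are unusual for an ordinary workstation.
PAYLOAD_QTYPES = {"TXT", "NULL"}


def build_sample_log():
    """Constructed resolver log lines ("time client qtype qname"), not captured traffic.

    One host browses a handful of normal names; another sends a stream of
    hex-encoded chunks to a domain the attacker controls, as a tunnel would.
    """
    lines = []
    benign = ["www", "mail", "cdn", "api"]
    for i in range(25):
        lines.append(f"10:00:{i % 60:02d} 10.0.0.5 A {benign[i % 4]}.example.com")
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        lines.append(f"10:01:{i % 60:02d} 10.0.0.7 TXT {chunk[:32]}.{chunk[32:48]}.tunnel-test.net")
    return lines


def shannon_entropy(s):
    """Bits per character: hex or base32 payload sits near 4, ordinary words well below 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    _time, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def base_domain(qname):
    """Naive registrable domain (last two labels); use the public suffix list in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def profile(lines):
    """Aggregate per (client, base domain): query count, distinct subdomains, length, entropy."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_len": 0,
                                 "entropy": 0.0, "payload_qtypes": 0})
    for line in lines:
        client, qtype, qname = parse_line(line)
        base = base_domain(qname)
        sub = qname[: -len(base) - 1] if qname != base else ""
        s = stats[(client, base)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["sub_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
        if qtype in PAYLOAD_QTYPES:
            s["payload_qtypes"] += 1
    return stats


def flag_tunnels(lines, min_queries=20, min_unique_ratio=0.8, min_avg_len=30, min_avg_entropy=3.2):
    """Return suspected tunnels: many distinct, long, high-entropy subdomains under one base domain."""
    flagged = []
    for (client, base), s in profile(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / q
        avg_len = s["sub_len"] / q
        avg_entropy = s["entropy"] / q
        if unique_ratio >= min_unique_ratio and avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            flagged.append({"client": client, "domain": base, "queries": q,
                            "unique_ratio": round(unique_ratio, 2), "avg_len": round(avg_len, 1),
                            "avg_entropy": round(avg_entropy, 2),
                            "payload_qtype_ratio": round(s["payload_qtypes"] / q, 2)})
    return flagged


if __name__ == "__main__":
    for hit in flag_tunnels(build_sample_log()):
        print(hit)
```

The browsing host repeats the same four names and never trips the unique-subdomain ratio, while the tunneling host produces a fresh 49-character hex subdomain on every query. Before using logic like this on real logs, baseline the thresholds against your own traffic and allowlist known offenders: content delivery networks, anti-malware reputation lookups and DKIM record fetches all generate long or random-looking names legitimately, and the two-label base-domain shortcut misgroups names under suffixes such as co.uk.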

16 Trending Physical Security Threats Every Corporate Organization should Prepare to Deal with


Physical security is responsible for the overall protection of assets, people and information in the business place. A threat is any person, group or activity with the potential to breach security within a defined space. While the underlying principles of physical security apply universally, what is defined or accepted as a threat is relative to time and place. Threat is synonymous with loss, so whatever is seen as a security threat must draw thoughtful concern from the organization that might suffer its impact. Pilfering, for instance, may seem inconsequential in most business settings; if it is not confronted and addressed, it can run a business down. The starting point for any corporate organization is a functional security team with the capability to harness available resources to prevent or frustrate potential threats. Physical security threats evolve alongside modern society, shaped by workplace culture, technology, knowledge, socioeconomic factors, globalization and the available market. To stay abreast of, or ahead of, this trend, an organization must build agility, resilience and dominance. What shapes the physical security threats a business may face includes its type and size, industry, location, leadership, regulation, and the policing and criminal justice system around it. Here is a highlight of the physical security threats every corporate organization should prepare to deal with.

Access breach – people and/or materials enter or leave business premises without authorized approval. An organization with porous access management will struggle to survive, just as any state with porous land, water or air borders will be overrun by criminality.
General theft – this old stealth craft may take the form of stealing, swindling, pilfering, shoplifting, diversion, shrinkage, padding, undersupply, cargo theft, siphoning, fraud, and so on. Regardless of form, it is a business killer.
Vandalism – a property crime involving the willful destruction of company property.
Stowaway – applicable to the aviation and maritime sectors; people illegally board an aircraft or ship intending to enter another country without following official protocol.
Burglary – gaining illegal access to a locked building, room or office with intent to commit a crime. Often it involves forcible breaking and entry; sometimes it happens with ease of access.
Arson – intentionally setting fire to property to cause loss to its owner or users. It may be driven by pyromania, vengeance or criminal intent.
Robbery – this old coercive craft uses violence, with the aid of a weapon, to take what belongs to others.
Civil unrest – riot, protest, demonstration, strike, picketing, lockout or lockdown. However it happens, it can disrupt business.
Kidnapping – abduction or hostage-taking of people for gain.
Identity theft – intentionally taking on another person's identity and conducting relationships in that person's name and profile. It is very common in cyberspace but exists in the physical world too; a non-staff thief can use a staff member's credentials to prowl, enter or exit company premises.
Natural disaster – an act of nature (force majeure) such as flood, drought, storm, hurricane, tornado or earthquake.
Convergence of threat – also known as cyber-physical threat, a peculiar kind of threat that increasingly bridges the physical and cyber security worlds. When a cyberattack impacts the physical services of an organization, convergence is playing out; ransomware or a distributed denial of service, for instance, can cause panic and frustration for an organization's customers, creating mutual insecurity.
Product adulteration – applicable to the manufacturing industry; the faking of a branded product that enjoys widespread industry acceptance and sometimes dominance.
Workplace violence – any act of violence against someone on business premises, including robbery, assault, harassment, fighting and other uncontrolled aggression.
Fraud/embezzlement – fraud is the dishonest taking of money or property by deception or trickery, while embezzlement is the theft of company money by a person in a position of trust and authority.
Sexual harassment and/or rape – intimidating someone for sexual gratification, or forcing sexual intercourse on a person. Women are most often the victims, but men can be victims too.

Physical security threats are realities of modern business. The threats listed above are not new, but criminals keep innovating new ways of committing them, so solutions that worked a decade ago may not be effective today. Proper prior planning prevents poor performance in responding to these threats. ALSO READ: Insider Threat Management And Guide

Cybersecurity Threat Of Social Engineering


A cybersecurity threat is any criminal activity that can be carried out through computer devices and the internet. There are many types today, including social engineering, malware delivered by viruses and worms, man-in-the-middle attacks, denial of service attacks, injection attacks and supply chain attacks. This article focuses on, and briefly introduces, the cybersecurity threat of social engineering. Cyber threats come from different sources, known as threat actors: state actors, terrorist groups, organized criminal groups, hackers, and malicious insiders such as employees, suppliers, vendors and competitors.

Social engineering happens when a criminal deceives internet users into providing sensitive personal information, which is then used to commit crimes against the person or the organization they represent. It uses tricks and games to get information from unsuspecting people and uses that information to commit cybercrime. It is a malicious activity, and it is gaining popularity; the trend is all the more disturbing given the growing number of innocent computer users who know next to nothing about it. Social engineering exploits human curiosity, feeling, ignorance, greed, naivety and mistakes. Common types include baiting, phishing, vishing, pretexting and smishing:

Baiting: the attacker lures the user with free gifts or other largesse.
Phishing: the attacker sends a fraudulent email pretending to come from a trusted source.
Vishing: the attacker uses a voice call and pretends to come from a trusted source.
Pretexting: the attacker pretends to represent a trusted authority in order to elicit information from the user.
Smishing: the attacker uses a fraudulent text message to trick the user.

Every act of criminality takes advantage of weak controls or, in some cases, ignorance; this is technically known as opportunity. With this in mind, criminals prowl cyberspace, spying, hunting, exploiting and experimenting with the weak links and the ignorance of users, and they are often successful. To avoid becoming a victim of social engineering, practise the following guidelines:

Enable two-factor authentication on all online accounts, including social media.
Avoid opening links shared by strangers, and reconfirm links shared by a known sender through another channel before opening them.
Avoid public Wi-Fi; if you must use it, do not enter personal information while connected.
Avoid sharing personal information publicly on social media; it exposes you to criminals.
Consider using software that protects against social engineering threats.
Do not share personal information or a "sent code/PIN" with anyone who calls claiming to be an agent of your bank or financial service provider. Visit your bank or provider for transactions and confirmations.
Do not disclose or click a link, code or PIN shared by a stranger claiming to be an "Admin" of a WhatsApp group you belong to. Call the admins to verify before accepting anything.
Maintain situational awareness (alertness) at all times.

The cybersecurity threat of social engineering is real. It is very common in cyberspace, where more and more of contemporary life takes place. Many internet users are not aware of this threat; hence this enlightenment. ALSO READ: CYBERCRIME OF IDENTITY THEFT

Business And Career Opportunities In Private Security Industry


The private security industry is growing rapidly worldwide; it was estimated to be worth about 235.37 billion USD in 2023. Contemporary society faces a myriad of security threats, and virtually every aspect of life has one security challenge or another: physical, socio-political, health, economic, cyber and food security, among others. Security challenges have kept pace with societal development. The 9/11 terrorist attacks of 2001 on the World Trade Center in New York changed the perception of security and pushed it to the front burner of budget proposals. Organizations, public or private, have an obligation to protect their assets, including people and information. Those with the knowledge, competence and skills to help fulfil these needs are creating value, wealth and confidence, and earning from it. Business and career opportunities abound in the private security industry; the field is large and still expanding. For a basic understanding, the private security industry covers all security-related functions, services and products outside public law enforcement and the military. It is driven by private individuals but regulated by the state. Below are some business and career opportunities available in the industry.

Contractor to the military, police and others: provision of services, kits and accessories to government security agencies.
Security consultancy: propose and execute advanced security solutions for needs peculiar to each client.
Training consultancy: develop and sell security-related knowledge.
Guard force service: provide manned guarding to clients.
Road or rail escort: escort people and cargo by road or rail.
Airport protocol: meet, greet and ease services at airports.
Cash-in-transit escort: fortified escort for cash movements to financial institutions.
Executive protection: intelligence and physical protection for VIPs and their interests.
Bouncer/bodyguard: close protection for individuals and events.
Security kits and accessories: supply uniforms, kits and accessories to security companies and others.
Canine (K9) service provision: provide security dog services to clients.
Canine training (instructor): breed, train and supply dogs to K9 service companies.
Private investigation: fact-finding services such as due diligence, routine investigation, background screening and vetting, and undercover operations.
Technical security (IT-based): production, installation and management of surveillance systems, software development and franchising, vehicle tracking, drone patrol, and system and information security.
CCTV control room operation: management, administration and operation of a CCTV control room.
Security project management: executing security projects such as physical security installations, calibration and testing, training, security risk assessment, security content design and development, and audit.
Marketing and branding: identify and develop markets for security solutions.
Talk show host: security-related shows for public enlightenment and education via radio, TV, YouTube or podcast, and compering security events.
Security operations and management (practitioners): direct security functions for organizations or individuals, e.g. guards, officers, supervisors, coordinators, analysts, managers, directors and vice presidents.
Security blogging: providing security information to the public through blogging and other journalistic writing, such as the article you are reading now.
Pipeline protection for the oil and gas industry: physical security for pipelines, jetties and platforms.
Ship/vessel escort: maritime security escort for vessels, boats, fishing trawlers and others.
Community vigilante service (CVS): security protection through a legally recognized vigilante team in a community.
Leasing of security patrol vehicles: patrol vehicles, motorcycles, bicycles, horses and the like on lease or hire.
Sale of high-grade security equipment: safes, vaults, security doors and the like.
Exhibitions and trade shows: organize security exhibitions and trade shows.
Peace and security NGO: run a humanitarian non-governmental organization focused on peace and security, e.g. the International Peace Bureau.
Chaplaincy service (guidance and counselling): faith-based support for security practitioners.
Self-defence academy: training in non-lethal self-defence, e.g. taekwondo, karate and other martial arts.
Security awareness coach: training in basic domestic security for organizations, individuals, families, homes and groups.
Security textbooks, podcasts and DVDs: research and produce security knowledge in soft or hard copy, e.g. "Access Control" by Azubuike Nwenewo.
Defensive driving school: training for security protocol drivers in driving against adverse conditions and the mistakes of other road users.

ALSO READ: You Need A Bodyguard

Cybercrime of identity theft


Cybercrime is any criminal activity carried out through computer devices and the internet. The growing trend of identity theft is a source of concern to many people, especially business owners, who stand to lose a great deal whenever they are attacked by cybercriminals. There are many types of cybercrime, but this article focuses on one, identity theft, and offers some guidelines on how to avoid becoming a victim.

Identity theft means fraudulently using someone's personal information to obtain benefits of various kinds at the expense of the owner of that information. Examples include using another person's details to obtain loans and credit, or using them to access the person's online or mobile banking application and transfer the person's money to an account owned or controlled by the criminal. The phenomenon is increasingly common, especially in cyberspace, where many innocent and unsuspecting people expose themselves. It is also common because many people in towns and cities hold bank accounts and transact more online than in person, and because people spend ever more time on computers, especially mobile phones. While using these devices, they sometimes give out personal information such as date of birth, national identity number, bank verification number (BVN), passwords and codes. Criminals in cyberspace are always hunting for this sort of information; once they have it, the owner's identity is stolen and theft and other crimes are committed in the owner's name. Every act of fraud thrives on weak controls, which is what is meant by opportunity. With this in mind, criminals prowl cyberspace, spying, hunting, exploiting and experimenting with the weak links, and they are often successful. To avoid becoming a victim of identity theft, follow these guidelines:

Use two-factor authentication on all online accounts, including social media.
Avoid opening links shared by strangers, and reconfirm links shared by a known sender through another channel before opening them.
Avoid public Wi-Fi; if you must use it, do not enter personal information while connected.
Avoid sharing personal information publicly on social media.
Consider using software that provides protection against identity theft.
Do not rush to contribute to "social media solicitations" from your circle seeking help for an emergency or other issue; make a voice call to the solicitor for confirmation.
Do not share personal information or a "sent code/PIN" with anyone who calls claiming to be an agent of your bank or financial service provider.
Do not disclose or click a link, code or PIN shared by a stranger claiming to be an "Admin" of a WhatsApp group you belong to. Call the admins to reconfirm.
Do not rush to send money to anyone who calls claiming there is a "serious health emergency" involving your friend or family member. Ask for the name and address of the hospital handling it; if given, send someone nearby whom you know to confirm in person, otherwise ignore the request.
Maintain situational awareness (alertness) at all times.

Identity theft is real, and it is very common in cyberspace, where more and more of contemporary life takes place. ALSO READ: Ethical Issues Of Artificial Intelligence In Healthcare