Domain 2 · 2.2 Threat Vectors & Attack Surfaces

2.2.6 Human Vectors / Social Engineering

Phishing, vishing, smishing, pretexting.

16 min

Human vectors and social engineering represent the exploitation of human psychology and behaviors to gain unauthorized access to data, physical spaces, or secure networks.

Common Social Engineering Channels - Phishing: The most common digital attack vector, using fraudulent emails to trick users into clicking malicious links or disclosing credentials. - Smishing: A variation of phishing conducted via SMS/text messaging. Cybercriminals often send urgent account alerts or package delivery notifications to solicit sensitive data. - Vishing: Voice-based phishing where attackers use IP telephony (VoIP) or phone calls to manipulate victims. Attackers may use "caller ID spoofing" to appear as a trusted entity like a bank or IT department. - Pretexting: The act of inventing a fabricated scenario or "pretext" to engage a victim in a way that increases the chance they will divulge information or perform an action (e.g., pretending to be a surveyor or a corporate auditor).

Physical and Information-Based Vectors - Tailgating: Following an authorized person into a secure building without scanning a badge. Preventing this requires user training and physical barriers like turnstiles or mantrap systems. - Dumpster Diving: Searching through trash for sensitive documents, password memos, or hardware that hasn't been properly shredded or sanitized. - Shoulder Surfing: Observing a user’s screen or keypad entry from a distance to steal PINs, passwords, or confidential data. - Removable Media: Using USB thumb drives as a vector by leaving them in public "baiting" locations or using physical access to plug them into target systems.

Security Awareness and Training Technical controls often fail if the human element is weak. Effective training must be recurring and engaging to prevent "user burnout." - Gamification: Increasing engagement by using points, badges, and leaderboards to teach security concepts. - Capture the Flag (CTF): A hands-on training exercise where users attempt to solve security puzzles or exploit vulnerabilities in a controlled environment to understand the attacker's perspective. - Computer-Based Training (CBT): Utilizing diverse media like videos and interactive modules to keep material fresh and memorable. - Social Media Policy: Training employees on OSINT (Open-Source Intelligence) risks, ensuring they do not post proprietary data or personal details that attackers could use for pretexting.

Quick recall - Phishing = Email; Smishing = SMS; Vishing = Voice. - Pretexting = The "story" or lie used to set up the scam. - Tailgating = Physical entry vulnerability. - Gamification = Uses competition and rewards to fight training fatigue. - USB/Removable Media = Primary physical vector for malware delivery.