
September 13, 2025 23 mins

professorjrod@gmail.com

Cybersecurity isn't just about firewalls and antivirus software—it's about understanding the complex interplay between technical systems and human psychology. In this continuation of our Security+ series, we explore the multifaceted world of attack surfaces, threat vectors, and social engineering techniques that cybercriminals employ.

We start by breaking down what constitutes an attack surface—those vulnerable points where unauthorized users might attempt to breach your systems. From physical hardware and network components to applications and human elements, each represents a potential entry point for attackers. We then explore the pathways attackers use to exploit these vulnerabilities, from vulnerable software and network vectors to more devious approaches like lure-based and message-based vectors.

The episode takes a deep dive into social engineering—the art of manipulating human behavior rather than exploiting technical flaws. Through real-world examples, including my own experience with an attempted password reset scam, we demonstrate how attackers use techniques like impersonation, pretexting, phishing, and business email compromise to bypass even the most sophisticated security systems. One of my students shared how his sister's company lost $10,000 when an attacker impersonated the vacationing CEO and requested a wire transfer—a stark reminder that human vulnerabilities often pose the greatest security risk.

Whether you're studying for Security+ certification or simply want to better protect yourself and your organization, this episode provides essential insights into the psychological aspects of cybersecurity. Understanding these concepts is crucial not just for IT professionals, but for everyone who uses digital technology. Have you ever encountered a social engineering attempt? How did you recognize and respond to it?


If you want to help me with my research please e-mail me.
Professorjrod@gmail.com

If you want to join my question/answer zoom class e-mail me at
Professorjrod@gmail.com

Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:25):
Music To Technology Tap. I'm Professor J-Rod and this episode is Chapter 2, part 2 of our continuing series on Security+. Let's get into it. All right.

(01:07):
So we're at Chapter 2, part 2 of our series on Security+. So when we left off, we are at: what is an attack surface? The attack surface is the total set of points where an unauthorized user or an attacker could attempt to enter or extract data from a system or network. Types of attack surface. Physical: hardware ports, USB,

(01:31):
workstations. Two, network: open ports, unsecured Wi-Fi routers. Three, applications: API, web apps, code vulnerabilities. Four, human: social engineering, phishing, manipulation of staff. Five, supply chain: third-party software, hardware vulnerabilities. What are threat vectors?

(01:52):
Threat vectors are the methods or pathways an attacker uses to exploit a vulnerability in the attack surface. Common attack vectors by category. Vulnerable software: unpatched systems, zero-day vulnerabilities, unsupported legacy software, poor code quality or insecure design, agentless versus client-based configurations.

(02:13):
Two, network vectors: unsecured network, lack of encryption, segmentation, open service ports, remote access, default credentials, wireless, cloud or Bluetooth exploits. Number three, lure-based vectors: baiting targets with malicious content, removable media, trojan horse programs, infected documents, exploitable image files or PDF.

(02:36):
Four, message-based vectors: phishing, vishing, smishing, instant message, social media messages with malicious links and chatbot exploitations. And last is supply chain vectors: compromised third-party vendors, tampered software updates or hardware, infected open source packages, mismanaged service providers. Mitigation strategies.

(02:58):
Implement defense in depth, perform regular vulnerability assessments, apply patches and updates promptly. Use network segmentation and firewalls. Educate users on social media tactics. Vet third-party vendors and supply chains. Vulnerable software vectors are one of the most common and dangerous threat vectors used by attackers.

(03:20):
These vulnerabilities exist in the design, code or configurations of software and are often exploited when systems are not properly secured or updated. What are software vulnerabilities? Well, it's a weakness or flaw in a program that can be exploited to cause unintended behavior, including data breach, privilege escalations or system compromise. Common types of vulnerable software vectors. Coding flaws,

(03:44):
including buffer overflows, integer overflows, improper input validations and hard-coded credentials. Design weakness: weak authentication methods, lack of encryption for sensitive data, poor session management and insecure default settings. Unpatched or outdated software: known vulnerabilities in software not yet updated, exploited using

(04:07):
public exploit kits, a common attack vector in ransomware, botnets. For unsupported or end-of-life software: no longer receive security updates from the vendors. Example, Windows XP. Still don't use industrial systems, even though there's no updating for it. Client-based versus agentless systems: client-based are more tightly integrated but may create local vulnerabilities.

(04:30):
Agentless rely on remote access protocols and can be misconfigured. Mitigation best practice: regularly patch and update, secure coding practice, vulnerability management programs, penetration testing, and software inventory and control. Next we go to network vectors. Network vectors are attack pathways that exploit

(04:53):
vulnerabilities within a network or infrastructure. These types can originate locally or remotely and often target misconfigurations, weak encryption or unsecure protocols. Key concept: a network vector is a method through which attackers gain access to systems or data by exploiting network-level vulnerabilities. Common network attack vectors: remote versus local.

(05:15):
Remote: exploit a system over a network, either internet-facing service. And local: require access to the internal network or physical machine. Unsecure network: lack of confidentiality, integrity, availability, for example open Wi-Fi, poorly segmented internal networks. Mitigation best practice: disable unused ports and

(05:38):
protocols. Use firewalls and segmentation, enable strong authentication or multi-factor authentication, encrypt communications, monitor network traffic and conduct regular scans. Then there's lure-based vectors, or attack vectors that rely on social engineering or temptation to trick a user into initiating

(05:59):
an exploit. These vectors often involve malicious files, devices or web content that appear trustworthy. A lure-based vector is an attack strategy with a threat actor using enticing content or objects to provoke user interaction that leads to system compromise. Common types of lures. Removable devices: USB drop attacks,

(06:22):
placing infected media in a visible public space. Executable files: a game or an app or installer that secretly contains malware. Document files: Word, Excel, PDF files with malicious macros or embedded scripts. Trojan horse: malware programs that appear useful but contain malicious code. Macro-based lures: Office

(06:44):
documents prompting users to enable content. Image files: images that exploit vulnerabilities in a viewer application. And scripting files like Java, PowerShell or VBScript executing malicious code. An example that they use is the USB drive. A threat actor leaves a USB drive in an employee's break

(07:08):
room labeled "Payroll Records Quarter Two". Curious employees insert them into the workstation, executing an embedded malware payload that installs a remote access tool. Mitigation: educate staff, block USB ports and use device control management. Next, we have message-based vectors, which are attacks that

(07:29):
exploit communication platforms to deliver malicious content or links, relying heavily on social engineering and user interaction. A message-based vector uses messages sent via digital communication channels, email, SMS, instant messages, to deceive a user into opening malicious attachments, clicking a harmful link or revealing sensitive information.

(07:51):
Common message-based channels: emails, SMS, instant message, social media and voice calls. Characteristics. Impersonation: messages may mimic trusted sources. Urgency: immediate action is required; it's a classic trigger. Obfuscation: use of shortened

(08:11):
URLs, typosquatting domains or spoofed email addresses. A multi-stage attack: a message leads to a fake site that installs malware and collects credentials. Examples. Phishing email: a user receives a message appearing to be from Microsoft 365 saying their password is expiring. The link leads to a fake login page. Smishing text: your package

(08:34):
is delayed, click here to reschedule. The link installs spyware on the phone. Slack message: an attacker posing as a colleague sends a fake PDF file containing ransomware. And vishing call: an IT help desk call asking for multi-factor authentication reset codes or remote access.

(08:54):
Defense measures: email filtering, URL filtering, user training, MFA implementation, that's multi-factor, mobile security solutions, and monitoring and reporting tools. Next, we have the supply chain attack surface, which encompasses all the systems, vendors and processes involved in designing,

(09:16):
developing, manufacturing and delivering products or services, and represents a growing area of cyber risk. A supply chain attack occurs when an attacker compromises a third-party service provider, vendor or partner to gain unauthorized access to a target organization. Instead of attacking the primary organization directly,

(09:36):
the attacker infiltrates a trusted link in the chain. Common attack vectors. Software updates: inserting malware into legitimate updates. Compromised builds: injecting malicious code during application build or release cycles. Counterfeit hardware: distributing tainted network devices, USB drives or Internet of Things components.

(09:58):
Credential theft: attacks on vendors' credentials used for remote access or maintenance. API exploits: exploiting insecure APIs between partners or services. And data exfiltration: an attacker uses third-party access to quickly siphon off sensitive data. A real-world example of this is the SolarWinds attack in 2020.

(10:20):
Threat actors compromised SolarWinds' Orion software update processes, inserting a backdoor that was downloaded by 18,000 organizations, including the US government. Even well-established vendors can become unintentional conduits for attack. Next is social engineering. Social engineering is the art of manipulating, influencing or

(10:43):
deceiving individuals to gain unauthorized access to information systems or a physical location, hacking the human instead of the technology. Core objectives of social engineering: reconnaissance, unauthorized access, malware execution and physical access. Common techniques: impersonation, pretexting,

(11:04):
phishing, vishing, smishing, pharming, watering hole attacks and tailgating. Psychological principles exploited: authority, urgency, trust, scarcity and fear. Social engineering prevention tactics. Security awareness training: teach users to recognize manipulation tactics.

(11:24):
Phishing simulation: test employees' response to fake attack attempts. Verification procedures: always confirm requests through trusted channels. Email and caller filtering: flag suspicious domains, block spoofed phone numbers. Report mechanisms: an easy process to report suspected social engineering

(11:45):
attempts. Example: an attacker calls the front desk claiming to be from the IT department and urgently requesting remote access to a VP's machine due to a critical vulnerability. The receptionist, wanting to help and unaware of verification protocols, gives access, leading to a network breach. That happened to me. They called me once asking to change somebody's password.

(12:07):
The guy called me and said, "Hey, I'm Frank in the Chicago office, can you change my password?" And the procedure is for me to call him back. I said, "All right, I'll call you back at the office," and he said he wasn't at the office, that he was home. So I said, "I'll call you at home," and I hung up on him, looked at the company directory, found his name, his number at home,

(12:28):
called him at home. He didn't pick up. I didn't change the password. Turns out that they were auditing us and I actually did a good job. Human vectors. Human vectors are cybersecurity vulnerabilities that exploit human behavior rather than technical flaws. Attackers manipulate individuals to gain access to a system, data or physical location, often the weakest link

(12:51):
in security. Human vectors refer to an exploitation path that relies on people, not software or hardware, and they are often involved in social engineering attacks and insider threats. The human vector techniques include phishing, vishing, smishing, pretexting, impersonation, tailgating, shoulder surfing and dumpster diving.

(13:13):
Why human vectors work: the attacker takes advantage of lack of awareness or training, trust in authority or colleagues, desire to be helpful, stress or urgency, and routine behavior and predictability. You have three examples. Help desk scam: a caller pretends to be an executive locked out of their account. The help desk resets the password without verifying

(13:36):
identity. That's what happened to me. Office intrusion: an attacker tailgates an employee through a locked door by carrying coffee and pretending to have lost their badge, and somebody says, "Oh yeah," and opens the door. Phishing success: a user clicks on an email disguised as the company survey and unknowingly installs malware. How to mitigate human vector risk: security awareness

(13:59):
training, strict access controls, verification protocols, regular phishing tests and clear reporting channels, which means encouraging employees to report suspicious behavior promptly. Impersonation and pretexting. So impersonation and pretexting are social engineering techniques that manipulate trust and authority

(14:22):
to deceive individuals into revealing sensitive information or granting access. Impersonation is the act of pretending to be someone else, typically a trusted individual, to gain unauthorized access. The common tactics. Authority: pretending to be an executive. Familiarity: claiming to be a coworker or vendor you work with. Persuasion:

(14:43):
"Everybody else already approved this, I just need your okay." Urgency: "This must be done in five minutes or the network can go down." The methods that they deliver this is in person, email or phone calls, or social media profile. Pretexting involves crafting a detailed, believable, false

(15:03):
narrative to trick the target into revealing confidential information or performing actions. Characteristics are: exploits trust and known roles, HR, IT; often supplemented by planted data or fake credentials; and may involve long-term setup, fake interviews, surveys, etc. Examples: a fake IT audit, a survey for employee engagement,

(15:27):
pretending to be a new hire, and journalists asking for comment. Defense against impersonation and pretexting: verification protocols, least privilege principle, security awareness training, access control, logs and cameras, and multi-factor authentication. Phishing and pharming. Phishing and pharming are two of the most common social

(15:48):
engineering attacks used in cybersecurity. Both aim to deceive users into giving up sensitive information, but they differ in how the deception is carried out. Phishing is a deceptive communication tactic that tricks a user into taking an action, such as clicking a link or entering credentials on a fake website. Key characteristics: delivered via email, SMS, phone

(16:11):
or social media, spoofs a legitimate source and may include a malicious link. Types of phishing. Spear phishing: targeted phishing aimed at a specific individual or organization. Whaling: targeting senior executives or high-level individuals. Smishing: phishing via text message. Vishing: phishing via phone. And angler phishing: using fake social media support

(16:36):
accounts to scam victims. Pharming is a technical attack that redirects users from a legitimate site to a malicious one without their knowledge. How it works: DNS poisoning alters DNS records to send users to a fake site. Host file modifications on a local computer redirect traffic. The user enters credentials, thinking the site is real.

(16:57):
Mitigation strategies: create awareness, training, email filtering and anti-phishing tools, DNS security, antivirus endpoint protection, use of HTTPS and SSL, and browser alerts. For example, you get a phishing email saying "click here to verify your direct deposit" and it links to the payroll of your

(17:21):
company, or you think it does. The DNS entry for bank.com, let's say it's poisoned, and you go to a fake page that looks identical to the real site and you put in your credentials. Best practice: double-check URLs before clicking. Use multi-factor. Never trust urgent requests for credentials or payments. Use reputable DNS servers and monitor DNS logs.

(17:46):
Typosquatting exploits human error. The attacker registers a domain that's one or two characters off from a well-known site. Instead of google.com, they might have like extra O's in Google, right, instead of google.com, and builds malicious or deceptive websites on it.

(18:06):
So you go to like Google with extra O's and then you go to a site that looks like Google but it's not really Google. Then you type in your username and password and they got it. The goal is, typosquatting domains are often used to steal credentials via phishing logins, deliver malware payloads, display ads or redirect to affiliate pages, damage brand reputations and trick users into

(18:28):
giving personal or payment info. Defense strategies to use is DNS filtering and web filtering, security and awareness training, register lookalike domains, Google does that. Browser security extensions, enable HTTPS and check certificates. So quick examples: instead of apple.com, there may be a site

(18:52):
called applle.com, right, and instead of LinkedIn, it's LinkedIn with two Ds, right. And instead of bankofamerica.com it's the Bank of America, but America is misspelled and it's a fake banking login.

(19:14):
You think you're in the Bank of America page. You put in your credentials. They already have it. Next, we'll move on to business email compromise. This is a targeted social engineering attack where threat actors use fraudulent emails to trick individuals and organizations, typically finance or executive teams, into transferring money or sensitive data.

(19:35):
What's the goal? To trick victims into performing unauthorized actions, wiring funds or revealing data. Techniques: attackers impersonating trusted parties such as a CEO, vendor or business partner via email, highly targeted, often involving research and pretexting. The victims are usually CEOs, right. They go for the higher-ups.

(19:56):
Invoice fraud, right: they impersonate a vendor sending an invoice with updated banking info. Compromise: attacker hijacks a real internal email account and sends fraudulent messages. Attorney impersonation: posing as legal counsel to pressure urgent confidential actions. And payroll redirection: requests to update direct deposit info to attacker-

(20:20):
controlled accounts. Actually I had this happen, not happen, but I wanted to change my direct deposit at one of my jobs and I sent them one email. They ignored it. I sent another one. Then they called me and they say, "Hey, is this you asking to change your direct deposit?" I'm like, "Yeah, that's me." And then the lady told me, "Yeah, we've been getting a lot of fraud, so I have to call you."

(20:41):
I'm like, "Yeah, that's fine." Techniques used: email spoofing, domain impersonation, urgency and authority cues, pretexting and pharming or fake portals. Mitigation strategies: multi-factor authentication, email filtering, security awareness training, verification protocols and segregation of duties.

(21:03):
You see a lot of these things overlap, especially the social media ones. Example: a finance officer receives an email that appears to be from the CEO requesting a wire transfer to a vendor. The email is urgent, written professionally and includes what looks like the vendor's new banking info. Without verifying it by phone or another channel, the officer

(21:24):
proceeds, processes the transfer and the money is gone. Actually, this had happened with a student of mine. He told me that where his sister worked, the CEO was on vacation and somebody impersonating him emailed his secretary and said, "Wire me $10,000." And she did, and then he never responded.

(21:46):
And when he came back she said, "Hey, did you get the $10,000?" He goes, "What $10,000?" It was already too late. They took the money. The bad guys took the money. So that's a lesson to be learned. All right, that's gonna do it for Security chapter two, part two in 701, Security+.

(22:07):
Hope you enjoy this topic. Next time we will go on to chapter three, but, like I said before, we're going to be doing, um, we might do like the history of the floppy. I want to get into that just to take a break, just for some people who don't really, maybe, I'm not studying Security+

(22:27):
and don't want to hang on to this 16-week chapter that I've committed myself to doing. So next time we're going to do, uh, the history of the eight-inch floppy. That's coming up next on Technology Tap. So you