
Social Engineering Attacks

There are many types of attacks, and social engineering attacks are among the most common. They include phishing, pretexting, baiting, quid pro quo, tailgating, and dumpster diving. Phishing itself comes in several forms: mass phishing, spear phishing, whaling, vishing, and smishing. An attacker who succeeds with one of these techniques can go on to carry out business email compromise (BEC), which is better thought of as a secondary, follow-on attack built on an earlier social engineering success.

Some of the best defenses against social engineering are layered across three domains: verification, technology, and policy. In the verification domain: trust but verify, be skeptical of any sense of urgency, and watch for red flags such as unexpected requests or mismatched sender details. In the technology domain, use controls like multifactor authentication (MFA), email filtering, and endpoint protection. In the policy domain, apply the principle of least privilege, run awareness training, and provide clear reporting channels so that suspected attacks are reported quickly.

Phishing

In mass phishing, the attacker sends the same lure to many victims to harvest sensitive information such as credentials. Spear phishing targets specific individuals, for example a middle manager, with a tailored message, while whaling targets the CEO or other C-suite officers. Vishing is phishing by voice, over phone calls or voicemail, and smishing is phishing by text message (SMS).

Social Engineering

Pretexting is a social engineering technique in which the attacker invents a believable scenario (the pretext) to gain the victim's trust, and the victim is then tricked into revealing sensitive information. Baiting offers something for free, such as a download or a "found" USB drive, and the victim pays for it by handing over information or running the attacker's payload. Quid pro quo ("something for something") is an attack where the attacker offers a service or benefit, such as fake IT support, in exchange for information.

Physical Attacks

Tailgating, or piggybacking, is where an unauthorized person enters a restricted area by following closely behind someone who has access. Another physical social engineering attack is dumpster diving, where an attacker recovers information from discarded documents and media in the trash. Controls that deter tailgating and piggybacking include mantraps, card-access doors, and security guards; shredding and secure disposal of documents and media counter dumpster diving.

Conclusion

The attacks that occur with social engineering are mainly carried out through phishing, often combined with another social engineering technique. Defenders need to learn this material so they can recognize attacks as they happen and respond to them quickly. Learning about social engineering attacks has been part of my preparation for the CCST Cybersecurity exam, which I am currently studying for.

There are further social engineering techniques that are mostly used as variants of phishing, but they are easy to understand once you know the basics, such as vishing being over voice and smishing over text messages. Studying for the CCST Cybersecurity exam has built up my cybersecurity knowledge by testing me on these social engineering attacks.