Network Security | Social Engineering & HTTPS

In today's interconnected operations, information system security is an essential component. Storing and transmitting sensitive data online exposes individuals and organizations to a rising threat of cyberattacks. Information systems require confidentiality, integrity and availability protections, because these prevent financial losses, reputational damage and privacy violations. The National Institute of Standards and Technology (NIST) defines information security as the set of processes that protect digital data against unauthorized access or modification (NIST, 2020).

Attacks that take advantage of human behavior, or that misuse standard tools, are as dangerous as those that exploit technical vulnerabilities. The "ping" command is a clear illustration of such misuse: it serves network diagnostic functions, but attackers use it to carry out Ping Flood and Denial-of-Service (DoS) attacks. Attackers cause system crashes and significant slowdowns by sending massive numbers of Internet Control Message Protocol (ICMP) echo requests to a system (Scarfone & Mell, 2007). Such attacks disrupt operations by making systems unavailable while simultaneously leaving them vulnerable to additional exploitation.
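The defensive counterpart of the Ping Flood described above is rate-based detection: count ICMP echo requests per source over a sliding time window and alert when a source exceeds a threshold. The following is an added example, not code from the original post; the packet log, the one-second window and the threshold of 100 requests are constructed for illustration, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Sliding-window detection of ICMP echo-request floods (added example)."""
from collections import defaultdict, deque

ICMP_ECHO_REQUEST = 8  # ICMP type used by "ping"
ICMP_ECHO_REPLY = 0


def build_sample_log():
    """Constructed packet log: (timestamp_seconds, source_ip, icmp_type).

    A benign host pings its gateway once a second; a second host sends 300
    echo requests inside half a second, which is the flood we want to catch.
    """
    events = []
    for i in range(5):
        events.append((float(i), "192.0.2.10", ICMP_ECHO_REQUEST))   # benign ping
        events.append((i + 0.01, "192.0.2.1", ICMP_ECHO_REPLY))      # gateway reply
    for i in range(300):
        events.append((2.0 + i * 0.5 / 300, "198.51.100.7", ICMP_ECHO_REQUEST))
    return events


def detect_icmp_flood(events, window_seconds=1.0, threshold=100):
    """Return {source_ip: timestamp} for each source whose echo-request count
    within any window of window_seconds reaches threshold.

    Only echo requests are counted (replies are the victim's own traffic), and
    each source is reported once, at the moment the threshold is first crossed.
    """
    recent = defaultdict(deque)  # per-source timestamps inside the current window
    alerts = {}
    for ts, src, icmp_type in sorted(events):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > window_seconds:
            window.popleft()  # drop requests that fell out of the window
        if len(window) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_icmp_flood(build_sample_log()).items():
        print(f"ICMP flood from {src} detected at t={when:.3f}s")
```

The threshold and window are tuning knobs: a monitoring host that legitimately pings hundreds of targets would need a higher threshold, while a per-destination count rather than a per-source count would catch a distributed flood aimed at one victim.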

HTTPS phishing and social engineering are among the most widespread contemporary threats in the digital world. Both attack methods are particularly dangerous because they target users directly and thereby evade traditional security controls.

Attackers use HTTPS phishing to build deceptive websites with legitimate SSL certificates that imitate trusted online destinations such as banking sites, government portals and email providers. Users tend to feel secure when they see HTTPS combined with the padlock icon, so they are more likely to interact with deceptive sites. According to Kumaraguru et al. (2010), users regularly fail to detect the small alterations in web addresses and the abnormal language used in website content. Attackers then use the compromised user accounts to obtain login credentials, financial data and personally identifiable information (PII), which results in identity theft and financial fraud. HTTPS phishing attacks succeed because attackers can easily reproduce the visual security indicators that users rely on to judge a site as safe. The dark web provides phishing kits and SSL certificates at low cost, which makes it easier for attackers to launch their campaigns (OpenText Cybersecurity, 2023). Protecting against these attacks requires organizations to implement sophisticated email and DNS filtering systems that detect phishing attempts before they reach users. Regular security awareness training should educate users to identify suspicious content even when it appears on a “secure” site.
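The small address alterations mentioned above (digit-for-letter swaps, Cyrillic lookalike characters, a trusted name placed in front of an attacker-controlled domain) are exactly what an email or DNS filter can check for. The following is an added example, not code from the original post or from any product it cites: it classifies a URL's host against a hypothetical allowlist of the organization's own domains, folding common homoglyphs and measuring edit distance, and it deliberately ignores whether the scheme is HTTPS, since a valid certificate says nothing about who owns the name. The allowlist, the homoglyph table, the distance threshold and the sample URLs are all constructed for illustration; the "last two labels" approximation of the registrable domain stands in for a real public-suffix list.

```python
"""Lookalike-domain check for phishing URL filtering (added example)."""
import unicodedata
from urllib.parse import urlsplit

# Hypothetical allowlist of the organization's own sites (constructed).
TRUSTED_DOMAINS = ("examplebank.com", "mail.example.org")

# Characters and pairs commonly substituted for Latin letters in lookalike hosts.
HOMOGLYPHS = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
}

MAX_DISTANCE = 2  # edit distance at or below which a host counts as an imitation


def canonical_host(url):
    """Return (host, folded): the lower-cased Unicode host and a copy with homoglyphs folded."""
    host = urlsplit(url).hostname or ""
    if "xn--" in host:  # punycode label: decode to the Unicode form the browser displays
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    host = unicodedata.normalize("NFKC", host).lower()
    if host.startswith("www."):
        host = host[4:]
    folded = host
    for glyph, plain in HOMOGLYPHS.items():
        folded = folded.replace(glyph, plain)
    return host, folded


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return 'trusted', 'lookalike' or 'unrelated' for the host in url.

    The scheme is intentionally not consulted: https:// and a padlock prove only
    that the attacker obtained a certificate for the name they registered.
    """
    host, folded = canonical_host(url)
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"  # exact match or a real subdomain, checked on the raw host
    domain = registrable_domain(folded)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or folded.startswith(trusted + "."):
            return "lookalike"  # matches only after folding, or trusted name used as a subdomain
        if min(edit_distance(folded, trusted), edit_distance(domain, trusted)) <= MAX_DISTANCE:
            return "lookalike"  # one or two characters away from a trusted name
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, several imitations, one unrelated site.
    for sample in ("https://examplebank.com/login",
                   "https://examp1ebank.com/login",
                   "https://examplebank.com.secure-login.example/verify",
                   "https://ex\u0430mplebank.com/",
                   "https://example.com/"):
        print(f"{classify_url(sample):10} {sample}")
```

In a filter, a "lookalike" verdict would quarantine the message or block the DNS resolution rather than rely on the user noticing the difference; the "unrelated" bucket is where ordinary reputation checks would continue.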

Social engineering attacks work by manipulating human trust instead of targeting technical systems. Attackers use pretexting to impersonate trusted individuals and obtain information, and baiting to trick victims into downloading harmful content (Mitnick & Simon, 2002). Attacks based on human psychology can compromise even a well-secured system, because attackers can trick users into revealing their credentials or inserting infected USB devices.

Trust, helpfulness and a sense of urgency when faced with authority are natural human behaviors that create vulnerabilities to social engineering attacks. An employee will often comply with a fake IT technician's demand to verify their credentials, or open a link from a spoofed email address. Signs of a social engineering attack include atypical user behavior, system configuration changes and unauthorized file transfers. Through these attacks, attackers can gain administrative control, install malware and steal sensitive data.

Organizations should establish verification protocols for all unexpected and confidential requests, using callback verification and multi-factor authentication (MFA). They should also run simulated phishing tests alongside user training sessions to build security-conscious behavior among their employees.


References

Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L. F., Hong, J., & Nunge, E. (2010). Protecting people from phishing: The design and evaluation of an embedded training email system. CHI '07: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, 905–914. https://doi.org/10.1145/1240624.1240760

Mitnick, K. D., & Simon, W. L. (2002). The Art of Deception: Controlling the Human Element of Security. Wiley.

National Institute of Standards and Technology (NIST). (2020). An Introduction to Information Security (SP 800-12 Rev. 1). https://doi.org/10.6028/NIST.SP.800-12r1
