Protected Voices: Social Engineering
The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including social engineering, to help mitigate the risk of cyber influence operations targeting U.S. elections.
Video Transcript
Hello, I’m Jay, a special agent with the FBI.
Welcome to social engineering—or, more bluntly, targeted lies designed to get you to let your guard down. Social engineering is the most common technique deployed by criminals, adversaries, competitors, and spies to exploit humans and computer networks. That's because it's all too simple—you don't need any technical skills to be successful.
Social engineering is the use of deception, through manipulation of human behavior, to target and manipulate you into divulging confidential or personal information and using it for fraudulent purposes. In the context of information security, social engineering might also mean psychologically manipulating people to take action to inadvertently give adversaries access to protected information or assets. Social engineering can also be used to embarrass and humiliate campaigns, voter groups, and others.
Phishing, phishing campaigns and spear-phishing are just a few examples of social engineering.
Phishing is the fraudulent practice of sending an email, which appears to come from a reputable source, to lure someone to reveal personal information or click on a link. Just like when you go fishing, you throw a hook into a body of water to bait a fish to bite on the hook. In this case that’s done by a malicious email.
Phishing campaigns generally target a group of individuals or companies by sending multiple fraudulent but enticing emails in the hope that at least one person falls for the bait. These emails are often designed to look official—as if coming from your campaign itself, a trusted vendor, donor, or other known sender.
Spear-phishing, on the other hand, is a very targeted and customized email to lure the targeted victim to take action. Typically the adversary has done some research on the victim to understand what would make this specific person fall for the scam. Criminal and foreign-government-sponsored cyber adversaries use spear-phishing emails to get access to protected networks. Sometimes simply dropping the name of someone the target knows is enough to lower their guard.
So let’s talk about how and why cyber adversaries prefer social engineering tactics.
It’s easy, low cost, and widely successful. It’s easy because there are off-the-shelf apps or social-engineering exploitation kits available online. These kits aggregate open-source information about you from various social media sites to help the attacker craft a highly convincing spear-phish email.
Cyber adversaries can also mirror a legitimate website by using off-the-shelf tools, so that they can direct you to a fake website that looks authentic to capture your login credentials.
And sometimes, the phishing needs no technology at all beyond a well-written email, with just enough social finesse to get you to reveal sensitive information.
If you download a malicious email attachment or click on a malicious link or log in to a fake mirrored website, you might be letting an attacker sneak past even the most robust cybersecurity defenses. Depending on the structure of your computer network, a successful phishing attack could compromise your entire network. So, how can you minimize your risk of becoming a victim?
Two simple techniques will help you guard against these attacks.
First, before you open an email attachment or click on a link, even from people you know, look at the email header to see exactly what the sender’s email address is. Adversaries often change one letter, symbol or number in an email address so that it closely resembles a legitimate email address. If you don’t see that tiny change, you may be replying to a cyber adversary instead of a trusted friend. The same thing is true for embedded links. Hover your mouse over the link, and make sure it doesn’t have any masquerading characters.
Second, be careful when handling emails that contain attachments. If you don’t know the sender, call the person before you open it. If you do know the sender but weren’t expecting an attachment, call the person before you open the attachment. When possible, avoid using the phone number listed in the email. Also, avoid opening emails on mission-critical systems, where sensitive data resides. An infection on such a system may result in significant loss of information.
These techniques sound pretty simple. But in the context of political campaigns, it can be challenging to abide by them, particularly because you’re constantly communicating with constituents, most of whom you don’t know personally. So, how can you balance your critical need to communicate with constituents against your need to safeguard your computer networks?
Training and creating awareness are among the most important steps your campaign can take. It’s extremely important for your campaign to educate staff and volunteers about social engineering as an attack vector. That puts your staff in a better position to detect these attempts and avoid becoming victims.
You can get as creative as you want to deliver these training sessions. We’ve seen some organizations send out controlled phishing emails to their employees to determine if extra training is required for those who have trouble identifying phishing emails. You may also want to provide reference sheets or training videos about social engineering.
Encourage campaign staff and volunteers to think about all the information they’re publicly sharing on social media and review and restrict privacy settings on social media accounts regularly. Information that seems innocuous—such as office locations, meeting date and times, names of people written on a whiteboard in the background of a selfie shared online—can give adversaries information they can use to target you.
Adversaries may also target your personal email accounts and might even try to connect with you on social media. As a general rule, don’t accept friend requests from people you don’t know.
At the end of the day, you, the human user, are the first line of defense against social engineering attacks. Your campaign should consider educating all staff and volunteers about how social engineering works and the harm it can cause. The more training, the better. Make it a regular part of your campaign week. Ask your colleagues to watch this video, or pass the information to them yourselves.
The social engineering tips won’t keep your campaign’s information systems safe from every kind of cyber threat, but they will help you significantly minimize your risk.
Remember, your voice matters, so protect it.
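The two checks the video recommends (compare the sender’s real address against the one you expect, and compare where a link says it goes with where it actually goes) can be automated for a campaign mailbox. The following is an added example, not code from the FBI video or the Protected Voices materials; the trusted-domain list and every address, link and sender in it are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the campaign actually trusts (placeholder names).
TRUSTED_DOMAINS = {"examplecampaign.org", "trusted-vendor.com"}

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substituted, inserted or deleted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra character in the longer string, or both on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) <= 1

def sender_domain(from_header: str) -> str:
    """Pull the real address out of a From: header such as 'Jane <jane@example.org>'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()

def classify_sender(from_header: str) -> str:
    """'trusted', 'lookalike' (one character off or non-Latin letters), or 'unknown'."""
    dom = sender_domain(from_header)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    if any(ord(c) > 127 for c in dom):
        return "lookalike"  # e.g. a Cyrillic letter standing in for a Latin one
    return "lookalike" if any(within_one_edit(dom, t) for t in TRUSTED_DOMAINS) else "unknown"

def link_mismatches(html_body: str) -> list:
    """(visible text, real host) pairs where the text shows a host the href does not go to."""
    found = []
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html_body, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not re.fullmatch(r"(https?://)?[\w.-]+\.[A-Za-z]{2,}(/\S*)?", shown):
            continue  # plain words like "Click here" make no host claim to compare
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        real_host = urlparse(href).hostname or ""
        if shown_host.lower() != real_host.lower():
            found.append((shown, real_host))
    return found
```

A "lookalike" or a non-empty mismatch list is the cue to phone the sender, using a number you already have rather than one in the message.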