Security Awareness Program: Social Engineering and BYOD Risks

Added on  2022/09/26

Homework Assignment
AI Summary
This assignment presents a case study of a social engineering attack and a BYOD (Bring Your Own Device) security breach. The social engineering scenario details how an attacker uses a phishing email to gain access to an employee's credentials, ultimately compromising the company's sales data and customer information. The BYOD scenario illustrates the risks associated with employees using personal devices for work, including the loss of sensitive data due to a stolen phone. The assignment highlights the importance of employee training, strong security policies, and the use of security measures such as updated anti-virus software and spam filters. Key takeaways are provided for both employees (e.g., being cautious about clicking on links in spam emails and verifying domain links) and company CEOs (e.g., implementing strong security policies, BYOD policies, and using cloud facilities). The assignment underscores the need for a comprehensive security awareness program to protect against various cyber threats and data breaches.
Social engineering security awareness program
JOE: (Sales office) Logs in to his computer and, as is his routine, starts by opening his mail to
check for any client requests, new client messages, or orders placed by clients.
He receives a spam email with the subject “ORDERS THAT YOU NEED TO WORK ON”.
JOE: “Hey Joe!” (He grows eager to read on, smiling, as his commission for the month will
be higher than in other months.) (To himself) The company CEO!! He will assist me with clients!!
This is awesome.
SCREEN: Joe opens the spam email from the supposed CEO and scrolls down. It starts
by asking him to reconfirm his details to verify that they are correct. He then clicks a link
that takes him to a site that looks like a system he uses within the organization he works for. Joe
starts to enter his username and password (the details he uses to log in to the company system).
JOE: (Happy. A message is sent back to him: “I will submit customer details within 30 minutes.”)
SYSTEM: SOCIAL ENGINEER ATTACKER – Key-logger details submitted from target system,
IP address 192.168.1.100 (http://www.jimjamsalescompany.com)
SYSTEM – SOCIAL ENGINEER ATTACKER – Yes! I now have full access to the Jim Jam
company sales team, clients’ details, and all the organization’s employees. Wah!!! They even
contact their customers via the system by sending them text messages.
SYSTEM – SOCIAL ENGINEER ATTACKER – (To herself) I do not have the administrator’s login,
and some of the functionalities are disabled. I need to use Nmap to get server details and then install
a key-logger to obtain admin details.
SYSTEM – SOCIAL ENGINEER ATTACKER – PAP! I am now in; I have full access to the
whole system. I can even send a message to their bank’s customer care to request a refund for a
certain customer. (A message is sent to the bank and money is deposited to a newly created client.)
JOE: (To himself) Thirty minutes are over and I am yet to get the details. (Joe heads to the CEO’s
office and tells the secretary that he wants to see the CEO.)
CEO: How are you, Joe? It has been long since I last saw you. (Still on his computer. The phone rings;
it is the bank.)
CAROL (bank customer care): We have already deposited the money as you requested. Thank
you for banking with us.
CEO: (Shocked!! To Joe) What brought you to my office? And please be quick, I have an
urgent matter to attend to, now that I have received that strange call.
JOE: You sent me an email in which you promised that you would send new clients’ details within
thirty minutes. It is now one hour.
CEO: What!!! When did I send such a thing? And where is this email I sent? Kindly show me on my
computer. (Joe checks the CEO’s sent emails, but no such email was sent.)
CEO: Kindly go and counter-check the email again. I need to sort out an issue; we might have lost ten
thousand dollars if I do not act now.
BYOD security awareness program
JAMES: (To himself) I need to save this data on my iPhone so that I can work from home. My
laptop is much faster.
SCREEN: James saves financial details, customer details, and employee details on his iPhone.
EMILY (James’s supervisor): (To James) Make sure the payroll design is finished. Also prepare a list of
all the suppliers who need to be paid. Get their invoice details from the system.
JAMES: Gets all the details and saves them on his iPhone.
JAMES: (Leaves the office and heads home. On his way home, his phone is snatched.) (To
himself) All my work is gone, together with the suppliers’ details: their bank accounts, phone
numbers, and names.
Key takeaways
To employees
Think before you click anything in a spam email: attackers employ what is referred to as a
sense of urgency. They try to make you happy so that you react by clicking.
Research any link sent to you: it is always important to check domain links to verify that they
are real.
To company CEOs
Ensure all organization devices are secured using updated anti-virus software, and
ensure that employees set their spam filters to high.
The company needs to craft proper policies about BYOD devices. The company needs to
use cloud facilities if need be for one to work from home.
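The two employee takeaways above (beware of urgency, check the domain behind every link) can be turned into a simple mail check. The Python below is an added example written for this page, not part of the assignment: it takes the company domain from the scenario (jimjamsalescompany.com) and inspects a constructed copy of the kind of email Joe received, flagging a sender address outside the company domain, a link whose host is only a lookalike of the company domain, and urgency or "reconfirm your details" wording. The lookalike domain, the mail text and the phrase list are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The company domain from the scenario (http://www.jimjamsalescompany.com).
COMPANY_DOMAIN = "jimjamsalescompany.com"

# Phrases that create a "sense of urgency" or ask for credentials (constructed list).
URGENCY_PHRASES = ("within 30 minutes", "immediately", "urgent",
                   "reconfirm", "verify your details")

# Constructed sample of the kind of mail Joe receives: the display name claims
# to be the CEO, but the sender address and the link point at a lookalike
# domain that is made up for this example.
PHISHING_EMAIL = """\
From: "Jim Jam CEO" <ceo@jimjamsalescompany-login.com>
To: joe@jimjamsalescompany.com
Subject: ORDERS THAT YOU NEED TO WORK ON
Content-Type: text/plain

Hey Joe! Reconfirm your details within 30 minutes and I will send you the new
clients: http://portal.jimjamsalescompany-login.com/verify?user=joe
"""

# Constructed sample of a genuine internal mail, for comparison.
LEGIT_EMAIL = """\
From: "Jim Jam CEO" <ceo@jimjamsalescompany.com>
To: joe@jimjamsalescompany.com
Subject: Notes from the sales meeting
Content-Type: text/plain

Joe, the notes are on the portal: https://portal.jimjamsalescompany.com/notes
"""


def registrable_domain(host):
    """Crude registrable domain: the last two labels of the host name.
    Enough for the .com-style names used here; a real filter would
    consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def extract_links(text):
    """Return every http(s) URL found in the message body."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def check_email(raw):
    """Return a list of (kind, detail) findings; an empty list means no flags."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []

    # 1. Does the sender address really belong to the company domain?
    _, addr = parseaddr(msg.get("From", ""))
    sender = registrable_domain(addr.rsplit("@", 1)[-1])
    if sender != COMPANY_DOMAIN:
        findings.append(("sender-domain", f"{addr} is not on {COMPANY_DOMAIN}"))

    # 2. Does every link really lead to the company domain?
    for link in extract_links(body):
        host = urlparse(link).hostname or ""
        domain = registrable_domain(host)
        if domain != COMPANY_DOMAIN:
            detail = f"{link} goes to {domain}"
            # The company name embedded in a foreign domain is the classic lookalike.
            if COMPANY_DOMAIN.split(".")[0] in domain:
                detail += " (lookalike of the company domain)"
            findings.append(("link-domain", detail))

    # 3. Does the wording lean on urgency or ask to re-enter credentials?
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_EMAIL), ("legitimate", LEGIT_EMAIL)):
        print(f"{name}: {check_email(sample) or 'no findings'}")
```

The phishing sample produces three findings (sender domain, lookalike link domain, urgency wording) while the genuine mail produces none; the registrable-domain comparison is what catches a host such as portal.jimjamsalescompany-login.com that merely contains the company name.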