Cybersecurity and Social Engineering
[April 2024] Social engineering is the use of deception and/or manipulation intended to essentially cause a person to divulge information they normally wouldn't. Cyber attacks may include social engineering techniques, such as phishing emails or phone scams, to manipulate us into revealing confidential information or granting unauthorized access. Without proper awareness and training, you may unwittingly be subject to social engineering scams.
00:03
Hello everyone, I'm Mary Gower and today I'm joined by Joshua Craft at the University of Alaska system office of Information Technology. Josh is a security analyst. So today we're going to be talking about social engineering and we'll have a follow-up chat where we talk about social engineering using artificial intelligence. In a nutshell social engineering is using psychological tactics to manipulate people.
In an information security context, social engineering is the use of deception and/or manipulation intended to essentially cause a person to divulge information they normally wouldn't -- and it's usually used for fraudulent purposes. So unlike a cyber attack, bad actors gain the trust of their targets so they give up that personal information. Imagine now at the University we have a researcher -- let's call him Greg -- who routinely communicates online with colleagues. And a hacker will target Greg and meticulously research his communication patterns.
Then posing as an IT support specialist this hacker begins to send three seemingly legitimate emails over the span of a couple of weeks. These emails discuss routine system updates, software patches, upcoming security measures, and project work. Each message is crafted to mirror the University's communication style. So what this does, is it makes it challenging to discern any malicious intent. After establishing a sense of familiarity and trust with Greg, the hacker sends a fourth email this time containing a link that appears to be a program specifically associated with Greg's research. Trusting the routine nature of the communication Greg clicks on the link redirecting him to a convincing but fake login page where he enters his credentials and unbeknownst to Greg his username and password are now in the hands of the hacker.
02:23
Another common scenario takes advantage of certain events or transitions for setting up an attack -- like at tax time or when employees are first starting a job. For example, a hacker carefully monitors departments within the university, pinpointing recently hired employees in financial aid for example. After identifying the targets the hacker sifts through all this information about their recent office events, gathered from the campus newsletters, student newspapers or even the office's Facebook account. The hacker then will craft a personalized phishing email posing as a human resource employee. The email prompts the new employee to click on a link for university onboarding training -- however that link actually leads to a phishing site designed to capture these log-in credentials allowing the hacker to gain unauthorized access to the new employee's sensitive financial aid data.
03:40
To prevent this from happening, start with being skeptical. Always approach unexpected emails, messages or calls with caution. Verify the identity of the sender through established and trusted communication channels before sharing sensitive information or clicking on links. If you're ever in question, reach out to that colleague. Send them an email, make a phone call, verify maybe they did or did not send those suspicious messages.
Additional countermeasures could include training employees on recognizing phishing attempts and implementing Two Factor Authentication -- also known as TFA -- to add an extra layer of security beyond just the password.
Keep tabs on what's happening in security awareness and take training to learn to recognize and respond appropriately to social engineering attempts. You can check out the cybersecurity trainings at myUA. The simplest way to locate them is to search "data security" once you've logged in to myUA.
04:44
The best resources for learning the latest about all of these kinds of changes in the landscape are usually cybersecurity news articles. The principles of social engineering do not necessarily change through time -- it's their core kind of inner workings to hack the human psychology and get users to divulge information by exploiting them. There's a really great article called "Social engineering: definition, examples, and techniques" on an online resource named CSO that I recommend looking up. It talks about many different elements of social engineering and examples as well.
For urgent matters, contact your local service desk. If you need further assistance including individualized help contact the Office of Information Technology Security at ua-oit-security@alaska.edu or visit the OIT's website.
"Compliance Chat" videos are informal conversations where Senior Institutional Compliance Liaison Mary Gower meets with subject matter experts covering frequently asked compliance questions and issues in quick, bite-sized clips.