Social engineering refers to the sophisticated use of deception to manipulate people into disclosing confidential or personal information for fraudulent purposes; the attackers seek to exploit people rather than system vulnerabilities.
| Term | Definition |
|---|---|
| search engine optimization (SEO) poisoning | It is not uncommon for social engineers to build a website around frequently used internet search terms in order to lure users into performing an action, such as downloading a trojan or divulging ... |
| security awareness training | The process of educating users about IT security risks and reinforcing the importance of compliance with security policies. Most employees will have a level of awareness about the risks posed by, ... |
| sender policy framework (SPF) | This is a validation system that allows receiving mail exchangers (MXs) to check with the sending domain to ensure that the host which the mail originated from is authorized to send mail for that ... |
| sensitive personal data | The GDPR covers a special category of personal data called sensitive personal data. This is any data which covers the data subject's racial or ethnic origin, political opinions, religious beliefs, ... |
| shadow IT | IT hardware or software that is used to handle organisational data without explicit approval. For example, an employee who uses a personal Gmail account for internal or external work-related communicat... |
| shoulder surfing | This is the capture of confidential data by observation of a target while passwords or PIN numbers are being input into a computing device, such as a tablet, ATM machine or door entry system. Sho... |
| SIEM (security information and event management) | This is a system for aggregating security-related log files from devices across your network to help detect suspicious activity. SIEMs can be effective at detecting technical breaches, but are not... |
| SIM swap | This technique is commonly used to bypass two-factor authentication. The attacker obtains a victim's personal information through a phishing scam. Details such as the address, mobile telephone num... |
| simulated phishing | An exercise which involves computer users being sent phishing-type emails to investigate their susceptibility to phishing attacks. This can also be used as a training and security awareness tool. |
| smishing (aka SMS phishing) | This is a technique whereby targets are sent SMS messages from an attacker masquerading as a trustworthy entity who is requesting personal information. One popular smishing scam involves a message... |
| spam filter | The job of a spam filter is to prevent spam or malicious emails from reaching your email inbox. Most spam filters rely on a mixture of artificial intelligence, heuristics and natural language proc... |
| spear phishing | Just like phishing, but targeted at a specific person or group. Spear phishing is a highly focused attack with a higher probability of success due to a well-researched pretext. Anti-phishing train... |
| steganography | The practice of concealing a file within another one. For example, a social engineer might hide a malicious executable inside a JPEG file, which he then emails to his victim. Upon clicking a seemi... |
| subject access request | Under GDPR, data subjects can now make a subject access request to an organisation for all personal information held on them and an in-depth description of how it is being processed. This request ... |
| tab-nabbing | Occurs when a malicious URL opens in a browser's open tab. It usually happens without the user being immediately aware of it. The tabs opened are often designed to imitate a legitimate site in ord... |
| tailgating (a.k.a. piggybacking) | The act of following someone into a secured area, usually by exploiting someone's courtesy of "holding the door". To mitigate against this type of physical intrusion, it should be explicitly state... |
| typo-squatting | When a hacker registers a domain name that is similar to an established one for the purposes of advertising, drive-by malware or phishing attacks. For example, a hacker might register a domain, su... |
| URL obfuscation | A web address that has been obfuscated in the browser address bar. For example, a URL might be encoded to disguise its true value by using hex, DWORD or octal encoding. This is a form of social en... |
| URL shortening | This was originally designed to make long URLs (website links) more manageable when typing or more easily transmitted in mediums where character limits exist (e.g. SMS messaging). However, URL sho... |
| vishing | A social engineering scam in which confidential information (such as credit card information) is extracted from a target over the telephone for financial gain. A common vishing scam involves an at... |
| watering hole attack | The targeting of a website used by a specific group of users. For example, if an attacker wanted to attack an airline, they might insert malware into an aviation website, such as pprune.org, which... |
| whitelisting | As traditional anti-virus software only relies on signature-based definitions or heuristics, there is always the risk that a zero-day threat will infect a system. To mitigate against this risk, ap... |
| zero-day exploit | An attack that exploits a zero-day vulnerability. |
| zero-day vulnerability | A vulnerability in hardware or software that is unknown to the manufacturer/developer or general public. The name "zero day" references the number of days that the software or hardware vendor... |