Posted by Tyler Chancey, GCFA on

Tyler Chancey is a cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services. With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery in Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis—an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in the active pursuit and maintenance of these certifications, making him a trusted authority in the field.

An HVAC vendor tells you that he needs to check your server rooms for proper airflow. You don’t think twice about letting him in, he does what he needs to, and he is gone before too long. A few weeks later, your company is plastered on the local news for being the latest big data breach. What happened, and how can you prevent this?

The scenario described above is a prime example of social engineering. Social Engineering in information security is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes” (Google). The attacker was dressed as a trusted individual (HVAC vendor) and exploited that trust to perform malicious activities on your servers.

Social Engineering is the oldest form of “attack” in the InfoSec realm. New technology has given rise to dozens of communication channels as an avenue to perform these attacks. Business owners need to know what Social Engineering looks like before they are able to properly defend against it.

Social Engineering – Common Techniques

Attackers do not need to exclusively rely on technology to achieve their goals. One of the most effective avenues for gaining access into a network is to simply manipulate the employees into handing it over. There are many techniques that are used by social engineers. Always be on the lookout for the things listed below and be sure to maintain a “trust but verify” attitude with all electronic communications.

Security professionals do not want everyone to be paranoid, but the extra few seconds it can take to confirm someone’s identity can determine the fate of a company.

Phishing

Phishing is one of the “technology reliant” methods of social engineering. A phishing attack is a scenario where a malicious actor will communicate via email, phone (often called “vishing”) or messaging service. The intention is always to mislead the employee.

A well-known usage of email phishing is to include malicious links that the attacker manipulates the victim into clicking. Disturbingly, links are not the only method to phish users. More specialized messages will request that a user send confidential data under the pretense of being somebody important. These types of attacks are extra dangerous because they can be harder to train against and indicate more advanced threats.
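One way a mail filter can flag the impersonation-style messages described above, shown as an added example that is not part of the original article. The organization domain, the protected names, the pressure-word list and both sample messages are constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the organization's own domain, the
# people an attacker is likely to pose as, and wording that signals pressure.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"dana whitfield", "lee ortega"}
PRESSURE_WORDS = ("urgent", "immediately", "confidential", "wire", "gift card")

def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()

def impersonation_flags(raw_message):
    """Return the reasons a message looks like impersonation of an insider."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    external = domain_of(addr) != ORG_DOMAIN
    flags = []
    # A protected person's display name paired with an outside address.
    if external and " ".join(name.lower().split()) in PROTECTED_NAMES:
        flags.append("protected display name on external address")
    # Replies silently routed to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("Reply-To domain differs from From domain")
    # Pressure wording only counts when the sender is external.
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if external and hits:
        flags.append("pressure wording from external sender: " + ", ".join(hits))
    return flags

# Constructed sample messages (reserved example domains, invented names).
SPOOFED = """\
From: "Dana Whitfield" <dana.whitfield@example.net>
Reply-To: dana@example.org
Subject: Urgent request

I need the payroll file sent to me immediately. Keep this confidential.
"""
LEGIT = """\
From: "Dana Whitfield" <dana.whitfield@example.com>
Subject: Lunch menu

Menu attached for Friday.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_flags(raw))
```

Flags like these are best used to add a warning banner or route a message for review; they support the identity check by the employee rather than replace it.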

Baiting

A USB was found in the parking lot with the phrase “Annual Incentive” written on the outside. Eager to see this confidential information, a user connects this USB to their device. Instead of viewing information, this user has now infected your network. This happens far more often than one might think and is a highly successful attack.

This technique of leaving a piece of bait meant to be found is common and exploits our natural curiosity. These attacks are easy to prevent via proper security procedures and training.

Intimidation

Not all intimidation is physical. Many attackers will simply attempt to overwhelm whoever they are contacting by impersonating someone of authority. No role is off limits in the attacker’s imagination. They can impersonate a CEO, manager, or even a federal agent in order to frighten a victim into cooperation.

This approach usually involves calling or messaging a lower-level employee, demanding something urgently while threatening their job or even jail time. Without proper training, many people are easily flustered and simply give the attacker whatever they want to avoid trouble.

Confidence

Many times, simply acting like you belong is enough to gain access. People are busy and naturally trusting. If you come into an office with a water jug on your shoulder, many people will assume you are the water delivery guy and won’t question you being there. Attackers exploit this trust and “hide in plain sight” in order to gain unwarranted access into areas.

This technique is especially powerful when office personnel are expecting major changes or activity for a set period of time (such as an office remodel).

Defending Against Social Engineering

Social Engineering is just another tool in the attacker’s playbook. Being proactive is the single best counter to any threat, but defending against basic psychology can be tricky. You can significantly increase your immunity to social engineering by changing the way your employees think and heavily emphasizing “trust but verify” within your environment.

Training

Employee training is the main solution to foil dedicated social engineers. A solid, centralized policy for dealing with guests must be strictly enforced to prevent unwanted access. Email awareness campaigns and employee phishing training help to significantly reduce the chance that a user falls for a phishing scam. Identification verification methods are vital to prevent people from claiming they belong and sneaking by security.

Simulations

“No plan survives first contact with the enemy.” This military mantra fits surprisingly well in the business world. Realistic simulations go along with training to a certain extent. These hidden tests provide real-world experience to your users in the form of emails, calls, and even actors posing as delivery personnel or repairmen. By checking that the training and policies are being followed, owners can get an idea of what needs to be improved or streamlined.

Network Security

The unfortunate truth is that even the best training programs still leave small gaps. The larger the organization becomes, the higher the chance that somebody falls into a gap and doesn’t react properly to their training. When things do get in, an extensive security net can help to prevent the spread throughout the network.

Data Loss Prevention

A relatively new concept in cybersecurity, DLP can help security teams look for information being leaked from the environment. While this will not help with the initial compromise, it can stem the bleeding from a successful attack and lead to much quicker remediation.

Administrative Controls

Network Administrators must ensure that permissions are handled properly within the environment. Many social engineering attacks can be thwarted simply by not allowing less-trained associates to have access to confidential data. If an attacker wants to get ahold of a specific financial document but cannot get an account with the proper permissions, the attack is effectively dead in the water.
