Cybersecurity isn't just about computers. It's about people, money, motivations, and the messy reality that no system is ever 100% safe. This topic gives you the core vocabulary every security pro uses: how attackers manipulate people, who the attackers actually are, how attacks unfold step by step, and how organizations decide what risks are worth fighting and how to fight them. Once these foundations click, everything else in the course builds on top.
Social Engineering Attacks
Social engineering is hacking the human, not the machine. Instead of cracking a password, the attacker tricks someone into handing it over. These attacks work because humans have predictable psychological reactions, and adversaries know exactly which buttons to push.
The setup behind most social engineering attacks is pretexting: the attacker invents a believable reason to contact you. Maybe they "work in IT" and need to fix your account. Maybe they're "from the bank" calling about suspicious charges. The pretext gives the rest of the attack a story that feels normal.
On top of pretexting, attackers layer in psychological tactics:
- Authority: The attacker pretends to be (or pretends to be acting on behalf of) someone powerful. Example: an email "from the CEO" telling an accountant to wire money immediately.
- Intimidation: Threatening bad consequences if you don't comply. Example: "Your account will be locked and reported to HR if you don't verify your password now."
- Consensus: Making you feel like everyone else is already doing it. Example: "All your coworkers have already completed this security survey, please finish yours."
- Scarcity: Pretending the offer or opportunity is running out. Example: "Only 5 spots left for the company bonus program, click here to claim yours."
- Familiarity: Pretending to know you or be close to someone you trust. Example: "Hey, it's Jake from accounting, we met at the holiday party. Quick favor..."
- Urgency: Creating a deadline so tight you don't stop to think. Example: "You have 10 minutes to confirm this transaction or it will be canceled."
A single phishing email often combines several of these. "URGENT: Message from the CEO. Wire $50,000 to this account in the next hour or we lose the deal" stacks authority, urgency, and intimidation all at once.
Types of Adversaries
Not every attacker is a hoodie-wearing hacker in a basement. The CED groups adversaries by skill level and motivation.
- Script kiddies are low-skill attackers who download tools other people built and run them without really understanding how they work. They're usually after bragging rights or quick money. Think of someone using a free DDoS tool to knock a game server offline.
- Hacktivists attack for a cause: political, social, or personal. They believe their illegal methods are justified by their beliefs. Defacing a corporation's website to protest its practices is a classic hacktivist move.
- Insider adversaries are the scariest in some ways because they already have legitimate credentials. A disgruntled employee, or someone bribed by an outside group, can walk past every firewall because the system thinks they belong there. Their motivations are often revenge or money.
- Cyberterrorists want to cause widespread disruption to communities, regions, or nations. Their targets are big: power grids, water treatment plants, hospitals. They may work alone, for a government, or for a criminal group.
- Transnational criminal organizations are in it for the money. They run large ransomware operations and steal corporate intellectual property to sell on illegal markets. These are professional, organized groups, not lone hackers.
The key thing to remember: motivation shapes the attack. A hacktivist wants attention, so they want you to know they hit you. A criminal organization wants money, so they may try to stay quiet and demand a ransom.
Phases of a Cyberattack
Attacks usually unfold in stages. Not every attack uses every phase, but this is the general flow.
1. Reconnaissance
The attacker gathers info about the target. A lot of this comes from open source intelligence (OSINT), which just means freely available info: LinkedIn profiles, company websites, public records, social media. If an attacker learns your CFO's name and email format from LinkedIn, that's OSINT.
2. Initial Access
The attacker gets their first foothold. This usually happens through social engineering (someone clicks a phishing link) or weak/stolen credentials.
3. Persistence
Once inside, attackers don't want to lose access. They install something that lets them get back in whenever they want. A common tool is a command and control (C2) channel, which lets the attacker send commands to the infected device and receive output. Malware like a remote access trojan (RAT) or a rootkit makes persistence possible.
4. Lateral Movement
The attacker spreads. They try to escalate privileges, meaning they look for accounts with more access than the one they started with. Going from a regular employee account to an admin account is the goal.
5. Taking Action
Now they do what they came to do. This could mean stealing (exfiltrating) data, encrypting files for ransom, or destroying systems.
6. Evading Detection
On the way out, smart attackers cover their tracks. They delete or edit log files and remove malware they planted so investigators have a harder time figuring out what happened.
The Risk Assessment Process
Before an organization can defend itself, it has to figure out what it's actually defending. That's where risk comes in. Risk exists when a threat can exploit a vulnerability to compromise an asset.
An asset is anything valuable: money, intellectual property, customer data, servers, buildings, even reputation.
Risk assessment looks at two things:
- Likelihood: How probable is it that this vulnerability gets exploited?
- Severity: How bad would the damage be?
What affects likelihood
- Value of the target. A bank gets attacked more than a local bakery.
- Skill required. If a vulnerability has a well-known, easy-to-use exploit, way more attackers can pull it off.
- Motivation and capability of adversaries. A nation-state attacker can do things a script kiddie can't.
What affects severity
Severity is usually measured in financial cost, but it also includes operational impact (can you still run the business?) and reputational impact (will customers trust you afterward?).
Here's a good example from the CED: a hacktivist who cares about illegal fishing wants to deface the website of a food company that supports those practices. They don't make a dollar from the attack, but the company loses reputation and has to deal with cleanup. The severity is real even though the attacker's "reward" is non-financial.
Quantitative vs. qualitative
- Quantitative risk assessment uses numbers. You might rate a vulnerability a 7/10 or estimate the risk at $10,000 per year.
- Qualitative risk assessment uses categories like "low, medium, high, severe" or "likely high impact" vs. "unlikely low impact."
A solid risk assessment document includes the vulnerable asset and its value, the likely threats, the specific vulnerabilities and how they'd be exploited, the severity (financial, operational, reputational), the likelihood, and a final rating.
Strategies for Managing Risk
Once you know your risks, you have four options. You'll often see these called the four risk responses.
- Risk avoidance: Stop doing the risky activity. If processing online payments is too risky, don't accept online payments. The catch: if the activity is core to your mission, you can't avoid it. A bank can't just stop being a bank.
- Risk transference: Make someone else carry the risk. Cyber insurance is the classic example. If a breach happens, the insurance company pays out. You can also transfer risk to a government program or even to consumers (think of fees that cover potential losses).
- Risk mitigation: Add security controls to reduce the likelihood or impact. Installing a firewall, requiring multi-factor authentication, or training employees on phishing are all mitigation.
- Risk acceptance: Acknowledge that you can't eliminate every risk and decide to live with what's left. That leftover risk is called residual risk: the risk remaining after you've avoided, transferred, and mitigated as much as you can.
Organizations care about cost-effectiveness. A control that costs $50,000 a year to prevent a $5,000 risk doesn't make sense. Cost-effective solutions cost less to install and maintain than the expected loss from an attack.
Types of Security Controls
Security controls are the actual protections an organization puts in place. Every control should support at least one of the three core principles, often called the CIA triad:
- Confidentiality: Only authorized people, systems, or processes can access data. Lose this and data gets stolen.
- Integrity: Data are accurate and trustworthy. Lose this and data can be tampered with.
- Availability: Data and services are accessible when authorized people need them. Lose this and you face downtime.
Controls get classified two different ways: by type and by function.
By type (what kind of control it is)
- Physical controls protect the physical space: locks, fences, cameras, bollards (those short posts that block vehicles), security guards.
- Technical controls protect the digital space: firewalls, anti-malware software, encryption.
- Managerial controls are the rules and policies: password policies, regular access reviews, incident response plans (IRPs).
By function (what the control does)
- Preventative controls try to stop attacks before they happen. Locks and encryption are preventative.
- Detective controls spot attacks while they're happening or after. Examples: intrusion detection systems (IDSs), cameras, and security incident and event management (SIEM) systems.
- Corrective controls fix the damage and restore systems. Examples: patching a vulnerability, repairing a broken card reader, or running an intrusion prevention system (IPS) to stop an active attack.
A single control can fit multiple categories. A camera is a physical control and a detective control. A firewall is a technical control and (depending on how it's used) preventative or detective.
Defense in Depth
No single control catches everything. That's why organizations use defense in depth, also called layered defense. The idea is simple: stack multiple types of controls so that if one fails, another one is still there.
Different threats need different controls. A phishing email isn't stopped by a fence. A burglar isn't stopped by anti-malware software. By layering different control types, you cover more ground.
You also get resilience. If an attacker bypasses one control, the next layer can still block them or at least limit the damage. An attacker who phishes their way past the human layer still has to get past the network firewall, then the device's anti-malware, then encryption on the data itself.
Typical layers in defense in depth:
- Policy/Governance: Security policies, password policies, acceptable use policies.
- Data and Applications: Encryption, access controls, data loss prevention (DLP) software.
- Device: Endpoint detection and response (EDR), authentication, anti-malware, host-based firewalls.
- Network: Authentication mechanisms, encryption, firewalls, network segmentation.
- Physical Perimeter: Locks, security guards, gates and fences, cameras.
Think of it like a castle. The moat doesn't replace the walls, and the walls don't replace the guards inside. Each layer assumes the one before it might fail, and that's the whole point.
Vocabulary
The following words are mentioned explicitly in the College Board Course and Exam Description for this topic.Term | Definition |
|---|---|
access control | Security mechanisms that restrict who can access specific resources, systems, or data based on user identity and permissions. |
adversary | An individual or entity that attempts to exploit vulnerabilities in systems, applications, or data to cause harm, steal information, or disrupt operations. |
anti-malware software | Software that detects and removes malicious software (malware) from a device; another term for anti-malware software. |
asset | Anything of value that needs protection, including financial resources, intellectual property, data, digital infrastructure, physical property, and reputation. |
authentication | The process of verifying the identity of a user or system, typically through credentials such as passwords. |
authority | A social engineering tactic where adversaries impersonate someone with power over a target or pretend to relay instructions from that person. |
availability | The security principle ensuring that systems and data are accessible and functional when needed by authorized users. |
command and control (C2) | A protocol that allows adversaries to send commands to a compromised device and receive output, often used to maintain persistence. |
confidentiality | A security principle that ensures only authorized individuals, systems, or processes can access data. |
consensus | A social engineering tactic where adversaries create social pressure by making a target believe everyone else is doing a desired action. |
corrective controls | Security controls that fix problems and help restore systems to an operational state, such as vulnerability patching and intrusion prevention systems. |
cyberattack | A coordinated attempt by adversaries to disrupt, harm, steal, or destroy devices, networks, or data, typically executed through multiple phases. |
cyberterrorists | Adversaries motivated by politics or beliefs who seek to disrupt entire communities, regions, or nations through cyberattacks on critical infrastructure, acting independently or on behalf of governments or criminal organizations. |
data exfiltration | The unauthorized transfer of data from a target system to an external location controlled by adversaries. |
Data Loss Prevention (DLP) Software | A security control that monitors and prevents unauthorized transmission or loss of sensitive data. |
defense-in-depth strategy | A layered security approach that uses multiple types of security controls at different levels to protect sensitive data and systems from various threats. |
detective controls | Security controls that help identify attacks when they occur, such as intrusion detection systems and security incident and event management systems. |
encryption | A security technique that converts data into an unreadable format to prevent unauthorized access if data are stolen or intercepted. |
Endpoint Detection and Response (EDR) Service | A security control that monitors devices for suspicious activity and responds to threats detected on endpoints. |
evading detection | The final phase of a cyberattack in which adversaries remove or edit log files and erase evidence of their presence on compromised devices. |
exploit | A technique or tool used to take advantage of a vulnerability to compromise a system or network. |
familiarity | A social engineering tactic where adversaries pretend to be or know someone close to a target to establish trust. |
firewall | A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. |
hacktivists | Adversaries motivated by social, political, or personal causes who compromise computers and networks to support their cause or stop perceived harm. |
host-based firewall | A security control installed on individual devices that monitors and controls incoming and outgoing network traffic. |
incident response plans | Managerial controls that provide procedures and guidelines for responding to and recovering from security incidents. |
initial access | The phase of a cyberattack in which adversaries establish a foothold on a target's computer, often through social engineering or compromised credentials. |
insider adversaries | Threats with legitimate credentials and access to systems and data who can be recruited by malicious third parties and motivated by greed or revenge. |
integrity | The security principle ensuring that data remains accurate, complete, and unaltered by unauthorized parties. |
intellectual property | Proprietary information and creations of a company or organization that have commercial value. |
intimidation | A social engineering tactic that uses threats of negative consequences to create fear and compel targets to take action. |
intrusion detection systems | Detective controls that monitor network traffic and system activity to identify potential attacks or unauthorized access attempts. |
intrusion prevention systems | Corrective controls that detect and block malicious network traffic and attacks in real-time. |
lateral movement | The process by which an attacker moves from one compromised system to other systems on a network to gain access to more sensitive resources. |
likelihood | The probability that a vulnerability will be exploited, influenced by target value, skill required, and adversary motivation and capabilities. |
managerial controls | Security measures that provide rules, guidelines, policies, and procedures to specify what security should be in place, including password policies and incident response plans. |
network segmentation | The practice of dividing a network into separate segments or zones to improve security and contain potential breaches. |
open source intelligence (OSINT) | Freely available information that adversaries collect about a target during the reconnaissance phase of an attack. |
password policies | Managerial controls that establish rules and guidelines for creating and managing passwords to protect system access. |
persistence | The phase of a cyberattack in which adversaries establish mechanisms to maintain access to a compromised system without needing to regain entry. |
physical controls | Security measures that provide protection in the physical space, such as locks, fences, cameras, bollards, and security guards. |
pretexting | A social engineering tactic where adversaries create a believable reason to contact a target. |
preventative controls | Security controls that address potential vulnerabilities with the goal of stopping an adversary from attacking, such as locks and encryption. |
privilege escalation | The process of gaining higher-level access permissions to systems, services, and data during a cyberattack. |
qualitative risk assessment | A risk assessment method that uses descriptive categories rather than numeric values to rate risk levels. |
quantitative risk assessment | A risk assessment method that assigns numeric values to vulnerabilities based on a numeric scale or quantifiable financial impact. |
ransomware | Malicious software used to encrypt or block access to data or systems until a ransom is paid. |
reconnaissance | The first phase of a cyberattack in which adversaries gather information about their target, often using openly available sources. |
remote access trojan (RAT) | A type of malware that provides adversaries with remote access and control over a compromised device. |
residual risk | The risk that remains after an organization has implemented avoidance, transference, and mitigation strategies; the level of risk an organization is willing to accept. |
resilience | The ability of a security system to continue protecting data and systems even when one security control is bypassed, by having additional controls in place. |
risk | The potential for a threat to exploit a vulnerability and compromise an asset. |
risk acceptance | A risk management strategy that acknowledges and accepts the residual risk that remains after avoidance, transference, and mitigation efforts. |
risk assessment | A process that evaluates the likelihood and severity of potential attacks against vulnerabilities to determine overall risk to assets. |
risk avoidance | A risk management strategy that stops or eliminates the activity generating the risk. |
risk mitigation | A risk management strategy that implements security controls to reduce the likelihood or impact of a risk. |
risk transference | A risk management strategy that places the burden of risk on another entity, such as an insurance company, government, or consumers. |
rootkit | Sophisticated malware that embeds itself in a target computer's operating system and can control nearly every aspect of the system while remaining invisible to detection. |
scarcity | A social engineering tactic where adversaries create a sense of limited availability. |
script kiddies | Low-skilled adversaries who use tools developed by others without understanding how the tools work, often motivated by greed or a desire for recognition. |
security control | Measures or safeguards implemented to reduce the likelihood or impact of a risk. |
security incident and event management systems | Detective controls that collect and analyze security data from multiple sources to identify and respond to security incidents. |
severity | The extent of damage or impact that would result from a successful attack, measured by financial cost, reputational damage, or operational impact. |
social engineering attacks | Attacks that employ psychological tactics to manipulate users into revealing sensitive information, downloading malicious files, or clicking on malicious links. |
taking action | The phase of a cyberattack in which adversaries act on their objectives by collecting, exfiltrating, or destroying data and disrupting services. |
technical controls | Security measures implemented through technology to protect systems and data from unauthorized access. |
threat | A potential attack or harmful action that could exploit a vulnerability. |
transnational criminal organizations | Adversaries that seek financial gain primarily by deploying ransomware and stealing corporate intellectual property to sell in illegal markets. |
urgency | A social engineering tactic that creates a sense of time-sensitivity to pressure targets into acting quickly without careful consideration of safety or reasonableness. |
vulnerability | Weaknesses or flaws in systems, applications, or configurations that can be exploited by attackers to compromise security. |
vulnerability patching | A corrective control that applies updates to fix security weaknesses in software and systems. |