The Arsen Cyber Glossary is designed to help you improve your knowledge of the cybersecurity field and adopt best practices in your daily work.
Arsen is a platform that allows you to test your employees through phishing simulation campaigns.
When launching a campaign, you may realize that the security of your IT infrastructure, data, and production tools is potentially at risk due to certain employees clicking on phishing emails.
The goal of Arsen is to improve behavior by acting on three levers:
Theoretical lever: Do employees understand the risk and how it manifests?
Heuristic lever: Can employees apply their knowledge when faced with a threat?
Cultural lever: Are employees motivated to act as the first line of defense for the company, applying their knowledge to protect the organization, regardless of the circumstances when the threat reaches their inbox?
Types of Social Engineering Attacks
Key concepts:
☝️ Social Engineering – The use of psychological manipulation to trick a target into performing potentially dangerous actions or disclosing sensitive information. Phishing, smishing, spear phishing, and CEO fraud all rely on social engineering.
Example: An attacker posing as a security inspector wearing a high-visibility vest and carrying a notepad enters a facility without authorization, relying on the credibility of their appearance.
Arsen focuses on social engineering to minimize IT breaches caused by human manipulation.
🎣 Phishing – A fraudulent practice aimed at stealing personal information such as IDs, banking data, or passwords by impersonating a familiar company (e.g., Google, Facebook, Netflix, Amazon). Phishing usually arrives by email and relies on a link that leads to a fake page.
Example: You receive an email from “Netflix” offering a discount with a link to a fake login page to collect your credentials.
📲 Smishing – SMS-based phishing. Attackers use text messages (or instant messaging) to steal personal data.
Example: You get a text from your “bank” claiming an issue with your account, but it’s a scam attempting to steal your banking information.
🎯 Spear Phishing – Targeted phishing. The attacker personalizes the message for a specific individual, increasing realism and reducing the chance of detection.
Example: An email from “Netflix” referencing your favorite series to trick you into entering your credentials.
🗑️ Spam – Mass sending of unsolicited emails, either commercial or malicious. Unlike phishing, spam is typically not intended to compromise systems but may be harmful or annoying.
🗣️ Vishing (Voice Phishing) – Phishing via phone or voice messages. The attacker poses as someone offering a solution or alerting you to a fake problem to extract sensitive information.
Example: Receiving a call claiming you won a contest but must provide your credit card details to claim the prize.
Advanced attacks:
📌 APT (Advanced Persistent Threat) – Long-term, targeted cyberattacks, usually against organizations or states, aiming to steal sensitive data discreetly.
👔 CEO Fraud – The attacker impersonates a CEO or senior executive to request urgent transfers of funds.
🧮 Brute Force Attack – Systematically trying many candidate passwords (taken from a dictionary, generated by an algorithm, or both) until one works. Strong passwords and multi-factor authentication reduce the risk.
📭 Business Email Compromise (BEC) – Compromising a business email account to authorize fraudulent fund transfers.
👠 Catfishing – Using a fake identity online to manipulate and exploit a victim, often for financial gain.
👥 Deepfake – Using AI to create highly convincing fake content (video/audio) to manipulate a victim.
📟 Privilege Escalation – Gaining higher-level access after compromising a lower-level account.
📧 Email Spoofing – Faking the sender’s email address to appear legitimate. SPF and DKIM help mitigate this.
📡 Data Exfiltration – Unauthorized transfer of data outside the organization, either manually or via malware.
💽 Data Leak – Unintentional release of sensitive information, often due to human error.
💾 Malicious Insider – An employee, partner, or ex-employee misusing access to steal sensitive data.
💰 Ransomware – Malware encrypting systems and demanding payment for decryption keys.
📸 Sextortion – Extortion that threatens to publish private photos or videos of the victim unless they pay or comply.
🚚 Supply Chain Attack – Compromising a target via a vulnerable third-party provider.
🗝️ USB Drop – Leaving infected USB drives for unsuspecting victims to plug in.
🏝️ Watering Hole – Compromising a frequently visited site to target its users.
🐳 Whaling – Targeted attacks against high-profile individuals in an organization (“big fish”).
Protection and Mitigation
100% security doesn’t exist, so we focus on mitigation measures:
🔐 2FA – Two-factor authentication validates identity using two distinct factors, typically a password plus a one-time code.
🧰 MFA – Multi-factor authentication generalizes 2FA to two or more factors, combining passwords with codes, biometrics, and other methods.
🔰 Antivirus / Anti-malware – Software detecting malicious programs through signatures, behavior analysis, or sandboxing.
🛡️ Firewall – Filters or blocks network traffic based on policies and suspicious activity.
🔵 Blue Team – Team responsible for internal cybersecurity defense.
🐞 Bug Bounty – Rewards for ethical hackers identifying security flaws.
⚔️ DKIM (DomainKeys Identified Mail) – The sending domain cryptographically signs outgoing messages so receiving servers can verify that they genuinely originate from that domain.
➰ DLP (Data Loss Prevention) – Techniques to protect sensitive data and limit leaks.
🟩 DMARC – Lets a domain owner publish a policy telling receiving servers how to handle messages that fail SPF or DKIM checks.
🧪 EDR – Endpoint Detection & Response, monitoring endpoints for threats.
📕 Business Continuity Plan (BCP) – Procedures ensuring business operations during incidents.
📯 Disaster Recovery Plan (DRP) – Procedures to resume business after full disruption.
🕳️ Sandbox – Isolated environment for safely executing suspicious programs or files.
🔍 SIEM – Security Information and Event Management: collects and correlates security events from across the environment to detect and investigate incidents.
🔏 SPF – Sender Policy Framework lets a domain publish which mail servers are authorized to send on its behalf, so receiving servers can reject spoofed senders.
🔴 Red Team – Team simulating attacks to test cybersecurity defenses.
