User Awareness Key Takeaways

Sectricity User Awareness Key Takeaways

User Awareness & Social Engineering

Problem	Solution	Alternative Solution
Quishing (QR phishing)	Don't scan unknown QR codes	Forward suspicious ones to suspicious@safeonweb.be
Smishing (SMS phishing)	Don't click links in suspicious SMS	Verify directly via official app or website
Vishing (Voice phishing)	Don't trust unknown callers asking for sensitive info	Hang up and call back via official numbers
Phishing Emails	Check sender and hover over links	Report suspicious emails to IT
Phishing URL tricks using "." and "-"	Understand domain structure: login.paypal.com.evil.com = evil.com	Use browser extensions or email gateways to detect fake URLs
Subdomain spoofing	Attackers use subdomains like paypal.login.example.com	Only trust domains after the final dot before the TLD
Domain squatting	Misspelled or hyphenated domains like pay-pal.com or rnicrosoft.com	Manually type URLs or use bookmarks
TLD abuse	Using other TLDs like bank-login.net instead of .com	Use threat intelligence tools to block sketchy TLDs

Problem	Solution	Alternative Solution
Ransomware	Keep OS & software updated	Use anti-ransomware tools and offline backups
Macro malware (Office)	Block macros from internet files	Use web-based viewers (Office 365/Google Docs)
USB malware (USB drops)	Disable USB ports for unknown devices	Use endpoint detection to scan USB drives
Exploiting outdated software	Patch management & regular updates	Use application allowlisting

Problem	Solution	Alternative Solution
Evil Twin / Rogue APs	Verify network names; avoid auto-connect	Use VPNs or mobile data for sensitive activity
Deauth attacks (Wi-Fi disconnects)	Use WPA3 routers	Monitor with Wi-Fi intrusion detection
Man-in-the-Middle	Avoid logging in to accounts on public Wi-Fi	Use encrypted DNS (DoH/DoT) and HTTPS
Weak encryption (WEP/WPA)	Upgrade to WPA3	Disable WPS and use complex passphrases

Problem	Solution	Alternative Solution
Blind XSS	Sanitize all user input	Use CSP and secure cookies
Stored XSS in feedback forms or logs	Encode output in admin panels	Use input whitelisting and audit logs
XSS 2FA Bypass	Use WebAuthn or hardware tokens	Store tokens in HTTP-only cookies only
Malicious form injections	Validate on server side	Use security headers and frontend filtering

Problem	Solution	Alternative Solution
Azure misconfigurations	Audit Azure roles and permissions	Use Azure Defender & conditional access policies
Privilege escalation in cloud	Follow least privilege model	Monitor token activity and use alerts
Overprivileged service identities	Assign only required roles	Rotate credentials regularly and monitor usage
Public exposure of storage buckets	Restrict public access and enable logging	Use automation to scan for open buckets

Problem	Solution	Alternative Solution
Reused passwords	Use password manager	Enforce different passwords via policy
Weak passwords	Enforce complexity + MFA	Use passphrases instead of random characters
No MFA	Mandate MFA for all critical systems	Use hardware-based MFA like YubiKey
SMS-based 2FA phishing	Use app-based 2FA (TOTP) or push	Transition to phishing-resistant methods like WebAuthn

Problem	Solution	Alternative Solution
Default credentials on smart devices	Change passwords on first setup	Disable unused services and use VLANs
No firmware updates	Enable auto-update or manual schedule	Replace devices that no longer get updates
IoT exposed on public internet	Disable UPnP, port forwarding	Use internal firewall to block outbound access
Lack of monitoring on IoT	Use network monitoring tools	Segment devices from main network

Problem	Solution	Alternative Solution
Sharenting (oversharing kids' data online)	Educate about digital footprint	Set social media profiles to private
AI-generated deepfakes	Verify info with trusted sources	Use AI-detection plugins or manual checks
AI tools leaking company data	Restrict uploading to public LLMs	Use private or on-prem AI models
Voice cloning / impersonation	Avoid posting voice messages online	Use liveness detection for verification