Lesson Notes

Social Engineering & Your First Line of Defence

Module 1: Foundations. Pure theory—social engineering, why humans are the first line of defence, awareness and scepticism, how attackers exploit trust. Builds on the CIA triad and why security matters; sets up MFA and encryption before a dedicated MITM deep-dive.

Module 1: Foundations — Social Engineering & Your First Line of Defence

This lesson is pure theory—no labs or commands. It builds on What is Cybersecurity? and Why Cybersecurity Matters—the CIA triad and real-world impact—and introduces why humans are both the first line of defence and a major target. (You will study MITM in depth in Lesson 8 after MFA and encryption.) Social engineering exploits trust and habit; awareness and healthy scepticism are your first defence before any technical control.

1. Why “First Line of Defence” Starts With People

Passwords, MFA, and encryption are technical defences, but they only work if people use them correctly and do not give away credentials or bypass controls. Attackers often target people first: phishing, pretexting, baiting, and tailgating. A large share of breaches involve human error or social engineering (see, for example, the Verizon Data Breach Investigations Report, DBIR). Your first line of defence is awareness: question unexpected requests, verify identities, and think before you click or share.

2. Social Engineering: What It Is and How It Works

Social engineering is the art of manipulating people rather than breaking systems. Attackers exploit trust, urgency, and authority. Phishing: fake emails or messages that trick you into revealing credentials or clicking malicious links. Pretexting: creating a false scenario (e.g. “I’m from IT, I need your password”) to gain trust. Baiting: leaving infected USB drives or tempting offers to trigger curiosity. Tailgating: following someone through a secure door without credentials. The goal is often to obtain passwords, install malware, or gain physical or logical access. No technical control is foolproof if a user is tricked into bypassing it.

3. Passwords in the Human Context

Passwords are a shared secret between you and the system. They fail when they are weak (dictionary attacks, brute-force), reused (one breach leaks many accounts), or captured in transit (e.g. over unencrypted HTTP by a man-in-the-middle, MITM). Users often choose weak or memorable passwords; attackers use leaked lists (e.g. rockyou.txt). Strong passwords (length, complexity, no reuse) and a password manager reduce risk. Hashing and salting on the server protect stored passwords, so a leaked database does not directly reveal them; encryption in transit (HTTPS) protects them from eavesdropping. Your first line of defence includes choosing and protecting passwords so that technical controls (MFA, encryption) can do their job.
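An added example (not part of these lesson notes) that shows the server-side points above in Python: a check against a small constructed breached-password list standing in for rockyou.txt, and why a per-user salt means two users with the same password do not end up with the same stored hash. The user names and the leaked list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for a leaked password list such as rockyou.txt.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1"}

# PBKDF2 iteration count; higher is slower for an attacker guessing offline.
ITERATIONS = 600_000


def is_weak(password: str, min_length: int = 12) -> bool:
    """Reject short passwords and anything found in the breach list."""
    return len(password) < min_length or password.lower() in LEAKED_PASSWORDS


def unsalted_hash(password: str) -> bytes:
    """What NOT to do: a plain SHA-256 lets identical passwords be spotted
    and matched against precomputed hashes of leaked lists."""
    return hashlib.sha256(password.encode()).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash (PBKDF2-HMAC-SHA256). Returns (salt, digest).
    A fresh random salt per user means equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """For two users sharing a password: (unsalted hashes equal, salted hashes equal)."""
    plain_equal = unsalted_hash(password) == unsalted_hash(password)
    _, alice = hash_password(password)   # constructed user "alice"
    _, bob = hash_password(password)     # constructed user "bob"
    return plain_equal, alice == bob


if __name__ == "__main__":
    print("weak:", is_weak("welcome1"), same_password_same_hash("correct horse battery"))
```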

4. Defence in Depth: Awareness + Technical Controls

Together, awareness and technical controls form defence in depth. Be sceptical of unsolicited requests for credentials, links, or downloads. Verify the identity of anyone asking for sensitive information (call back on a known number, use official channels). Technical controls—strong passwords, MFA, encryption—protect you when someone tries to steal or guess credentials or intercept traffic. In ethical pentesting you will later test for weak passwords, missing MFA, and unencrypted channels; this lesson sets the stage by emphasising that the human is the first line of defence.

Key Takeaway for Lesson 3

Social engineering targets people to bypass technical controls. Your first line of defence is awareness: question unexpected requests, verify identities, and use strong passwords and safe habits. Technical defences (MFA, encryption) come next. Next: MFA and how a second factor blocks account takeover.