• Like
Module 3   social engineering-b
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Module 3 social engineering-b

  • 768 views
Published

 

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
768
On SlideShare
0
From Embeds
0
Number of Embeds
0

Actions

Shares
Downloads
20
Comments
0
Likes
0

Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide
  • Module Objectives This module will familiarize you with the following: Investigating Computer Crime Policy and Procedure Development Warning Banners Shutdown the Computer Investigating a Company Policy Violation Accessing Policy Violation Case: Example Collecting the Evidence Implementing an investigation Methodology of investigation Evaluating the case Imaging the Evidence Disk Examining the Digital Evidence Investigation plan Obtaining Search Warrant Closing the case Evaluating the case
  • INTRODUCTION TO SOCIAL ENGINEERING. Trainer: Perhaps include a picture of people in your department with a person who is familiar to everyone in the audience . You cannot spot a social engineer just by looking at them, and it could be anyone. A social engineer is a person who will deceive or con others into divulging information that they wouldn’t normally share. This picture includes: Will Padilla, Norma Springsteen, Linda Caruso, Sabrina Ledesma, Pam Miramontes, David Nelson, Dave Edwards When taken all were Yolo County employees.
  • Help desks are particularly vulnerable because they are in place specifically to help , a fact that may be exploited by people who are trying to gain illicit information. Help desk employees are trained to be friendly and give out information, so this is a gold mine for social engineering. Use a shredder
  • Fake Id’s, human nature is to be helpful. Fake Id’s, human nature is to be helpful.

Transcript

  • 1. Module 3 Social Engineering Module 3
  • 2. Social Engineering Did you know that humans get Hacked as much as computers? It’s called social engineering and it has been happening long before computers ever existed!
  • 3. Module Objectives
    • This Module will cover the following:
    • What is Social Engineering
    • Background
    • Examples
    • Countermeasures
  • 4. Social Engineering Definition
    • Social Engineering: n.
    • Term used among hackers and security professionals for techniques that rely on weaknesses in people rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.
    Source: The Hacker’s Jargon dictionary
  • 5. Social Engineering Definition
    • Impersonation and deception for the purpose of gathering information to obtain:
        • Network information
        • System access information
        • Personal information
        • Passwords
    • Impersonation and deception for the purpose of influencing action such as:
        • Establishing, moving, or canceling a service
        • Making a commitment or scheduling an engagement for which someone else is responsible
  • 6. Social Engineering
      • Can you spot a “Social Engineer” in this group?
  • 7. Social Engineering Methods
  • 8. Social Engineering Methods
    • Social Engineering by Phone
    • The most prevalent type of social engineering attack.
    • Callers may be male or female
    • The caller may appear to know the make and model of your equipment.
    • The caller is after equipment serial numbers on devices such as printers, copiers, and computers.
    • The caller will attempt to gain as much ‘extra' information as possible, such as phone numbers, fax numbers, employee titles, addresses and other employee information.
    • The caller uses a ‘private' or spoofed phone number.
    • Demonstration
  • 9. Social Engineering Methods
    • Social Engineering in Person
    • Dumpster Diving- A huge amount of information can be collected through company dumpsters and trash.
    • Examples include: Company phone books, organizational charts, memos, company policy manuals, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.
    • Impersonation- A repairman, trusted third party, fellow employee, anyone in uniform.
    • Example: the hacker will study a real individual in an organization and wait until that person is out of town to impersonate him, dressed in corporate uniform, fake ID…
  • 10. Social Engineering Methods
    • Social Engineering by Internet
    • Fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc.
    • Phishing attacks use email or malicious web sites to solicit personal, often financial, information or login/password information.
    • Email attachments sent from someone of authenticity can carry viruses, worms and Trojan horses.
    • Because these emails look “official”, over 5% of recipients may respond to them, resulting in financial losses, identity theft, release of sensitive information or other fraudulent activity.
  • 11. Social Engineering Methods
    • Social Engineering by Mail or E-mail
    • • E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.
    • • He or she (the victim) is motivated to open the message because it appears to: • Offer useful information, such as security notices or verification of a purchase • Promise a diversion, such as jokes, gossip, cartoons or photographs. • Give away something for nothing, such as music, videos or software downloads.
  • 12. Social Engineering Countermeasures
    • Social engineering countermeasures
    • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
    • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
    • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  • 13. Social Engineering Countermeasures
    • How to avoid being a victim?
    • Don't send or provide sensitive information over the Internet, over the phone, or in person before checking authenticity.
    • Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
    • If you are unsure whether an email or “snail mail” request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request.
  • 14. Exercise
    • Social engineering
    • Name 3 Companies
      • ________________
      • ________________
      • ________________