Social Engineering:Exploiting the HumanBehaviorAuthor: James KrusicIASC 1100
“You could spend a fortune purchasing technology andservices...and your network infrastructure could still remainvulnerable to old-fashioned manipulation.” -Kevin Mitnick
What is Social Engineering?• Is the technique used by attackers to gain the trust of employee’s, in efforts to get information.• A companies greatest threat are themselves.• Two categories of attacks • Technical • Non-Technical
Technical Attacks• Are those that deceive the user into believing that the application in use is truly providing them with security. • Example would be logging into Facebook and a random pop-up window is wanting your credentials. Once you supply the pop-up window with your username/password, the attack has access to your Facebook account. • Once the attacker has your password, most of the time that same password is used for bank accounts, network access and more.
Technical Attacks cont.• Examples of technical attacks: • Phishing • Usually sent via e-mail, indicating to the victim that something has happened. Once the victim opens the payload the attacker has access to the network. • Pop-up Window • Spam-Emails • This is a mass e-mail system. Which hundreds and thousands of e- mails are sent out to individuals. Tightly related with phishing attempts.
Non-Technical Attacks• Are attacks that are purely perpetrated through the art of deception. (Peer-to-Peer interaction)• Examples: • Dumpster Diving • Support Staff • Hoaxing • Authoritative Voice
Human Behavior Manipulations• Curiosity• Fear• Thoughtlessness
CuriosityWhy would exploiting curiosity be such an effective method? - It is like saying, “Why do people go into the woodswhen its dark?” - People always want to know what’s behind the door. - So when people receive an e-mail saying they won$5,000 and all they need to do is follow the link, they more thanlikely will.
Fear• Fear is such a strong behavior, because once a person experiences it, they do not want that feeling again. • Example: Hoax’s are used to falsify information in-order to scare the victim.
Thoughtlessness• Is a human behavior that is done without thought. To not think when doing.• Example: Dumpster Diving • When a person throws old credit cards away without first cutting them up, or when they throw away bank account statements that have your social security number on them, or credit card information. • An attackers gold mine, is to find personal information such as; SSN, Account Number, Addresses and more.
How to help mitigate againstpromising attacks of SocialEngineering- Educate the users/employee’s- Well-rounded policy- Audit and ensure compliance- Proper hardware mitigation - E-mail filters - Firewalls
User Education/Awareness• User education is an important role to mitigate against social engineering tasks.• Simple education such as: • Ensure employee’s check the person/s ID • Ensure employee’s verify they have appointment with management • Ensure employee’s do not divulge company secrets, personal information, and network information over the phone
Motivate the Users• Self Interest- Most people tend to retain facts better when they can personally identify with or use that information personally• Memory Persistence- Current news stories, or recent situations that effect the organization.• Perceived Importance- Effectively communicate the need for stated security policies.• Understanding- People are more inclined to follow procedures that they fully understand.
Well Rounded Security Policy• Why do we need a good security policy? • It provides a framework for best practice • Helps turn employee’s into participants in the company’s efforts to secure its information assets. • Shows internally and externally that assets are important
Audits & Compliance• Why does a company need to audit and ensure compliance of a security policy? • Companies need to audit the security policy to ensure that employee’s at all levels are following the policy • Top-Down approach is good when auditing • Most of the time upper management want more access to network resources than standard employee’s • This is a good place to start because if an attacker decides to do a spear phishing attack they usually start high, because they do not believe that they need to follow policy.
Hardware/Software Mitigation• Employ multiple firewalls using different platforms • This is security by obscurity, meaning that multiple platforms or multiple setups ensures that by getting by one firewall doesn’t mean an attacker can get by the second, or third.• Deploy E-mail Filters • Types of E-mail Filters: • Bayesian Spam Filters: Work by scanning the e-mail for tokens (usually words), and then calculating the probability that the e-mail is spam. • Very powerful, low false positives • Spam Assassin: Uses rule sets to scan body and header of e-mail messages. Can be very granular (extensive rules). • Can be ran for all e-mail or can be ran by individual users.
Additional Resources• www.mattslifebytes.com • Can find a video about social engineering. • Can find a experiment on dumpster diving • Also can find images of servers that can help you understanding hardening Linux. From IT-Adventures.• End User Security Awareness Presentation • http://www.slideshare.net/frostinel/end-user-security- awareness-presentation-presentation• Policy Enforcement • http://www.sans.org/reading_room/whitepapers/policyissues/inf ormation-security-policy-development-guide-large-small- companies_1331