SOCIAL ENGINEERING
By Muhanned Alaqili, CCNA, ACE, Security+
Lewis University
• “It’s human nature to trust our fellow man, especially when the request meets the test of being reasonable. Social engineers use this knowledge to exploit their victims and to achieve their goals.” - Kevin Mitnick
WHAT?
• What is Social Engineering?
It is the tactic or trick of gaining sensitive information by exploiting basic human nature, such as:
 Trust
 Fear
 Desire to help
WHY?
Social engineers attempt to gather information such as:
 Sensitive information
 Authorization access
 Access details
APPROACHES
• Human-based Social Engineering
 Gathers sensitive information through personal interaction
 Attacks of this category exploit the trust, fear and helping nature of humans
• Computer-based Social Engineering
 Carried out with the aid of computers to secretly install spyware or other malicious software, or to trick you into handing over your passwords or sensitive financial or personal information
HUMAN-BASED SOCIAL ENGINEERING
• Posing as a legitimate end user: gives an identity and asks for sensitive information
• Posing as an important user: CEO, project manager, etc.
• Posing as technical support
• Eavesdropping
• Shoulder surfing
• Dumpster diving
• Tailgating
• Piggybacking: a social engineer appears as a legitimate employee and walks into a secure building by following behind someone who has access.
COMPUTER-BASED SOCIAL ENGINEERING
• USB drive / memory stick, CD/DVD malware
• Mail
• Instant chat messenger: gathering of personal information by chatting with a selected online user to attempt to get information such as birth dates and maiden names
• Pop-up windows that ask for users’ information to log in / sign in
• Websites / sweepstakes
• Spam mail
• Phishing: an illegitimate email falsely claiming to be from a legitimate site attempts to acquire the user’s personal or account information
COMMON TARGETS
• Receptionists
• Help desk personnel
• Vendors of the targeted organization
• System administrators
• End users
VECTORS
Major attack vectors that social engineers use:
• Online
• Telephone
• Personal approaches
• Reverse social engineering
REVERSE SOCIAL ENGINEERING
A more advanced method of social engineering that requires a great deal of research and preparation.
It is when the hacker creates a persona that appears to be in a position of authority, so that employees in the target organization will ask him for information, rather than the other way around!
A reverse social engineering attack involves three parts:
 Marketing/advertising
 Sabotage
 Assisting/providing support
RSE EXAMPLE
• The hacker sabotages a network (e.g. a switch), causing a problem to arise. The hacker then advertises that he is the appropriate contact to fix the problem, and when he comes to fix the network problem, he requests certain bits of information from the employees and gets what he really came for. They never know it was a hacker, because their network problem goes away and everyone is happy.
• The hacker markets himself as a problem solver or an expert in networking, for example. He then sabotages the network (e.g. a switch) of the targeted organization, causing a problem to arise, and when he is called to fix the problem, he requests certain bits of information (server passwords, network infrastructure, etc.).
CONCLUSION
Social engineering is the hardest form of attack to defend against.
No matter what hardware / software you have or how much money you have spent so far,
PEOPLE are still the weakest link in the security chain.