Social Engineering: A Test of Your Common Sense
By Frederick Gallegos, CISA, CGFM, CDE
Computer Info Systems Dept
Social Engineering
• Monday morning, 6am; the electric rooster is
  telling you it's time to start a new work week. A
  shower, some coffee, and you're in the car and
  off. On the way to work you're thinking of all you
  need to accomplish this week.
• Then, on top of that, there's the recent merger
  between your company and a competitor. One of
  your associates told you you'd better be on your
  toes because rumors of layoffs are floating
  around.
Social Engineering
• You arrive at the office and stop by the restroom
  to make sure you look your best. You straighten
  your tie and turn to head to your cube when you
  notice, sitting on the back of the sink, a CD-ROM.
  Someone must have left this behind by accident.
  You pick it up and notice there is a label on it.
  The label reads "2005 Financials & Layoff's". You
  get a sinking feeling in your stomach and hurry to
  your desk. It looks like your associate has good
  reason for concern, and you're about to find out
  for yourself.
And so
• The Game Is In Play: People Are The Easiest Target
  You make it to your desk and insert the CD-ROM. You
  find several files on the CD, including a spreadsheet,
  which you quickly open. The spreadsheet contains a list
  of employee names, start dates, salaries, and a note
  field that says "Release" or "Retain". You quickly search
  for your name but cannot find it. In fact, many of the
  names don't seem familiar. Why would they? This is a
  pretty large company; you don't know everyone.
  Since your name is not on the list you feel a bit of relief.
  It's time to turn this over to your boss. Your boss thanks
  you and you head back to your desk.
Let's Take A Step Back In Time
• The CD you found in the restroom was not left there
  by accident. It was strategically placed there by me, or
  by one of the security consulting firm's employees.
• You see, a firm has been hired to perform a Network
  Security Assessment on your company.
• In reality, they have been contracted to hack into your
  company from the Internet and have been authorized to
  utilize social engineering techniques.
Bingo - Gotcha
• The spreadsheet you opened was not the only thing
  executing on your computer.
• The moment you opened that file you caused a script to
  execute which installed a few files on your computer.
• Those files were designed to call home and make a
  connection to one of our servers on the Internet. Once
  the connection was made, the software on the security
  firm's servers responded by pushing (or downloading)
  several software tools to your computer.
• Tools designed to give the team complete control of
  your computer. Now they have a platform, inside your
  company's network, from which they can continue to
  hack the network. And they can do it from inside without
  even being there.
This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to
  defeat the security measures of your company's firewall
  from the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered
  access (or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for
  attacking the network from within, with the explicit
  purpose of gaining control of a computer on the private
  network.
• All we had to do was get someone inside to do it for us.
Welcome to Social Engineering
• What would you have done if you found a
  CD with this type of information on it?

• Yes, it is people who are the weakest link
  in any security system, and Social
  Engineering exploits that ---
Phisher Site Basics
• Thief sends e-mail to customer claiming
  to be a legitimate company which has lost
  the customer's personal information
• Customer reads e-mail and goes to fake
  website
• Customer enters credit card or other
  personal information on website
• Thief steals personal information
Phisher Site E-mail Example (part 1)
From: EarthLink <billing@earthlink.net>
To: <thecustomer@earthlink.net>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department

Dear EarthLink User,
We regret to inform you, but due to a recent system
flush, the billing/personal information for your
account is temporally unavailable, and we need to
verify your identity.


<cont.>
Phisher Site E-mail Example (part 2)
  In order to continue using your EarthLink account
  and keeping it active, you must provide us with
  your full information within 24 hours of receiving
  this message.

  To re-enter your account information and keep
  your account active visit:
  www.billingdepartment-el.net


  Sincerely,
  Sean Wright
  EarthLink Billing Department
Phisher Site Example
The Real EarthLink Web Site
How to Spot Phisher Sites

TRICKS
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, html or fax form looks legit

TIP-OFFS
• Claims of "lost" information
• Unfamiliar URL
• Asks for credit card or other personal info
• No log in or not secure
• Most companies will not do this
Tips for Avoiding Phisher Sites
• Be suspicious of email asking for credit
  card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP
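The tip-offs above (claims of lost information, pressure to act within a deadline, a request for personal data, an unfamiliar URL, and a link that is not a secure site) can be turned into a simple checker. The code below is an added example, not part of the original presentation: it scores a message against those tip-offs and compares every URL in the body with the domain of the From: address. The two sample messages are constructed for this example; the first reproduces the wording of the EarthLink-style e-mail quoted in the slides, the second is an invented benign notice from a made-up bank domain (acmebank.example).

```python
"""Heuristic phishing tip-off checker (added example, not from the slides)."""
import re
from typing import List
from urllib.parse import urlsplit

# Bare hosts such as www.example.net count as links; the last label must be
# two or more letters so abbreviations like "a.m." are not picked up.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s<>\"]*)?", re.I)

# Phrases taken from the tip-off list; extend these for your own mail stream.
LOST_INFO = ("lost", "system flush", "unavailable", "corrupted")
URGENCY = ("within 24 hours", "immediately", "suspended", "keep your account active")
PERSONAL_INFO = ("credit card", "personal information", "full information",
                 "verify your identity", "password", "social security")


def sender_domain(from_header: str) -> str:
    """Domain of the From: address (assumes a single, simple address)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def url_host(url: str) -> str:
    """Host part of a link, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def same_org(host: str, domain: str) -> bool:
    """True when host is the sender's domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def phishing_tipoffs(from_header: str, body: str) -> List[str]:
    """Return the tip-offs matched; an empty list means none of the checks fired."""
    text = body.lower()
    tipoffs = []
    if any(p in text for p in LOST_INFO):
        tipoffs.append("claims of lost/unavailable information")
    if any(p in text for p in URGENCY):
        tipoffs.append("pressure to act quickly to keep service")
    if any(p in text for p in PERSONAL_INFO):
        tipoffs.append("asks for credit card or other personal info")
    domain = sender_domain(from_header)
    for url in URL_RE.findall(body):
        host = url_host(url)
        if not host:
            continue
        if domain and not same_org(host, domain):
            tipoffs.append(f"unfamiliar URL: {host} does not belong to {domain}")
        if not url.lower().startswith("https://"):
            tipoffs.append(f"link is not a secure (https) site: {url}")
    return tipoffs


# Constructed sample 1: the wording of the phisher e-mail shown in the slides.
PHISH_FROM = "EarthLink <billing@earthlink.net>"
PHISH_BODY = """Dear EarthLink User,
We regret to inform you, but due to a recent system flush, the billing/personal
information for your account is temporally unavailable, and we need to verify
your identity.
In order to continue using your EarthLink account and keeping it active, you
must provide us with your full information within 24 hours of receiving this
message.
To re-enter your account information and keep your account active visit:
www.billingdepartment-el.net
Sincerely,
Sean Wright
EarthLink Billing Department"""

# Constructed sample 2: a benign notice whose link stays on the sender's domain.
BENIGN_FROM = "Acme Bank <alerts@acmebank.example>"
BENIGN_BODY = """Your monthly statement is ready.
Log in at https://online.acmebank.example/statements to view it."""

if __name__ == "__main__":
    for label, hdr, body in (("phish", PHISH_FROM, PHISH_BODY),
                             ("benign", BENIGN_FROM, BENIGN_BODY)):
        print(label, phishing_tipoffs(hdr, body) or "no tip-offs")
```

The checker is deliberately crude: it flags the sample phish on all five tip-offs and raises nothing on the benign notice, but a real mail filter would also verify the sender (SPF/DKIM) rather than trust the From: header, which the tip-off list itself warns looks legitimate at first glance.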
Federal Trade Commission: Identity Theft Data Clearinghouse Complaints (1)
(chart; values in thousands on the original axis, recovered totals shown below)

  Year       Complaints
  CY-1999         1,380
  CY-2000        31,117
  CY-2001        86,197
  CY-2002       161,886
  CY-2003       210,000 (projected) (2)

  Projected cumulative complaint count 1999-2003: 490,000

  1 Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
  2 Projections for calendar year 2003 are based on complaints received from January through June 2003.
Federal Trade Commission: Consumer Sentinel Complaints (1)
(chart; values in thousands on the original axis, recovered totals shown below)

  Year       Identity Theft Complaints   Fraud Complaints     Total
  CY-2000          31,117 (22%)           107,890 (78%)     139,007
  CY-2001          86,197 (39%)           133,891 (61%)     220,088
  CY-2002         161,886 (43%)           218,284 (57%)     380,170

  1 Percentages are based on the total number of Consumer Sentinel complaints by calendar year.
Federal Trade Commission
  1-877-FTC-HELP   www.consumer.gov/sentinel
  1-877-IDTHEFT    www.consumer.gov/idtheft
And Another
• The easiest way to break into any
  computer system is to use a valid
  username and password and the easiest
  way to get that information is to ask
  someone for it.
The Beginning
• Like many hacking techniques, social
  engineering got its start in attacks against
  the telephone company. The hacker (or
  phone phreak, as they used to be called)
  would dial up an operator and, by using the
  right jargon, convince him or her to make
  a connection or share some information
  that should not have been shared.
In Reality
• Social engineering is probably as old as
  speech, and goes back to the first lie.
• It is still successful today because people
  are generally helpful, especially to
  someone who is nice, knowledgeable, and
  / or insistent.
• No amount of technology can protect you
  against a social engineering attack.
So How Do You Protect Yourself from Yourself?
• Recognizing an Attack
  – You can prepare your organization by
    teaching people how to recognize a possible
    social engineering attack. Do we have a
    Cyber Security & Ethics 101 Class?
• Prevent a successful attack
  – You can prepare a defense against this form
    of social engineering by including instructions
    in your security policy for handling it.
So How Do You Protect Yourself from Yourself?
• Create a response plan
  – Your response plan should include
    instructions on how to deal with inquiries
    relating to passwords or other classified
    information.
• Implement and Monitor the response plan
  and continue to reinforce with Training
Target And Attack
• The basic goals of social engineering are the same as
  hacking in general: to gain unauthorized access to
  systems or information in order to commit fraud, network
  intrusion, industrial espionage, identity theft, or simply to
  disrupt the system or network.
• Typical targets include telephone companies and
  answering services, big-name corporations and financial
  institutions, military and government agencies, and
  hospitals.
• The Internet boom had its share of industrial engineering
  attacks in start-ups as well, but attacks generally focus
  on larger entities.
And Another
• One morning a few years back, a group of
  strangers walked into a large shipping firm and
  walked out with access to the firm’s entire
  corporate network.
• How did they do it? By obtaining small amounts
  of access, bit by bit, from a number of different
  employees in that firm. First, they did research
  about the company for two days before even
  attempting to set foot on the premises.
And so on…
• For example, they learned key employees’
  names by calling HR. Next, they
  pretended to lose their key to the front
  door, and a man let them in. Then they
  "lost" their identity badges when entering
  the third floor secured area, smiled, and a
  friendly employee opened the door for
  them.
And so on…
• The strangers knew the CFO was out of town, so they
  were able to enter his office and obtain financial data off
  his unlocked computer.
• They dug through the corporate trash, finding all kinds of
  useful documents.
• They asked a janitor for a garbage pail in which to place
  their contents and carried all of this data out of the
  building in their hands.
• The strangers had studied the CFO's voice, so they were
  able to phone, pretending to be the CFO, in a rush,
  desperately in need of his network password. From
  there, they used regular technical hacking tools to gain
  super-user access into the system.
Common Techniques
•   Social Engineering by Phone
•   Dumpster Diving
•   On-line Social Engineering
•   Persuasion
•   Reverse Social Engineering
•   And many more….
Defining The Term "Social Engineering"
• In the world of computers and technology, social
  engineering is a technique used to obtain or attempt to
  obtain secure information by tricking an individual into
  revealing the information.
• Social engineering is normally quite successful because
  most targets (or victims) want to trust people and provide
  as much help as possible.
• Victims of social engineering typically have no idea they
  have been conned out of useful information or have
  been tricked into performing a particular task.

• The prey is not just you but your children and elders as
  well
A Challenge to the CSU
• This is the 21st Century, the time of
  CyberSpace
• Why is there no formal GE requirement
  for CyberSecurity and Ethics, which can
  be taught not only at the CSU level but at the
  CC level as well?
• Why don't we extend this education to K-12
  and Senior Centers as well?
Mt. SAC and Cal Poly Efforts
• NSF Grant Project – Establishment of a
  Regional Information Systems Security Center
  (RISSC see
  http://rissc.mtsac.edu/RISSC_NEW/default.asp )
• Cal Poly’s Participation in the Title V Grant and
  development of Network Security curriculum
• Cal Poly Pomona’s Establishment of a Center
  for Information Assurance (see
  http://www.bus.csupomona.edu/cfia.asp )
Please join US for
• Information Assurance Symposium
  Building Information Assurance Capacity
  and Improving Infrastructure at Minority
  Serving Institutions

    December 8 - 10, 2005
    Cal Poly Pomona
    8:30 a.m. - 5:00 p.m.
Contribute to:
• Information Sharing
• Curriculum Development
• Awareness, Knowledge and Development
  of initiatives to help others around us be
  better at practicing good security
  techniques
• Our thanks to Educause, ISACA, ISSA, IIA
  and HTCIA for their support

More Related Content

Similar to 077 socialengineering

Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Alan Percy
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?TelcoBridges Inc.
 
E sanchar-ver-4 presentation
E sanchar-ver-4 presentationE sanchar-ver-4 presentation
E sanchar-ver-4 presentationshivmandowara
 
How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
How to Rebuild the Controls and Confidence after Data Exfiltration OccursHow to Rebuild the Controls and Confidence after Data Exfiltration Occurs
How to Rebuild the Controls and Confidence after Data Exfiltration OccursInnoTech
 
Outsource tax preparation guide
Outsource tax preparation guideOutsource tax preparation guide
Outsource tax preparation guideCogneesol
 
cyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxcyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxParasSehgal12
 
cyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxcyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxbiswajitghosal4
 
Robocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCRobocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCAlan Percy
 
Robocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCRobocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCTelcoBridges Inc.
 
ATSI Reports Annual Results for FY2010
ATSI Reports Annual Results for FY2010ATSI Reports Annual Results for FY2010
ATSI Reports Annual Results for FY2010digerati-inc
 
Aon - Cyber Insurance in the World of Cyber Criminals
Aon - Cyber Insurance in the World of Cyber CriminalsAon - Cyber Insurance in the World of Cyber Criminals
Aon - Cyber Insurance in the World of Cyber CriminalsCSNP
 

Similar to 077 socialengineering (17)

Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
 
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?Will STIR/SHAKEN Solve the Illegal Robocall Problem?
Will STIR/SHAKEN Solve the Illegal Robocall Problem?
 
E sanchar-ver-4 presentation
E sanchar-ver-4 presentationE sanchar-ver-4 presentation
E sanchar-ver-4 presentation
 
How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
How to Rebuild the Controls and Confidence after Data Exfiltration OccursHow to Rebuild the Controls and Confidence after Data Exfiltration Occurs
How to Rebuild the Controls and Confidence after Data Exfiltration Occurs
 
IC-DISC Presentation by Steve Ragow
IC-DISC Presentation by Steve RagowIC-DISC Presentation by Steve Ragow
IC-DISC Presentation by Steve Ragow
 
Outsource tax preparation guide
Outsource tax preparation guideOutsource tax preparation guide
Outsource tax preparation guide
 
cyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxcyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptx
 
cyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptxcyber-protect-may-17-law-society-presentation.pptx
cyber-protect-may-17-law-society-presentation.pptx
 
Robocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCRobocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBC
 
Robocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBCRobocall Mitigation with YouMail and ProSBC
Robocall Mitigation with YouMail and ProSBC
 
Worldcom and enron
Worldcom and enron Worldcom and enron
Worldcom and enron
 
ATSI Reports Annual Results for FY2010
ATSI Reports Annual Results for FY2010ATSI Reports Annual Results for FY2010
ATSI Reports Annual Results for FY2010
 
Buisness combination
Buisness combinationBuisness combination
Buisness combination
 
Ec elim purch
Ec elim purchEc elim purch
Ec elim purch
 
Sample Lead Generation Report
Sample Lead Generation ReportSample Lead Generation Report
Sample Lead Generation Report
 
Aon - Cyber Insurance in the World of Cyber Criminals
Aon - Cyber Insurance in the World of Cyber CriminalsAon - Cyber Insurance in the World of Cyber Criminals
Aon - Cyber Insurance in the World of Cyber Criminals
 
Executive summary
Executive summaryExecutive summary
Executive summary
 

Recently uploaded

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Recently uploaded (20)

Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

077 socialengineering

1. Social Engineering: A Test of Your Common Sense
By Frederick Gallegos, CISA, CGFM, CDE
Computer Info Systems Dept

2. Social Engineering
• Monday morning, 6am; the electric rooster is telling you it's time to start a new work week. A shower, some coffee, and you're in the car and off. On the way to work you're thinking of all you need to accomplish this week.
• Then, on top of that, there's the recent merger between your company and a competitor. One of your associates told you that you had better be on your toes because rumors of layoffs are floating around.

3. Social Engineering
• You arrive at the office and stop by the restroom to make sure you look your best. You straighten your tie and turn to head to your cube when you notice, sitting on the back of the sink, a CD-ROM. Someone must have left it behind by accident. You pick it up and notice there is a label on it. The label reads "2005 Financials & Layoff's". You get a sinking feeling in your stomach and hurry to your desk. It looks like your associate has good reason for concern, and you're about to find out for yourself.

4. And so
• The Game Is In Play: People Are The Easiest Target
• You make it to your desk and insert the CD-ROM. You find several files on the CD, including a spreadsheet, which you quickly open. The spreadsheet contains a list of employee names, start dates, salaries, and a note field that says "Release" or "Retain". You quickly search for your name but cannot find it. In fact, many of the names don't seem familiar. Why would they? This is a pretty large company; you don't know everyone.
• Since your name is not on the list you feel a bit of relief. It's time to turn this over to your boss. Your boss thanks you and you head back to your desk.

5. Let's Take A Step Back In Time
• The CD you found in the restroom was not left there by accident. It was strategically placed there by me, or by one of the security consulting firm's employees.
• You see, a firm has been hired to perform a Network Security Assessment on your company.
• In reality, they have been contracted to hack into your company from the Internet and have been authorized to utilize social engineering techniques.

6. Bingo - Gotcha
• The spreadsheet you opened was not the only thing executing on your computer.
• The moment you opened that file, you caused a script to execute which installed a few files on your computer.
• Those files were designed to call home and make a connection to one of our servers on the Internet. Once the connection was made, the software on the security firm's servers responded by pushing (or downloading) several software tools to your computer.
• Tools designed to give the team complete control of your computer. Now they have a platform, inside your company's network, from which they can continue to hack the network. And they can do it from inside without even being there.

7. This is what we call a 180 degree attack.
• Meaning, the security consulting team did not have to defeat the security measures of your company's firewall from the Internet.
• You took care of that for us.
• Many organizations give their employees unfettered access (or impose limited control) to the Internet.
• Given this fact, the security firm devised a method for attacking the network from within, with the explicit purpose of gaining control of a computer on the private network.
• All we had to do was get someone inside to do it for us.

8. Welcome to Social Engineering
• What would you have done if you found a CD with this type of information on it?
• Yes, it is people who are the weakest link in any security system, and Social Engineering Exploits that ---
10. Phisher Site Basics
• Thief sends e-mail to customer claiming to be a legitimate company which has lost the customer's personal information
• Customer reads e-mail and goes to fake website
• Customer enters credit card or other personal information on website
• Thief steals personal information

11. Phisher Site E-mail Example (part 1)
From: EarthLink <billing@earthlink.net>
To: <thecustomer@earthlink.net>
Date: 7/6/2003 11:50:02 AM
Subject: Billing Department
Dear EarthLink User,
We regret to inform you, but due to a recent system flush, the billing/personal information for your account is temporally unavailable, and we need to verify your identity. <cont.>

12. Phisher Site E-mail Example (part 2)
In order to continue using your EarthLink account and keeping it active, you must provide us with your full information within 24 hours of receiving this message. To re-enter your account information and keep your account active visit: www.billingdepartment-el.net
Sincerely,
Sean Wright
EarthLink Billing Department
14. The Real EarthLink Web Site
15. How to Spot Phisher Sites
TRICKS
• E-mail looks legit (at first)
• Prompts you to act quickly to keep service
• Website, html or fax form looks legit
TIP-OFFS
• Claims of "lost" information
• Unfamiliar URL
• Asks for credit card or other personal info
• No log in or not secure
• Most companies will not do this
16. Tips for Avoiding Phisher Sites
• Be suspicious of email asking for credit card or other personal info
• URL should be familiar
• Should require log-in
• Should be a SECURE SITE
• Call the company when in doubt
• Always report spam/fraud to your ISP
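The tip-offs on slides 15 and 16 can be turned into a mechanical check. The Python below is an added example, not part of the original deck: it runs those checks over the EarthLink message from slides 11-12 and over a constructed control message; the regex trigger phrases and the two-label "registered domain" rule are assumptions.

```python
# Heuristic check for the phishing tip-offs listed on the slides (added example, not from the deck).
import re
from email import message_from_string
# Regexes for the slide tip-offs; the exact trigger phrases are an assumption.
URGENCY = re.compile(r"\bwithin \d+ hours?\b|\bimmediately\b", re.I)
PERSONAL = re.compile(r"credit card|personal information|verify your identity", re.I)
LOST = re.compile(r"\blost\b|\bunavailable\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+|\bwww\.[^\s<>\"']+", re.I)

def registered_domain(url_or_host: str) -> str:
    """Last two labels (www.earthlink.net/x -> earthlink.net); assumes no co.uk-style suffixes."""
    host = re.sub(r"^https?://", "", url_or_host, flags=re.I).split("/")[0]
    return ".".join(host.lower().split(".")[-2:])

def phish_tipoffs(raw: str) -> list[str]:
    """Return the slide tip-offs that fire for one raw e-mail (headers, blank line, body)."""
    msg = message_from_string(raw)
    body = " ".join(msg.get_payload().split())  # undo line wrapping before matching
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender_domain = registered_domain(m.group(1)) if m else ""
    tipoffs = []
    for url in URL.findall(body):
        if registered_domain(url) != sender_domain:  # "Unfamiliar URL"
            tipoffs.append(f"unfamiliar URL: {url} is not under {sender_domain}")
        if not url.lower().startswith("https://"):  # "not secure"
            tipoffs.append(f"not a secure site: {url}")
    if LOST.search(body): tipoffs.append("claims information was lost or unavailable")
    if URGENCY.search(body): tipoffs.append("prompts you to act quickly")
    if PERSONAL.search(body): tipoffs.append("asks for credit card or other personal info")
    return tipoffs

# The message from slides 11-12, transcribed as a raw e-mail.
PHISH = """From: EarthLink <billing@earthlink.net>
Subject: Billing Department

Dear EarthLink User, We regret to inform you, but due to a recent system flush, the
billing/personal information for your account is temporally unavailable, and we need to
verify your identity. In order to continue using your EarthLink account and keeping it
active, you must provide us with your full information within 24 hours of receiving this
message. To re-enter your account information and keep your account active visit:
www.billingdepartment-el.net   Sincerely, Sean Wright EarthLink Billing Department
"""

# Constructed control message: same sender domain, HTTPS link, no pressure or data request.
LEGIT = """From: EarthLink <news@earthlink.net>
Subject: Monthly newsletter

This month's tips are posted at https://www.earthlink.net/newsletter
"""
```

The phishing message trips all five checks (unfamiliar URL, not secure, "lost" claim, urgency, personal-info request) while the control message trips none.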
17. Federal Trade Commission
Identity Theft Data Clearinghouse Complaints (1) (chart; yearly totals recovered from the chart labels)
Year      Complaints
CY-1999       1,380
CY-2000      31,117
CY-2001      86,197
CY-2002     161,886
CY-2003     210,000 (projected) (2)
Projected cumulative complaint count 1999-2003: 490,000
(1) Since February 2001, complaint data have also been provided to the Clearinghouse by the Social Security Administration-Office of Inspector General.
(2) Projections for calendar year 2003 are based on complaints received from January through June 2003.

18. Federal Trade Commission
Consumer Sentinel Complaints (1) (chart; yearly figures recovered from the chart labels)
Year      Identity Theft Complaints   Fraud Complaints   Total
CY-2000    31,117 (22%)               107,890 (78%)      139,007
CY-2001    86,197 (39%)               133,891 (61%)      220,088
CY-2002   161,886 (43%)               218,284 (57%)      380,170
(1) Percentages are based on the total number of Consumer Sentinel complaints by calendar year.
19. Federal Trade Commission
1-877-FTC-HELP  www.consumer.gov/sentinel
1-877-IDTHEFT  www.consumer.gov/idtheft
22. And Another
• The easiest way to break into any computer system is to use a valid username and password, and the easiest way to get that information is to ask someone for it.

23. The Beginning
• Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hackers (or phone phreaks, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.

24. In Reality
• Social engineering is probably as old as speech, and goes back to the first lie.
• It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and/or insistent.
• No amount of technology can protect you against a social engineering attack.

25. So How Do You Protect Yourself from Yourself?
• Recognizing an Attack – You can prepare your organization by teaching people how to recognize a possible social engineering attack. Do we have a Cyber Security & Ethics 101 class?
• Prevent a successful attack – You can prepare a defense against this form of social engineering by including instructions in your security policy for handling it.

26. So How Do You Protect Yourself from Yourself?
• Create a response plan – Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information.
• Implement and monitor the response plan, and continue to reinforce it with training.

27. Target And Attack
• The basic goals of social engineering are the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network.
• Typical targets include telephone companies and answering services, big-name corporations and financial institutions, military and government agencies, and hospitals.
• The Internet boom had its share of industrial engineering attacks in start-ups as well, but attacks generally focus on larger entities.

28. And Another
• One morning a few years back, a group of strangers walked into a large shipping firm and walked out with access to the firm's entire corporate network.
• How did they do it? By obtaining small amounts of access, bit by bit, from a number of different employees in that firm. First, they did research about the company for two days before even attempting to set foot on the premises.

29. And so on…
• For example, they learned key employees' names by calling HR. Next, they pretended to lose their key to the front door, and a man let them in. Then they "lost" their identity badges when entering the third floor secured area, smiled, and a friendly employee opened the door for them.

30. And so on…
• The strangers knew the CFO was out of town, so they were able to enter his office and obtain financial data off his unlocked computer.
• They dug through the corporate trash, finding all kinds of useful documents.
• They asked a janitor for a garbage pail in which to place their contents and carried all of this data out of the building in their hands.
• The strangers had studied the CFO's voice, so they were able to phone, pretending to be the CFO, in a rush, desperately in need of his network password. From there, they used regular technical hacking tools to gain super-user access into the system.

31. Common Techniques
• Social Engineering by Phone
• Dumpster Diving
• On-line Social Engineering
• Persuasion
• Reverse Social Engineering
• And many more…

32. Defining The Term "Social Engineering"
• In the world of computers and technology, social engineering is a technique used to obtain or attempt to obtain secure information by tricking an individual into revealing the information.
• Social engineering is normally quite successful because most targets (or victims) want to trust people and provide as much help as possible.
• Victims of social engineering typically have no idea they have been conned out of useful information or have been tricked into performing a particular task.
• The prey is not just you but your children and elders as well.

33. A Challenge to the CSU
• This is the 21st Century, the Time of CyberSpace.
• Why is there no formal GE requirement for CyberSecurity and Ethics, which could be taught not only at the CSU level but at the CC level as well?
• Why don't we extend this education to K-12 and Senior Centers as well?

34. Mt. SAC and Cal Poly Efforts
• NSF Grant Project – Establishment of a Regional Information Systems Security Center (RISSC; see http://rissc.mtsac.edu/RISSC_NEW/default.asp )
• Cal Poly's participation in the Title V Grant and development of Network Security curriculum
• Cal Poly Pomona's establishment of a Center for Information Assurance (see http://www.bus.csupomona.edu/cfia.asp )

35. Please join us for
• Information Assurance Symposium: Building Information Assurance Capacity and Improving Infrastructure at Minority Serving Institutions
December 8 - 10, 2005, Cal Poly Pomona, 8:30 a.m. - 5:00 p.m.

36. Contribute to:
• Information Sharing
• Curriculum Development
• Awareness, knowledge and development of initiatives to help others around us be better at practicing good security techniques
• Our thanks to Educause, ISACA, ISSA, IIA and HTCIA for their support