Social engineering - Ingeniería social

Ingeniería social
http://www.cse.unr.edu/~mgunes/cs450/cs450sp11/student/
Published in: Education

  1. Social Engineering Training. Jan-Willem Bullee. Cyber-crime Science.
  2. Background
     • Effectiveness of authority on compliance
     • We can get some of the answers from
       » Literature (meta-analysis)
       » Attacker stories/interviews
     • But the answers are inconclusive
       » Different context
       » Hard to measure human nature
       » Difficult to standardize behaviour
  3. Persuasion Principles
     • Authority
     • Conformity
     • Commitment
     • Liking
     • Reciprocity
     • Scarcity
  4. Authority
     • Titles: professionals vs lay people
     • Clothing: formal vs casual
     • Trappings: status vs insignificance
     [Cia01] R. B. Cialdini. The science of persuasion. Scientific American Mind, 284:76-81, Feb 2001. http://dx.doi.org/10.1038/scientificamerican0201-76
  5. Literature on Authority
     • Classical Milgram shock experiment
       » 66% full compliance
     • Nurse-physician relationship
       » 95% compliance
     • Login credentials
       » 47% compliance
     [Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4):371-378, 1963.
  6. Success factors of Authority
     • Sense of duty
     • Obedience to authority
  7. Attacker Stories
     • Books about social engineering
     • Six principles of persuasion
     • Provisional results:
       » 4 books
       » 100 cases
     [Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception: Controlling the Human Element of Security. Wiley, Oct 2002. http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html
  8. Mitnick Analysis (figure slide)
  9. Nurse Study: Design
     • Attacker: doctor
     • Target: nurse
     • Goal: violating policy
       » Maximum dose of medicine
     • Interface: phone
     • Persuasion principle: authority
     [Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in nurse-physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.
  10. Stealing a Key
     • What is the influence on compliance with a request of:
       » Social engineering (e.g. authority)
     • You are the researchers!
  11. Our Design
     • Attacker: you (student)
     • Target: employee
     • Goal: violating policy
       » Sharing the office key with a third party
     • Interface: face to face
     • Persuasion principle: authority
  12. Method: Our Design
     • Dependent and independent variables
     • 4 experimental conditions
       » Intervention / no intervention
       » Authority / no authority
     • Dependent variable
       » Compliance / no compliance with the request
     (diagram: Request → Comply)
     [Fie09] A. Field. Discovering Statistics Using SPSS. Sage, London, 3rd edition, Jan 2009. http://www.uk.sagepub.com/field3e/main.htm
  13. Method: Our Procedure
     • Subjects from the Carré building
       » 14 research groups
       » 4 conditions
     • Intervention vs no intervention
     • Authority: suit vs casual clothing
     • Randomized sample
     • Attack in 1 day
  14. Method: Our Procedure
     • Attack targets
       » Impersonate the facility manager and ask for the employee's key
       » Short questionnaire
       » Note date, time, location, condition, compliance, difficulty, etc.
     • More details on the course site
  15. What to Do on Wed 11 Sep
     • Attacker training in the morning, CR2022
     • Execute the experiment individually (or in duos)
       » One or two attackers per area
       » Condition and area allocation: Jan-Willem Bullee, on the course site soon
       » Debrief directly after the attack
  16. What to Do on Wed 11 Sep
     • We have permission to do this only at
       » UT: Carré
     • Enter your data in SPSS
       » Directly after the attack
       » Come to me, ZI4047
     • Earn 0.5 (out of 10) bonus points
  17. Ethical Issues
     • Informed consent not possible
     • Zero risk for the subjects
     • Approved by facility management
     • Consistent with data protection (PII form)
     • Approved by the ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/
  18. Conclusion
     • Designing research involves:
       » Decide what data are needed
       » Decide how to collect the data
       » Use validated techniques where possible
       » Experimental design, pilot, evaluate and improve
       » Training, data gathering
       » Start again...
  19. Further Reading
     [Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
     [Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295
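The deck asks students to record compliance per condition (slides 12 to 14) and analyse it in SPSS. The script below is an added example, not the deck's own material or data: it tabulates a constructed set of attack records in the same 2x2 design (intervention / no intervention, authority / no authority), reports the compliance rate per cell, and runs a Pearson chi-square on each factor so a defender can judge whether the awareness intervention measurably lowers compliance. All counts and the helper names are assumptions made for the example.

```python
"""
Added example (not from the slide deck): tabulating compliance in the
2x2 experimental design and testing each factor with a Pearson chi-square.
The observations are constructed for illustration, not the study's data.
"""
from collections import Counter
from itertools import product

# Constructed records: (intervention, authority, complied), one per attack
# attempt as it would be noted on the questionnaire after each approach.
OBSERVATIONS = (
    [(False, False, True)] * 6 + [(False, False, False)] * 9     # no intervention, casual
    + [(False, True, True)] * 12 + [(False, True, False)] * 3    # no intervention, suit
    + [(True, False, True)] * 4 + [(True, False, False)] * 11    # intervention, casual
    + [(True, True, True)] * 7 + [(True, True, False)] * 8       # intervention, suit
)

# Critical value of chi-square with 1 degree of freedom at alpha = 0.05.
CHI2_CRITICAL_DF1 = 3.841


def compliance_table(observations):
    """Return {(intervention, authority): (complied, total)} for all four cells."""
    complied = Counter()
    totals = Counter()
    for intervention, authority, did_comply in observations:
        cell = (intervention, authority)
        totals[cell] += 1
        if did_comply:
            complied[cell] += 1
    return {cell: (complied[cell], totals[cell])
            for cell in product((False, True), repeat=2)}


def compliance_rate(table, intervention, authority):
    """Fraction of targets in one cell who handed over the key."""
    complied, total = table[(intervention, authority)]
    return complied / total if total else 0.0


def chi_square_2x2(a, b, c, d):
    """Pearson chi-square for the 2x2 table [[a, b], [c, d]], no continuity correction."""
    n = a + b + c + d
    row1, row2, col1, col2 = a + b, c + d, a + c, b + d
    if 0 in (row1, row2, col1, col2):
        return 0.0  # degenerate table: no association can be measured
    return n * (a * d - b * c) ** 2 / (row1 * row2 * col1 * col2)


def factor_effect(observations, factor_index):
    """Collapse the other factor and test one factor against compliance.

    factor_index 0 = intervention, 1 = authority.
    Returns (rate_without, rate_with, chi2, significant_at_0_05).
    """
    complied = {False: 0, True: 0}
    total = {False: 0, True: 0}
    for record in observations:
        level = record[factor_index]
        total[level] += 1
        if record[2]:
            complied[level] += 1
    a, b = complied[False], total[False] - complied[False]  # factor absent: complied / refused
    c, d = complied[True], total[True] - complied[True]     # factor present: complied / refused
    chi2 = chi_square_2x2(a, b, c, d)
    return (a / total[False], c / total[True], chi2, chi2 > CHI2_CRITICAL_DF1)


if __name__ == "__main__":
    table = compliance_table(OBSERVATIONS)
    for (intervention, authority), (yes, n) in table.items():
        print(f"intervention={intervention!s:5} authority={authority!s:5} "
              f"compliance {yes}/{n} = {yes / n:.0%}")
    for name, idx in (("intervention", 0), ("authority", 1)):
        without, with_, chi2, sig = factor_effect(OBSERVATIONS, idx)
        print(f"{name}: {without:.0%} -> {with_:.0%}, chi2={chi2:.2f}, "
              f"{'significant' if sig else 'not significant'} at alpha=0.05")
```

With the constructed counts the authority manipulation shifts compliance from 33% to 63% and clears the 0.05 threshold, while the intervention lowers it from 60% to 37% but does not, which is the kind of result that tells a security team an awareness measure needs a larger sample or a stronger design before it can be credited with reducing risk.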