Airport IT&T 2013 John McCarthy
  • 1. Social Engineering Managing the Human Element Dr John McCarthy Cyber Research Fellow Cranfield University, UK Defence Academy & Vice President of Cyber Security, ServiceTec Global Services
  • 2. Social Engineering Managing the Human Element Dr John McCarthy Ph.D. B.Sc. (hons) MBCS Vice President of Cyber Security ServiceTec International Inc./ServiceTec Research Fellow at Cranfield University / UK Defence Academy
  • 3. Partners • Cyber-Physical Systems Research Centre, based at Cranfield and sponsored by ServiceTec • University of Nebraska • Federal Aviation Administration (FAA) • Joint Information Operations Warfare Centre, Vulnerability Assessment Branch (JVAB), USA
  • 4. The Problem
  • 5. What is Social Engineering? • Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organisation. • Social engineering attacks are likely to increase, and it is becoming increasingly important for organisations to address this issue.
  • 6. Phishing to Honeypots • In the context of cybersecurity we often think of complex computer systems, sophisticated hackers and hacking techniques. • All too often the human element in cybersecurity is overlooked. Many criminal gangs use social engineering techniques, and the crossover from traditional criminal activity into the cyber world is increasingly common.
  • 7. Social Engineering Attacks Cost • In the past two years, 48% of large businesses have suffered socially engineered attacks at least 25 times, with losses of between $25,000 and $100,000 per incident. • Attackers' primary motivations are stealing financial information, extracting trade secrets, or revenge.
  • 8. Who is the enemy? • Cyber terrorists • Disgruntled employees • Hacktivists • Script kiddies • Cyber criminals • Foreign governments • Organised crime
  • 9. Cultural Background • It won't happen to me…
  • 10. Catch Me If You Can • Frank Abagnale, before his 19th birthday, successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor and a Louisiana parish prosecutor. • His primary crime was check fraud; he became so skilful that the FBI eventually turned to him for help in catching other check forgers.
  • 11. Everyday Social Engineering
  • 12. Stereotypes: Dorothea Puente • At the age of sixty, Puente was discovered by police to be killing off her boarders and collecting their insurance money. • Seven bodies were buried in her back yard.
  • 13. Are you easily persuaded?
  • 14. Attack Vectors
  • 15. Phishing Attacks • Nigerian 419 email scam • DHL delivery notice • Tax refund • Another bank notice • PayPal • Compromising the websites or social media accounts (Twitter etc.) of companies or organisations and damaging their reputation
  • 16. Socially Open to All… • The primary tool used for social engineering attacks is the phishing email • Followed by social networking sites that disclose employees' personal details
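Slides 15 and 16 name the lures (DHL, PayPal, bank and tax notices) but not what distinguishes such a message from a genuine one. The script below, added here as an illustration and not part of the original deck, checks four indicators that a mail gateway or an analyst can test without any network access: a display name that drops a brand name while the sender domain is not that brand's, a Reply-To steering replies to a different domain, link text that shows one URL while the href goes elsewhere, and hosts that imitate a brand by swapping digits for letters (paypa1 for paypal). The two messages are constructed samples; the brand-to-domain table and the two-label "registered domain" rule are simplifying assumptions, not a complete public-suffix check.

```python
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: a "PayPal" notice whose real
# sender, Reply-To and link target all disagree with what the reader sees.
SAMPLE_EML = """\
From: "PayPal Service" <alerts@paypa1-secure.example>
Reply-To: recovery@mailbox-example.net
To: jane.doe@airport.example
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Confirm your details within 24 hours.</p>
<p><a href="http://paypa1-secure.example/login">https://www.paypal.com/signin</a></p>
</body></html>
"""

# Constructed benign message for comparison.
BENIGN_EML = """\
From: "Jane Doe" <jane.doe@airport.example>
To: ops@airport.example
Subject: Shift rota
Content-Type: text/plain; charset=utf-8

The rota for next week is on the intranet.
"""

# Assumed brand-to-domain table for the lures the deck names.
BRAND_DOMAINS = {"paypal": "paypal.com", "dhl": "dhl.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two DNS labels (fine for .com/.example, too crude for co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def lookalike_brand(host):
    """Brand a host imitates via 1->l / 0->o substitutions, else None."""
    folded = host.lower().translate(str.maketrans("10", "lo"))
    for brand, real in BRAND_DOMAINS.items():
        if brand in folded and registered_domain(host) != real:
            return brand
    return None


def analyse(raw):
    """Return a list of (code, detail) phishing indicators for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    if not msg["From"]:
        return [("no-from", "message has no From header")]
    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()
    findings = []

    # 1. Display name claims a brand, but the sender domain is not the brand's.
    for brand, real in BRAND_DOMAINS.items():
        if brand in sender.display_name.lower() and registered_domain(from_domain) != real:
            findings.append(("brand-spoof", f"'{sender.display_name}' sent from {from_domain}"))

    # 2. Replies are steered to a different domain than the visible sender.
    if msg["Reply-To"]:
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if registered_domain(reply_domain) != registered_domain(from_domain):
            findings.append(("reply-to-mismatch", f"{from_domain} vs {reply_domain}"))

    # 3. Link text shows one URL while the href points at another host.
    hosts = {from_domain}
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            href_host = urlparse(href).hostname or ""
            hosts.add(href_host)
            if re.match(r"https?://", text):
                text_host = urlparse(text).hostname or ""
                if registered_domain(href_host) != registered_domain(text_host):
                    findings.append(("link-mismatch", f"shows {text_host}, goes to {href_host}"))

    # 4. Any sender or link host imitating a brand with look-alike characters.
    for host in sorted(hosts):
        brand = lookalike_brand(host)
        if brand:
            findings.append(("lookalike-host", f"{host} imitates {brand}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_EML):
        print(f"{code}: {detail}")
    print("benign findings:", analyse(BENIGN_EML))
```

Each check is deliberately independent, so a message that trips only one still surfaces; in practice the display-name and link-text mismatches are the two that awareness training should teach people to look for, since they are visible in any mail client without opening headers.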
  • 17. Targeted Malware • Targeted malware that is, in some cases, just hours old • Found a USB drive in the car park? Great, a freebie! • Combating this type of APT can be incredibly difficult, because all it takes is one employee opening a seemingly innocuous but actually malicious attachment, and the business is compromised
  • 18. Common Attack Entry Points • Customer service • Tech support • Delivery person • Tailgating
  • 19. Information Gathering Techniques • Research: professional gangs can spend months gathering information from the web and from employees • Dumpster diving: poor disposal of confidential data
  • 20. Traditional Sources • Websites: you can find information about the company, what it does, the products and services it provides, physical locations, job openings, contact numbers, and bios of the executives or board of directors. • Public servers: a company's publicly reachable servers. Fingerprinting servers for their OS, application and IP information can tell you a great deal about their infrastructure.
  • 21. Traditional Sources • Social media is a technology that many companies have recently embraced. User sites such as blogs, wikis and online videos may provide information about the target company. • A disgruntled employee who blogs about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems. • Public data may be generated by entities inside and outside the target company: quarterly reports, government reports, analyst reports, earnings posted by publicly traded companies, etc.
  • 22. Non-Traditional Sources • Industry experts or subject matter experts can provide detailed information about an area without providing anything regarding the target company. • "When in Rome, do as the Romans do": engaging in activities or frequenting places that employees of the target company also do or visit is an excellent opportunity to elicit information. Proximity to the employees provides opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID access cards.
  • 23. Influencing Others • Reciprocity, obligation, concession: want a bar of chocolate? • Scarcity, authority, commitment and consistency, liking, consensus or social proof, framing • In his book "Influence: The Psychology of Persuasion", Dr Robert Cialdini states: "Social Proof - People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment aborted, as so many people were looking up that they stopped traffic." • Manipulation of incentive: financial, social, ideological
  • 24. Towards a Solution
  • 25. Lets build a bigger better wall
  • 26. Just Say No……………..
  • 27. We Cannot Live in Isolation • Social media has become a necessary part of business • Sharing of information, and access to information, is now expected • We need to understand the risks
  • 28. Cybersecurity Culture • Mitigation of social engineering begins with good policy and awareness training • Most important is creating a cybersecurity culture within the organisation • This must start at the top and work down
  • 29. Countermeasures • Establishing frameworks of trust at the employee/personnel level (i.e. specifying, and training personnel in, when, where, why and how sensitive information should be handled) • Identifying which information is sensitive and evaluating its exposure to social engineering and to breakdowns in security systems (building, computer system, etc.) • Establishing security protocols, policies and procedures for handling sensitive information • Training employees in the security protocols relevant to their position (e.g. for tailgating: if a person's identity cannot be verified, employees must be trained to politely refuse entry)
  • 30. Countermeasures • Performing unannounced, periodic tests of the security framework • Reviewing the above steps regularly: no solution to information integrity is perfect • Using a waste management service whose dumpsters have locks, with keys held only by the waste management company and the cleaning staff • Locating the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence, so that a person must trespass before they can attempt to access it
  • 31. "(As) the media characterizes social engineering, hackers will call up and ask for a password. I have never asked anyone for their password." (Kevin Mitnick) • Email: Airport Cyber Security Podcast