The Seven Social Engineering Vices



Cybercrime has gone "pro". The bad guys send you spear-phishing attacks and try to trick you into clicking phishing links or opening infected attachments. These slides explain today's hidden IT vulnerability and the seven social engineering vices that let the bad guys into an organization's network.


Transcript

  • 1. You may not be aware that there is a scale of seven deadly vices connected to social engineering. The deadliest social engineering attacks are the ones that have the highest success rates, often approaching 100%. What is the secret of these attacks? Why do they succeed so well?
  • 2. Your own observations show you that people are very different. Some are always enthusiastic and willing to learn something new. Others are more conservative but courteous to their co-workers. A bit further down this scale are people who always look like they are bored with life, and at the bottom are those who just don't care and are basically apathetic about everything.
  • 3. Successful social engineers first determine where their target is on this scale, and then select the attack that will have the highest degree of success with that person, closely matching the target's outlook on life.
  • 4. This scale of vices can be approached from either a negative or a positive side. You can call it gullibility or you can call it trust, call it greed or self-interest, but since we're talking vices here we'll stick to the negative labels. Here are seven social engineering attacks that I hope are a good example of each one of the deadly vices, but note that there is always overlap and things are not that clear-cut. We are dealing with humans, after all!
  • 5. Curiosity: The attacker left a USB stick next to the wash basin in the restroom of the floor that had the executive offices and their administrative assistants. It was clearly marked "Q1 Salary Updates". The USB drive had modified malware on it that installed itself and called home from any workstation it was plugged into. This attack was 90% effective. [1]
  • 6. Courtesy: The attacker focused on the CEO of his target company. He did his research, found the CEO had a relative battling cancer and was active in an anti-cancer charity. The attacker spoofed someone from the charity, asked the CEO for his feedback on a fund-raising campaign and attached an infected PDF. Mission achieved: the CEO's PC was owned and the network followed shortly after. And of course holding the door open for a stranger with his hands full of boxes is the classic Courtesy piggybacking (tailgating) example that we all know. [2]
  • 7. Gullibility: Attackers identified the proper managers at two separate branches of their targeted bank. They bought a domain name that looked very similar to the bank's domain. They spoofed the bank execs' emails and sent bogus emails to the managers authorizing a transaction. They walked in with a counterfeit check and a fake driver's license, and walked out with 25,000 in cash... repeatedly! [3]
  • 8. Greed: Did you know that the Nigerian 419 scams these days use the word "Nigeria" on purpose to qualify their targets up front? It is now used as a filter to weed out people and grab the uneducated ones who are greedy enough to take a risk and answer the 26-year-old orphan girl who has $12,500,000 in the bank, needs a guardian and some help transferring the funds... [4]
  • 9. Thoughtlessness: The combined U.S. and Israeli intelligence arms created the Stuxnet malware, which sabotaged Iran's Natanz uranium enrichment centrifuges. It was carried in via a simple USB attack on one of their scientists. The Mossad slipped a USB drive to the scientist, who plugged the stick into his laptop at his house, went to work and there connected the laptop to the internal Natanz network. Social engineering jumped the air gap because of a scientist who should have known better. [5]
  • 10. Shyness: A Brad Pitt look-alike walks up to the internal reception of the Human Resources Department of a French multinational's Boston office. He profusely apologizes for being a few minutes late and shows a piece of paper with coffee stains. He explains he spilled coffee over his resume and asks if the receptionist "pretty please with sugar" can print a fresh copy for his interview. He hands over the USB drive; the shy receptionist does not confront him with the company policy that no foreign devices are allowed on the network, quickly prints a new copy and hands him the stick back. The young man disappears to the restrooms and the network is so owned. [6]
  • 11. Apathy: Q: Which is more useful to a social engineer, ignorance or apathy? A: I don't know and I don't care. The three employees of the shipping department all got the same generic phishing email purporting to come from UPS, popping into their inboxes at more or less the same time. None of them took the time to hover their mouse over the link and see that it really went to a Czech site with .cz at the end. Furthermore, not one of them prairie-dogged up from their cubicle to warn the others. Two of the three clicked on the link and got their workstations infected with nasty malware that required a wipe-and-rebuild of their machines. [7]
  • 12. As you can see, the genie is out of the bottle. Cybercrime has taken the concept of social engineering and it's out in the wild. So, what to do?
    1. Publish and distribute a comprehensive security policy.
    2. Understand that policy is only the start of dealing with the problem.
    3. Acknowledge that there is no effective implementation of policy which doesn't include a degree of education.
    4. Be realistic. Education doesn't mean making end-users security experts. It means teaching them all they need to know to use computers safely.
    5. Have a look at Kevin Mitnick Security Awareness Training.
    Hat tip to David Harley, Kevin Mitnick, Chris Hadnagy, SANS, and many others. For more info and useful links about social engineering check out the Wikipedia page, and a great article by David Harley over at the cluestick site.
  • 13. www.KnowBe4.com
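Two of the slides describe checks that do not have to rely on a busy employee hovering over a link: slide 7 (a sender domain that merely looks like the bank's) and slide 11 (link text that shows one site while the href goes to a .cz site). The following is an added example, not code from the KnowBe4 deck, that automates both checks on an HTML mail body. The TRUSTED_DOMAINS allow-list, the sample messages and the "last two labels" approximation of a registrable domain are all assumptions made for this example.

```python
"""Added example (not from the KnowBe4 deck): two checks a mail gateway or a
suspicious user can run on a message, matching slides 7 and 11. The trusted
domain list and all three sample messages are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own allow-list of brands and partners it deals with.
TRUSTED_DOMAINS = {"ups.com", "examplebank.com"}

# A bare domain or URL appearing in the visible link text (what the user "sees").
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.cz, wrong for co.uk.
    Production code should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; catches one-character swaps such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `host` imitates, or None when it is either
    genuinely trusted or unrelated. Two imitation patterns are checked: the brand
    used as a label (ups-tracking-update.cz, examplebank.com.evil.cz) and a
    near-identical spelling of the registrable domain (examp1ebank.com)."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return None
    labels = set(re.split(r"[.-]", host))
    for t in sorted(trusted):
        if t.split(".")[0] in labels:
            return t
        if edit_distance(reg, t) <= (1 if len(t) < 10 else 2):
            return t
    return None


def check_email(from_addr, html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sender_host = from_addr.rsplit("@", 1)[-1].strip(">").lower()
    imitated = lookalike_of(sender_host, trusted)
    if imitated:
        findings.append(f"sender domain {sender_host} looks like {imitated}")
    parser = _AnchorCollector()
    parser.feed(html_body)
    for href, text in parser.anchors:
        # urlparse rather than a regex, so http://ups.com@evil.cz/ resolves to evil.cz
        real = (urlparse(href).hostname or "").lower()
        if not real:
            continue
        match = _HOST_RE.search(text)
        shown = match.group(1).lower() if match else ""
        if shown and registrable_domain(shown) != registrable_domain(real):
            findings.append(f"link text shows {shown} but href goes to {real}")
        imitated = lookalike_of(real, trusted)
        if imitated:
            findings.append(f"link host {real} looks like {imitated}")
    return findings


# Constructed sample messages (not real mail): the UPS lure of slide 11,
# the look-alike bank domain of slide 7, and a clean message for contrast.
UPS_PHISH = ("UPS Notifications <noreply@ups-tracking-update.cz>",
             '<p>Your parcel is delayed. Track it: '
             '<a href="http://ups-tracking-update.cz/track?id=1Z999">'
             'http://www.ups.com/track</a></p>')
BANK_PHISH = ("jane.exec@examp1ebank.com",
              '<p>Please authorize the cheque at branch 2: '
              '<a href="https://examplebank.com.evil.cz/authorize">Confirm</a></p>')
LEGIT = ("alerts@examplebank.com",
         '<a href="https://www.examplebank.com/login">Sign in</a>')

if __name__ == "__main__":
    for name, (sender, body) in [("UPS", UPS_PHISH), ("bank", BANK_PHISH), ("legit", LEGIT)]:
        print(name, check_email(sender, body) or ["clean"])
```

The display-text check compares registrable domains rather than full hostnames so that `www.ups.com` shown against `ups.com` is not a false positive, while a brand name appearing anywhere in the attacker's hostname is still caught. The edit-distance threshold is deliberately tight (one edit for short domains) because short names such as ups.com would otherwise collide with unrelated domains.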