Social Engineering: "The Cyber-Con"

A detailed look at the growing threat of social engineering, examples of such attacks, and recommendations for effective prevention in the workplace.

Presentation Transcript

  • Social Engineering: “The Cyber-Con”. Stephen Schell, ISDS 418, Dr. Sherif, Cal-State Fullerton, Spring 2006
  • Overview
    • Define Social Engineering
    • Demonstrate Popular Methods of Attack
    • Discuss Severity and Success Rates
    • Discuss Methods to Counter Attacks
  • Define Social Engineering
  • Define Social Engineering
    • Social Engineering – “the practice of obtaining confidential information by manipulation of legitimate users.” (from Wikipedia.com)
    • Attackers “trick” employees into revealing sensitive information, usually to gain access to a computer system: user-ID, password, IP address, etc.
  • Define Social Engineering
    • A Social Engineer is basically the new breed of “Con-Man” (Confidence Man).
    • Historically Con-Men have been highly successful at convincing victims to give them valuable items (money, jewelry, etc.)
    • Social Engineers employ similar methods aided by modern technology to obtain valuable data from system users.
  • Define Social Engineering
    • Con-Men and social engineers see their attacks as an art form or a social trade.
      • They pride themselves in their ability to manipulate a person’s natural tendency to trust others.
      • They are highly skilled and use very effective psychological methods.
      • Some work for personal edification; others work for personal profit.
  • Define Social Engineering
    • Profile of a Social Engineer, Kevin Mitnick:
      • Mitnick is one of the most notorious social engineers ever prosecuted.
      • Joined the Roscoe “Phreak” phone scam gang at age 15 (1978).
      • Social-engineered his way into PacBell headquarters at age 18 (1981).
  • Define Social Engineering
    • Profile of a Social Engineer, Kevin Mitnick : (continued)
      • Hacked into the National Security Agency (NSA) system using Hughes Aircraft’s network in 1985.
      • Convicted in 1995 of theft and fraud on over 20,000 credit cards, and for hacking into systems at Motorola & Sun Microsystems.
      • Sentenced to 5 years in prison, 8 months of which he was held in solitary confinement; lifetime probation from using computers.
  • Popular Methods of Attack
  • Popular Methods of Attack
    • Social Engineers use a variety of methods:
      • “Dumpster Diving”
      • “Shoulder Surfing”
      • Malicious E-mail Attachments
      • Deception and Manipulation
      • “Phishing”
      • “Pharming”
      • Reverse Social Engineering
      • PBX Disguise
  • Popular Methods of Attack
    • “Dumpster Diving” – searching through a company’s trash bins for sensitive/internal documents:
      • Memos
      • Company Directories
      • Account Statements
  • Popular Methods of Attack
    • “Shoulder Surfing” – observing an employee using his/her computer:
      • Witness user-ID and/or password entry.
      • Observe system resources.
      • Obtain customer information.
  • Popular Methods of Attack
    • Malicious E-mail Attachments – e-mail messages carefully written to entice readers to download malicious files.
      • Usually sent as “spam” to multiple employees listed in a company directory or e-mail list, but can target a specific employee.
      • Messages appear to be harmless, sometimes using common names to pose as a coworker or friend: John, Richard, Judy, Cindy, etc.
  • Popular Methods of Attack
    • Malicious E-mail Attachments: (continued)
      • Attachments can be downloaded directly by the user’s request or automatically through embedded images.
      • Malicious files may include keystroke recorders, password stealers, viruses, worms, and/or trojan horses.
  • Popular Methods of Attack
    • Example of a malicious e-mail attachment:
  • Popular Methods of Attack
    • Deception and Manipulation:
      • Impersonation – pretending to be a customer, Tech Support Specialist, manager, etc.
      • Ingratiation – motivating the victim to comply in order to improve or protect their reputation with management.
  • Popular Methods of Attack
    • Deception and Manipulation: (continued)
      • Conformity – motivating the victim to comply because it is a standard practice.
      • Peer Pressure – motivating the victim through flattery, flirtation, intimidation, and/or guilt.
  • Popular Methods of Attack
    • Deception and Manipulation Example:
    • “Hi Jim, this is Steve from tech support. I’m showing your boss, Rick, has a virus on his desktop computer. I understand Rick is on a business trip and I can’t seem to get a hold of him at the hotel. You wouldn’t happen to have his user ID handy, would you? I’d like to clean his computer before he gets back. I’m sure he’d appreciate your help.”
  • Popular Methods of Attack
    • “Phishing” – an e-mail, program, instant message and/or website created to obtain personal information from its recipients.
      • An e-mail is usually sent to multiple recipients.
      • Websites usually mirror those of legitimate financial institutions.
  • Popular Methods of Attack
    • E-mail phishing example:
  • Popular Methods of Attack
    • Website phishing example:
  • Popular Methods of Attack
    • “Pharming” – an in-depth phishing scheme involving:
      • Cracking into a local DNS server.
      • Changing the IP routing information of a popular website to a phishing website.
    • Users trust the phishing website because the internet address has been requested directly and shows correctly (http://www.citibank.com).
  • Popular Methods of Attack
    • Reverse Social Engineering – a method used to get the user to seek the social engineer for help.
    • Employs a three step process:
      • Sabotage
      • Advertising
      • Assisting
  • Popular Methods of Attack
    • Reverse Social Engineering: (continued)
      • Sabotage – attacker causes an application on the victim’s computer to fail.
      • Advertising – attacker advertises his/her phone number for the victim to call for help.
      • Assisting – the attacker asks for personal or sensitive information while pretending to assist the user.
  • Popular Methods of Attack
    • PBX Disguise – (Public Business eXchange) an attacker manipulates the company’s internal caller-ID system to impersonate someone of authority.
    • The PBX system can be cracked/hacked to generate a false caller-ID for the attacker.
    • Usually done by convincing someone of authority to “blind transfer” the attacker’s call to the victim.
  • Popular Methods of Attack
    • PBX disguise example:
    • “Hello? Who is this? Tech support? Oh, I’m sorry. I’m trying to reach Terry Simpson at extension 24667. Can you transfer me, please? I’m in a hurry.”
    • <Tech support blind transfers the call.>
    • “Hi Terry, this is Jim from Tech Support. You can verify my identity from the caller-ID. Yes, I need to reset your password…”
  • Popular Methods of Attack
    • Any combination of methods is strategically employed by the social engineer to fit each situation.
    • Attacks usually follow four steps:
      • Preparation
      • Confidence Build
      • Exploitation
      • Retrieval
  • Popular Methods of Attack
    • Preparation – attacker researches information that will build credibility with the victim.
    • Confidence Build – attacker uses research to gain the victim’s confidence.
    • Exploitation – attacker motivates the victim to divulge sensitive information.
    • Retrieval – attacker uses sensitive information for profit or to prepare for a higher level attack.
  • Popular Methods of Attack
    • An example of the Four-Step Process:
      • Preparation – attacker dumpster-dives for an old copy of the company directory from a trash bin behind the company’s main headquarters; collects names and phone numbers to impersonate and target.
      • Confidence Build – attacker uses deception to pose as a department manager, mentioning names of other coworkers in the field (from the directory) to buy credibility.
  • Popular Methods of Attack
    • An example of the Four Step Process: (continued)
      • Exploitation – attacker manipulates a victim business manager from another location to unwittingly reveal the physical location of a data center holding a customer information database.
      • Retrieval – attacker uses this information to target employees at the data center, who further reveal information used to gain access to the database; customer information is later used to commit credit fraud for personal profit.
  • Severity and Success Rates
  • Severity and Success Rates
    • Computer users are the weakest link in a company’s security plan.
      • Security hardware and software are cold, logical and discriminating – therefore, difficult to overcome.
      • On the other hand, system users are generally friendly, emotional and overly trusting – therefore, easy to manipulate.
  • Severity and Success Rates
    • Kevin Mitnick is now a leading consultant on information security:
      • “As developers invent continually better security technologies … attackers will turn more and more to exploiting the human element.” *
      • *“The Art of Deception” by Kevin Mitnick, Chapter 1
    • Social Engineering is destined to be the future’s greatest security concern.
  • Severity and Success Rates
    • The United States Department of the Treasury reported 35% of managers and employees of the Internal Revenue Service (IRS) provided their login names and passwords to treasury agents posing as IT helpdesk personnel during a security audit.*
      • *March 2005 report #2005-20-042
    • IRS Example:
  • Severity and Success Rates
    • In 2005, the Computer Security Institute conducted a survey of information security managers from major U.S. corporations:
      • Results show direct financial costs of security breaches totaling over $130 million across the 639 responding companies.
      • The average direct financial cost was over $200,000 per year, per respondent company.
  • Severity and Success Rates
    • 2005 Computer Security Institute Survey: (continued)
      • “Unauthorized Access” and “Theft of Proprietary Information” constituted 24% of total costs each.
      • “Computer Virus Infections” made up 32% of total costs.
      • Together the three problems represent 79% of all reported cases.
  • Severity and Success Rates
  • Severity and Success Rates
    • More than financial costs, companies must be concerned with the potential loss of reputation.
      • Customers are less likely to do business with companies known for security problems.
      • In fact, the 2005 FBI Computer Crime Survey shows only 9% of its respondents dare to report security breaches to law enforcement.
        • This may indicate how serious companies see this potential threat.
  • Methods to Counter Attacks
  • Methods to Counter Attacks
    • “ Dumpster Diving” Prevention:
      • Educate employees to recognize documents and digital media with sensitive information.
      • Establish secure procedures for disposal of sensitive documents vs. regular trash:
        • Daily disposal of documents into secure bins.
        • Well-locked and guarded storage and transport.
        • Consider using a document destruction contractor with secure processing methods.
  • Methods to Counter Attacks
    • Example of Secure Document Destruction Procedures:
      • [Diagram: Secure Collection Bins → Secure Transport → Complete Document Shredding → Materials Recycling]
      • Recall Document Management Services at Recall.com
  • Methods to Counter Attacks
    • “Dumpster Diving” Prevention: (continued)
      • Move your company toward a “digital library” process to limit and control sensitive documents:
        • Scan documents into an image database.
        • Establish a hierarchy of security levels for users.
        • Discourage printed, “hard” copies to avoid the need for document destruction.
  • Methods to Counter Attacks
    • Example of Digital Document Library:
  • Methods to Counter Attacks
    • “Shoulder Surfing” Prevention:
      • Educate employees to be protective of their workspaces; lock down workstations when not in use.
      • Establish a rigorous password renewal policy consistent with the relative sensitivity of the work area.
  • Methods to Counter Attacks
    • “Shoulder Surfing” Prevention: (continued)
      • Use secure Radio Frequency ID (RFID) cards and readers to control employee access to areas housing sensitive resources.
      • Provide courteous security escorts for all outside visitors.
  • Methods to Counter Attacks
    • Examples of RFID badges and readers:
  • Methods to Counter Attacks
    • Prevention of Malicious E-mail Attachments:
      • Educate employees to be wary of sending and downloading attachments; try to send all your messages as text instead.
      • Use company e-mail only for business purposes.
        • Forwarding personal messages to outsiders can actually advertise your e-mail address to potential spammers and social engineers.
  • Methods to Counter Attacks
    • Prevention of Malicious E-mail Attachments:
      • Disable the image preview feature within the company’s e-mail agent for all accounts.
      • Assess the need to view images against the potential risk of infection; possibly disable all image-viewing features of your e-mail agent.
  • Methods to Counter Attacks
    • Preventing Deception and Manipulation:
      • Support a strong corporate culture to build employee loyalty and vigilance.
      • Educate employees about their duty to protect the company’s physical and informational assets against intruders.
      • Teach employees how to recognize and avoid common methods of deception and manipulation, especially telephone operators.
  • Methods to Counter Attacks
    • Preventing Deception and Manipulation: (continued)
      • Establish a corporate-wide identification system to authenticate employees and verify their authorized level of access:
        • Issue verbal security key lists to employees responsible for communicating information.
        • Authorize communications according to an appropriate hierarchy of security keys.
        • Regularly change security keys based on the relative sensitivity of the information.
  • Methods to Counter Attacks
    • Example scenario of security key use:
    • “Hello? Yes, this is Steve. Jim from tech support? Sure, I can help you with Rick’s user-ID. First may I verify your authorization with today’s management level security key, row C, column 8? Oh, you don’t have today’s security key matrix. Well, I’m sorry Jim, but I will need to know you have authorization to this information before I can help you. Yes, please do call back when you can.”
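The scenario above turns on a verifiable shared secret rather than on caller-ID or a confident voice. Below is an added example, not part of the presentation, that implements such a daily key matrix in Python: each cell is derived with HMAC from a per-level shared secret and the date, the gatekeeper challenges a random row and column, and the answer is checked in constant time. Secrets, level names and the sample date are constructed placeholders.

```python
"""Daily verbal security key matrix: added example, not from the presentation.

The slides have the information holder challenge a caller for one cell of
today's printed key matrix for the required security level. Here each cell
is derived with HMAC from a per-level shared secret and the date, so the
matrix changes daily and the staff matrix reveals nothing about the
management one. Secrets, level names and the sample date are constructed.
"""
import hashlib
import hmac
import secrets
import string
from datetime import date

ROWS = "ABCDEFGH"                    # 8 rows, A to H
COLS = tuple(range(1, 11))           # 10 columns, 1 to 10
ALPHABET = string.ascii_uppercase + string.digits
CELL_LEN = 4                         # short enough to read over the phone
# One constructed secret per level: holding the staff matrix does not let a
# caller answer a management-level challenge.
LEVEL_SECRETS = {
    "staff": b"constructed-staff-secret-2006",
    "management": b"constructed-management-secret-2006",
}
EXAMPLE_DAY = date(2006, 5, 1)       # constructed sample date

def cell(level, day, row, col):
    """Derive the matrix cell for one level, day, row and column."""
    label = f"{day.isoformat()}|{row}{col}".encode()
    digest = hmac.new(LEVEL_SECRETS[level], label, hashlib.sha256).digest()
    # Map the first bytes onto a readable alphabet; the small modulo bias is
    # harmless for a human-readable daily token that is not a crypto key.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:CELL_LEN])

def matrix(level, day):
    """The full printed matrix an authorized employee carries for the day."""
    return {f"{r}{c}": cell(level, day, r, c) for r in ROWS for c in COLS}

def challenge():
    """Pick a random cell to ask the caller for, e.g. ('C', 8)."""
    return secrets.choice(ROWS), secrets.choice(COLS)

def verify(level, day, row, col, response):
    """Compare the caller's answer with the expected cell in constant time."""
    expected = cell(level, day, row, col)
    return hmac.compare_digest(expected, response.strip().upper())

def handle_request(level, day, answer):
    """Gatekeeper flow from the slides: challenge first, then release or refuse.
    `answer` stands in for the caller: given (row, col) it returns what the
    caller reads back, or None if the caller has no matrix at all."""
    row, col = challenge()
    response = answer(row, col)
    if response is None:
        return "refused: no key matrix; ask the caller to call back"
    if not verify(level, day, row, col, response):
        return "refused: key mismatch; report a possible social engineering attempt"
    return "authorized"

if __name__ == "__main__":
    mgmt = matrix("management", EXAMPLE_DAY)
    # Legitimate tech support reads the cell off the management matrix.
    print(handle_request("management", EXAMPLE_DAY, lambda r, c: mgmt[f"{r}{c}"]))
    # "Jim from tech support" in the slide has no matrix and is turned away.
    print(handle_request("management", EXAMPLE_DAY, lambda r, c: None))
```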
  • Methods to Counter Attacks
    • “Phishing” Prevention:
      • Consider disabling hyperlinks within your company’s e-mail agent.
      • Heavily educate employees, customers and vendors to NEVER provide sensitive information via instant messages.
      • Employ a contractor to monitor inappropriate use of your company’s brand on the internet, such as MarkMonitor.com.
  • Methods to Counter Attacks
    • “Phishing” Prevention: (continued)
      • Establish Secure Sockets Layer (SSL) Certificates for all websites and e-mails requesting personal information.
        • Uses a high level of encryption (128-bit/256-bit).
        • Allows third-party verification of websites by a trusted certificate authority (CA), such as Verisign.
      • Educate your employees, customers and vendors to always look for and use authentic SSL certificates.
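Short of disabling hyperlinks outright, a mail gateway can flag the links that matter. The following added example (not from the presentation) scans a constructed HTML message for anchors whose visible text names one site while the href leads elsewhere, and for links that lack SSL/TLS; the two-label registrable-domain rule is an assumed simplification.

```python
"""Flag phishing-style links in an HTML e-mail: added example, not from the slides.

The slides note that phishing pages mirror legitimate institutions and suggest
disabling hyperlinks in the mail client altogether. A narrower control, shown
here, flags only anchors whose visible text names one site while the href goes
to another, plus links not protected by SSL/TLS. The message is a constructed
sample; the two-label "registrable domain" rule is a simplification assumed here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """<html><body>
<p>Dear customer, your account has been suspended.</p>
<p>Please visit <a href="http://login.citibank.com.example-verify.net/acct">
https://www.citibank.com/verify</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.citibank.com/help">our help page</a>.</p>
</body></html>"""

# Anything in the anchor text that looks like a URL or a bare host name.
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+|(?:www\.)?[\w-]+\.[a-z]{2,}", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude brand domain: the last two labels (assumption, fine for .com/.net)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(html):
    """Return [(href, [reasons])] for every anchor that deserves a warning."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = urlparse(href)
        reasons = []
        shown = URL_IN_TEXT.search(text)
        if shown:
            url = shown.group(0)
            shown_host = urlparse(url if "://" in url else "http://" + url).hostname or ""
            if registrable(shown_host) != registrable(target.hostname or ""):
                reasons.append(f"text shows {shown_host} but link goes to {target.hostname}")
        if target.scheme == "http":
            reasons.append("link is not protected by SSL/TLS (http://)")
        if reasons:
            findings.append((href, reasons))
    return findings

if __name__ == "__main__":
    for href, reasons in analyze(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```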
  • Methods to Counter Attacks
    • Example of an authenticated SSL Certificate:
  • Methods to Counter Attacks
    • “Pharming” Prevention:
      • Although SSL Certificates establish good security, further authentication may be recommended to curb stronger attacks.
      • “Site keys” are now being used to establish such extended authentication.
        • Uses unique images and/or phrases for each registered visitor to identify the website’s authenticity.
  • Methods to Counter Attacks
    • “Site key” Example:
  • Methods to Counter Attacks
    • Reverse Social Engineering Prevention:
      • Establish an effective and professional on-site tech support group.
        • Build relationships and high visibility with users.
        • Respond quickly so users are less tempted to seek outside sources of help.
      • Tech support should religiously follow all corporate procedures to appropriately identify themselves and their users; educate users to expect the same.
  • Methods to Counter Attacks
    • PBX Disguise Prevention:
      • Be involved in the security of the phone system as with any other computer network.
      • Require all phone users to introduce the calls they transfer; no “blind transfers.”
  • Methods to Counter Attacks
    • “Red flags” that employees should watch for as signs of a potential social engineering attack:
      • A caller refuses to give a call-back number.
      • A request that is unusual or odd.
      • The requestor claims significant authority.
      • The requestor pushes for an urgent response.
  • Methods to Counter Attacks
    • Standard Computer Security Methods:
      • Establish a security incident reporting channel, such as a widely distributed 800 number.
      • Update anti-virus, intrusion detection, firewall and anti-spyware software regularly.
      • Conduct frequent network scans for malicious software.
  • Methods to Counter Attacks
    • Standard Computer Security Methods: (continued)
      • Configure firewall, intrusion detection and virtual private network (VPN) hardware.
      • Closely monitor your network logging and auditing software reports.
  • Conclusion
  • Conclusion
    • Social Engineering promises to be the most significant threat for the future of information security.
    • Today’s social engineer is well-armed with cutting-edge computer technology and a proven history of confidence schemes.
  • Conclusion
    • Businesses must be prepared to protect their informational assets and their invaluable reputation from these attackers.
    • Most preventive measures are reasonable, affordable and easy to implement with discipline.
  • Conclusion
    • Most importantly, companies must invest in Social Engineering Prevention Training for their employees and managers, but also for their customers and external vendors.
      • “The threat is constant; the reminders must be constant as well.”
      • -- Kevin Mitnick, The Art of Deception, Chapter 15
  • Questions from the Audience
  • References
    • Mitnick, Kevin D. & Simon, William L. (2002). The Art of Deception.
    • http://www.hackemate.com.ar/textos/taod/Kevin%20Mitnick%20-%20The%20Art%20of%20Deception.pdf
    • Social Engineering (computer security). (April 26, 2006). Wikipedia.com.
    • http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
    • Phishing. (May 1, 2006). Wikipedia.com.
    • http://en.wikipedia.org/wiki/Phishing
    • Granger, Sarah. (December 18, 2001). Social Engineering Fundamentals, Part I: Hacker Tactics.
    • http://www.securityfocus.com/infocus/1527
    • Granger, Sarah. (January 9, 2002). Social Engineering Fundamentals, Part II: Combat Strategies.
    • http://www.securityfocus.com/infocus/1533
    • Smith Barney Benefit Access Client Security E-mail Fraud and Identity Theft. (2006).
    • http://www.benefitaccess.com/phish.html#phish
    • Edmead, Mark T. (November 18, 2002). Social Engineering Attacks: What we can learn from Kevin Mitnick. http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci865450,00.html
  • References
    • Catledge, Blane. (circa 2005). Social Engineering Overview.
    • http://www.chem.sc.edu/support/publicSocialEngineering.pdf#search='social%20engineering%20steps'
    • Harley, David. (circa 1997). Re-Floating the Titanic: Dealing with Social Engineering Attacks.
    • http://cluestick.me.uk/hoax/harley_eicar98.htm
    • Gordon, Lawrence A., Loeb, Martin P., Lucyshyn, William, and Richardson, Robert. (2005). 2005 CSI/FBI Computer Crime and Security Survey.
    • http://www.cpppe.umd.edu/Bookstore/Documents/2005CSISurvey.pdf#search='computer%20security%20institute%20survey'
    • Violino, Bob. (October 2005). After Phishing? Pharming! CSOOnline.com.
    • http://www.csoonline.com/read/100105/pharm.html
    • Martin, Kelly. (January 18, 2006). FBI publishes 2005 computer crime survey. SecurityFocus.com
    • http://www.securityfocus.com/brief/109
    • New FBI Computer Crime Survey. (January 18, 2006). FBI.gov.
    • http://www.fbi.gov/page2/jan06/computer_crime_survey011806.htm
  • References
    • SSL Information Center. (2006). VeriSign.com.
    • http://www.verisign.com/products-services/security-services/ssl/ssl-information-center/ecommerce-trust-ssl/index.html
    • Verisign Secured Seal. (2006). VeriSign.com.
    • https://seal.verisign.com/splash?form_file=fdf/splash.fdf&dn=WWW.VERISIGN.COM&lang=en
    • Secure Destruction Services. (2005). Recall.com.
    • http://www.recall.com/Recall/NorthAmerica/EN/Find_a_Service/DocumentDestruction#
    • Kevin Mitnick. (May 2006). Wikipedia.com.
    • http://en.wikipedia.org/wiki/Kevin_Mitnick
    • Kevin Mitnick: Timeline. (circa 1995). Takedown.com.
    • http://www.takedown.com/coverage/mitnick-timeline.html
    • Timeline of Hacker History. (April 2006). Wikipedia.com.
    • http://en.wikipedia.org/wiki/Timeline_of_hacker_history
  • References
    • “Knight Lightning”. (Date NA). Phrack World News. Volume II, Issue XXIII, Part 1. Armed with a Keyboard and Considered Dangerous.
    • http://www.phrack.org/phrack/23/P23-11