Social Engineering is a kind of advance persistent threat (APT) that gains private and sensitive information through social networks or other types of communication

1. Masoud Khademi
Amirkabir University of Technology
- Tehran Polytechnic

2.  Human-based techniques: impersonation
 Computer-based techniques: malware and
scams

3.  Manipulates legitimate users into
undermining their own security system
 Abuses trusted relationships between
employees
 Very cheap for the attacker
 Attacker does not need specialized
equipment or skills

4.  Impersonation
 Help Desk
 Third-party Authorization
 Tech Support
 Roaming the Halls
 Repairman
 Trusted Authority Figure
 Snail Mail

5.  Computer-Based Techniques
 Pop-up windows
 Instant Messaging and IRC
 Email Attachments
 Email Scams
 Chain Letters and Hoaxes
 Websites

6.  Hacker pretends to be an employee
 Recovers “forgotten” password
 Help desks often do not require adequate
authentication

7.  Targeted attack at someone who has
information
 Access to assets
 Verification codes
 Claim that a third party has authorized the
target to divulge sensitive information
 More effective if the third party is out of town

8.  Hacker pretends to be tech support for the
company
 Obtains user credentials for troubleshooting
purposes.
 Users must be trained to guard credentials.

9.  Hacker dresses to blend in with the
environment
 Company uniform
 Business attire
 Looks for sensitive information that has been
left unattended
 Passwords written down
 Important papers
 Confidential conversations

10.  Hacker wears the appropriate uniform
 Often allowed into sensitive environments
 May plant surveillance equipment
 Could find sensitive information

11.  Hacker pretends to be someone in charge of
a company or department
 Similar to “third-party authorization” attack
 Examples of authority figures
 Medical personnel
 Home inspector
 School superintendent
 Impersonation in person or via telephone

12.  Hacker sends mail that asks for personal
information
 People are more trusting of printed words
than webpages
 Examples
 Fake sweepstakes
 Free offers
 Rewards programs
 More effective on older generations

13.  Window prompts user for login credentials
 Imitates the secure network login
 Users can check for visual indicators to verify
security

14.  Hacker uses IM, IRC to imitate technical
support desk
 Redirects users to malicious sites
 Trojan horse downloads install surveillance
programs.

15.  Hacker tricks user into downloading
malicious software
 Programs can be hidden in downloads that
appear legitimate
 Examples
 Executable macros embedded in PDF files
 Camouflaged extension: “NormalFile.doc” vs.
“NormalFile.doc.exe”
 Often the final extension is hidden by the email
client.

16.  More prevalent over time
 Begins by requesting basic information
 Leads to financial scams

17.  More of a nuisance than a threat
 Spread using social engineering techniques
 Productivity and resource cost

18.  Offer prizes but require a created login
 Hacker capitalizes on users reusing login
credentials
 Website credentials can then be used for
illegitimate access to assets

19.  Never disclose passwords
 Limit IT Information disclosed
 Limit information in auto-reply emails
 Escort guests in sensitive areas
 Question people you don't know
 Talk to employees about security
 Centralize reporting of suspicious behavior

20.  Remind employees to keep passwords secret
 Don’t make exceptions
 It’s not a grey area!

21.  Only IT staff should discuss details about the
system configuration with others
 Don’t answer survey calls
 Check that vendor calls are legitimate

22.  Keep details in out-of-office messages to a
minimum
 Don’t give out contact information for
someone else.
 Route requests to a receptionist

23.  Guard all areas with network access
 Empty offices
 Waiting rooms
 Conference rooms
 This protects against attacks
 “Repairman”
 “Trusted Authority Figure”

24.  All employees should have appropriate
badges
 Talk to people who you don’t recognize
 Introduce yourself and ask why they are there

25.  Regularly talk to employees about common
social engineering techniques
 Always be on guard against attacks
 Everyone should watch what they say and do.

26.  Designate an individual or group
 Social engineers use many points of contact
 Survey calls
 Presentations
 Help desk calls
 Recognizing a pattern can prevent an attack

27. Davidson, Justin. "Best Practices to Prevent Social Engineering
Attacks." Spiceworks Community Global. N.p., n.d. Web. 26 Mar.
2013. <http://community.spiceworks.com/how_to/show/666-best-
practices-to-prevent-social-engineering-attacks>.
Information, Network & Managed IT Security Services. "Social
Engineering." SecureWorks. Dell, 2013. Web. 26 Mar. 2013.
<http://www.secureworks.com/consulting/security_testing_and_a
ssessments/social_engineering/>.
"Types of Social Engineering." NDPN.org. National Plant Diagnostic
Network, 2013. Web. 26 Mar. 2013.
<http://www.npdn.org/social_engineering_types>.