Social engineering - Sandy Suhling

Social engineering: Case Study & attack implications

Published in: Technology
Transcript

  • 1. Social Engineering Attacks: Case Studies & Security Implications
    By Sandy Suhling, INFO 644, Fall 2013

  • 2. What is social engineering?
    ● "gaining of information from legitimate users for illegitimate access" (Dhillon, 2013)
    ● generally involves manipulating someone into taking an action or giving up information that may or may not be in the target's best interests (Hadnagy, 2010)

  • 3. Social engineering techniques
    ● dumpster diving (Brody, Brizzee, & Cano, 2012)
    ● shoulder surfing
    ● tailgating/piggybacking
    ● phishing
    ● pretexting
    ● intimidation (Orlando, 2007)
    ● bribery

  • 4. Case Study: Wayland Fruit Company
    (background image: http://world-beautifulwallpapers.blogspot.com/2013/02/beautiful-fruits-wallpapers.html)

  • 5. Case Study: Holes in Security
    ● company policy violations
      ○ left employees vulnerable to blackmail and coercion
    ● the attacker's use of pretexting to obtain information
      ○ pretended to be an EW IT technician
      ○ already knew information about the company and Mr. Farmer
    ● lack of awareness/education
    ● use of the same login ID and password for multiple accounts

  • 6. Social & Technical Vulnerabilities
    ● Walmart: good customer service vs. not giving out business information (Cowley, 2012)
    ● Human tendencies = vulnerabilities:
      ○ wanting to be helpful
      ○ making assumptions
      ○ reluctance to question authority
      ○ taking shortcuts: security vs. usability (Hadnagy, 2010)
      ○ overconfidence

  • 7. Implications for attacks
    ● can have high costs
      ○ financial costs of $25,000-$100,000 per incident
      ○ loss of trust in employees
      ○ loss of business
    ● difficult to prevent because they exploit natural human tendencies

  • 8. Preventing social engineering attacks
    ● include 4th generation security measures (Dhillon, 2013)
    ● education and awareness about social engineering for all employees
    ● use a combination of informal, formal, and technical controls/security measures
    ● make use of penetration testing
    ● don't make it easy!
      ○ e.g. proper disposal of trash and important documents (Brody, Brizzee, & Cano, 2012)

  • 9. Class Question
    What other security measures can businesses use to prevent social engineering attacks? How are these security measures different from those instituted to protect against other types of attacks?

  • 10. References
    ● Brody, R.G., Brizzee, W.B., and Cano, L. (2012). Flying under the radar: Social engineering. International Journal of Accounting and Information Management, 20(4). Retrieved from http://www.emeraldinsight.com.proxy.library.vcu.edu/journals.htm?articleid=17058136&show=abstract
    ● Cowley, S. (2012). How a lying 'social engineer' hacked Wal-Mart. CNN. Retrieved from http://money.cnn.com/2012/08/07/technology/walmart-hack-defcon/index.htm
    ● Dhillon, G. (2013). Enterprise Cyber Security: Principles and Practice. Washington, DC: Paradigm Books.
    ● Hadnagy, C. (2010). Social Engineering: The Art of Human Hacking. Indianapolis, IN: John Wiley & Sons. Retrieved from http://proquest.safaribooksonline.com.proxy.library.vcu.edu/9780470639535
    ● Orlando, J. (2007). Social engineering in penetration testing: Cases. Security Strategies Alert. Retrieved from http://www.networkworld.com/newsletters/2007/1022sec2.html?page=1