Social engineering

  1. Information Systems 365/765: Information Systems Security and Strategy. Lecture 7: Social Engineering
  2. Today’s Chocolate Bar
     • Nestle Crunch, created in 1938
     • Current slogan is “For the kid in you”… BORING
     • Bunch-a-crunch controversy
     • “Betcha Can’t Crunch This!”
  3. Warning
  4. WARNING
     • I use REAL people as examples in this presentation
     • I do this not to mock them or intimidate them, but to impress upon them, in the most real way I know of, the importance of sharing information about themselves in public forums only on a “need to know” basis
  5. Social Engineering
     • No matter how many security measures you introduce, there is one which proves to be the most challenging…
     • How do we secure human beings?
  6. Social Engineering Defined
     • The use of psychological tricks in order to get useful information about a system
     • Using psychological tricks to build inappropriate trust relationships with insiders
  7. Kevin Mitnick
     • World’s most famous Social Engineer
     • “The weakest link in the security chain is the human element”
     • Half of his exploits involved using social engineering
     • See the master in action!
  8. Social Engineering
     • Social Engineering goes back to the first lie ever told and will continue into the future.
     • Social Engineering is successful because people are generally helpful, especially to those who are:
       • Nice
       • Knowledgeable
       • Insistent
  9. Three Primary Methods of Social Engineering
     • Flattery
     • Authority Impersonation
     • Threatening Behavior
  10. Helpful By Default
     • We don’t see a motive to hack our network. “If I see it every day, it can’t be important.”
     • Industrial Espionage
     • Revenge
     • Just for fun
  11. How Does It Happen?
     • “An ounce of prevention is worth a pound of cure!”
     • The Social Engineer uses simple information found online, or by making a basic phone call into the office
     • That stuff really isn’t that easy to get… Don’t be dramatic!
  12. Let’s Set Up a Case Scenario Using a Method Called Pretexting
     • Meet Angry Cow
     • Computer Science Student at UW-Madison
     • Angry Cow just got an eviction notice
  13. Case Continued: Simple Public Information is Found
     • Angry Cow lives at the Regent
     • The Regent’s website indicates that it is owned by Steve Brown Properties
     • Angry Cow wants to “fix” Steve Brown’s record-keeping spreadsheet to show that rent has been paid
  14. Next: Finding a Way In…
     • Facebook is Angry Cow’s first weapon of choice because it is an unofficial source of information
     • Poor controls over data sharing
     • Lots of important information there that might not seem important, but could be his first step in…
     • Go to Facebook and search “Steve Brown Apartments” to find an appropriate unknowing accomplice
  15. Let’s See: Danielle Treu
     • Born July 24, 1988
     • Enjoys playing in the rain, drinking coffee and spending money
     • Works at Subway and as a Resident Assistant for Steve Brown Apartments
  16. Let’s See: David Klabanoff
     • Born April 21, 1979
     • Likes Star Wars and The Muppet Movie
     • Is a Concierge for Steve Brown Apartments
  17. Let’s See: Andrew Baldinger (I think I might know this guy!)
     • March 30, 1986
     • Likes kayaking, exploring, and getting lost
     • Lives at the Regent
     • Works as a Technology Support Specialist for Steve Brown Apartments!
  18. Let’s Start with Danielle Treu
     • Her Facebook profile is public, but she is intelligent: she keeps her contact information private
     • But her profile does say that she attends UW-Madison…
     • I wonder if they have some more public information about her
  19. The Research, Phase II
     • I’m so thankful for the UW Whitepages!
     • Remember, this is PUBLIC information!
     • I got her email address!
  20. Primary Contact
  21. Establishing the Trust
     • Danielle talks to David, and since David trusts Danielle as an “insider”, this trust transfers to the fake Andrew
     • Angry Cow shows up later that day; David is expecting him
     • Angry Cow identifies himself as Andrew and asks David for the key to the server room
  22. The Hack
     • Angry Cow gets physical access to the server and uses Ophcrack (just like we did in class to get the Admin username)
     • Angry Cow logs into the server and alters accounting files to indicate that his rent has been paid
  23. Summary of This Example
     • Search for public information about your target, using both official and unofficial sources
     • Build a trust ladder: Julie trusts Andrew and David trusts Julie, therefore David will trust Andrew, even if “Andrew” really is Angry Cow!
     • Build a credible story
     • Based on PRETEXTING
  24. Let’s Watch Another Example
     • Silence of the Lambs movie scene
     • Notice how they both establish trust through the use of kindness or perceived kindness
  25. How to Keep Social Engineering From Working
     • Administrators need to:
       • Establish Policies
       • Train Employees
       • Run Drills
     • Office Workers:
       • Need to be aware of Social Engineering tactics
       • Follow policies
  26. Let’s Watch the AT&T Internal Social Engineering Training Video
     • Which Social Engineering techniques can you identify in the video? (Flattery, Authority, Threats)
     • How would you CLASSIFY this video? (Remember Data Classification.)
     • What is going on at AT&T?
  27. Pretexting
     • Pretexting is the act of creating and using an invented scenario (the pretext) to persuade a targeted victim to release information or perform an action, and is typically done over the telephone.
  28. Pretexting
     • It’s more than a simple lie, as it most often involves some prior research or setup and the use of pieces of known information (e.g. for impersonation: date of birth, Social Security Number, last bill amount) to establish legitimacy in the mind of the target.
  29. Is This Really a Threat to Businesses? PRETEXTING
     • So far, this just looks like a technique employed by angry individuals.
     • Did you know that Hewlett Packard regularly engaged in Social Engineering?
     • They used the method of PRETEXTING in order to get phone records
     • Let’s watch the testimony of Patricia Dunn, Director of HP
  30. Pretexting Will Likely Continue
     • As most U.S. companies still authenticate a client by asking only for a Social Security Number, date of birth, or mother’s maiden name, the method is effective in many criminal situations and will likely continue to be a security problem in the future.
     • Pretexting is the most common form of Social Engineering
  31. Phishing
     • Phishing is the use of email as a means to extract personal information from a user
     • A variant is called IVR Phone Phishing
  32. Phishing Continued
     • Directs you towards bogus (fake) websites
     • Purpose is to harvest information
     • PayPal example: I don’t even have a PayPal account!
     • Use common sense!
     • Don’t click on links directly!
     • Phishing Filter!
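A minimal version of the kind of check a phishing filter performs for the “bogus websites” point above, added here as an illustration and not part of the lecture: it parses the links in an email body and flags any whose displayed URL sits on a different domain than the one the href actually points to. The sample message and the look-alike domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a phishing-style email body (not from the lecture): the first
# link's visible text claims paypal.com, but its href points at a look-alike domain.
SAMPLE_HTML = """
<p>Dear customer, your account has been limited.</p>
<p>Log in at <a href="http://paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
<p>Help: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude approximation of the registrable domain: the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html):
    """Return links whose visible text is a URL on a different domain than the real href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        if not re.match(r"^(https?://|www\.)", text, re.I):
            continue  # visible text is not a URL, so there is nothing to compare
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        real_host = urlparse(href).hostname or ""
        if registered_domain(shown_host) != registered_domain(real_host):
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings
```

Running `suspicious_links(SAMPLE_HTML)` reports the first link only; a link whose visible text is plain words (“click here”) is not compared, which is exactly why the lecture's advice to look at the real destination before clicking still applies.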
  33. TROJAN HORSE
     • Is a virus or malware, disguised in such a way as to appeal to a person’s curiosity or greed
     • Usually arrives in the form of an email with an attachment
     • The ILOVEYOU virus is an example of a Trojan Horse
     • Adware hiding inside downloads is another example
  34. Road Apples
     • Road Apples are also known as Baiting
     • Uses physical media and relies on the curiosity or greed of the victim
     • USB drives or CDs found in the parking lot, with the label “3M Executive Salaries”
     • Autorun on inserted media
  35. Quid Pro Quo
     • Means “something for something”
     • A person contacts people one by one, until he/she finds a person with a problem
     • When they find a person, they “fix” their problem by introducing malware to their machine
  36. Summary: Today’s Takeaways
     • Social Engineering involves manipulating others to get access
     • Main techniques are: Flattery, Authority, Threatening
     • Main types are: Pretexting, Phishing, Trojan Horses and Quid Pro Quo
  37. Ways to Combat Social Engineering
     • Good security policy
     • Make sure your employees understand dangers and threats
     • Make sure employees understand what Data Classification means and what type of information you publicly give away
  38. Most Important Gem of Wisdom in Defeating Social Engineering
     • Never, never give out username, password, account number, SSN, etc. over the same channel used to initiate the request
     • For example, if a phone call comes in asking for a SSN, send the SSN via email or regular mail
