Social Engineering


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Social Engineering

  1. 1. Social Engineering Wali Memon1 Wali Memon
  2. 2. “You could spend a fortune purchasing technology and services...and your network infrastructure could still remain vulnerable to old-fashioned manipulation.” -Kevin Mitnick2 Wali Memon
  3. 3. What is Social Engineering? Uses Psychological Methods Exploits human tendency to trust Goals are the Same as Hacking3 Wali Memon
  4. 4. Why Social Engineering? Easier than technical hacking Hard to detect and track4 Wali Memon
  5. 5. The Mind of a Social Engineer More like actors than hackers Learn to know how people feel by observing their actions can alter these feelings by changing what they say and do make the victim want to give them the information they need5 Wali Memon
  6. 6. Approaches Carelessness Comfort Zone Helpfulness Fear6 Wali Memon
  7. 7. Careless Approach Victim is Careless Does not implement, use, or enforce proper countermeasures Used for Reconnaissance Looking for what is laying around7 Wali Memon
  8. 8. Careless Examples Dumpster Diving/Trashing Huge amount of information in the trash Most of it does not seem to be a threat The who, what and where of an organization Knowledge of internal systems Materials for greater authenticity Intelligence Agencies have done this for years8 Wali Memon
  9. 9. Careless Examples (cont.) Building/Password Theft Requires physical access Looking for passwords or other information left out in the open Little more information than dumpster diving9 Wali Memon
  10. 10. Careless Examples (cont.) Password Harvesting Internet or mail-in sweepstakes Based on the belief that people don’t change their passwords over different accounts10 Wali Memon
  11. 11. Comfort Zone Approach Victim organization members are in a comfortable environment Lower threat perception Usually requires the use of another approach11 Wali Memon
  12. 12. Comfort Zone Examples Impersonation Could be anyone Tech Support Co-Worker Boss CEO User Maintenance Staff Generally Two Goals Asking for a password Building access - Careless Approach12 Wali Memon
  13. 13. Comfort Examples (cont.) Shoulder Surfing Direct Theft Outside workplace Wallet, id badge, or purse stolen Smoking Zone Attacker will sit out in the smoking area Piggy back into the office when users go back to work13 Wali Memon
  14. 14. Comfort Examples (cont) Insider Threats Legitimate employee Could sell or use data found by “accident” Result of poor access control Asking for favors from IT staff for information Usually spread out over a long period of time14 Wali Memon
  15. 15. Helpful Approach People generally try to help even if they do not know who they are helping Usually involves being in a position of obvious need Attacker generally does not even ask for the help they receive15 Wali Memon
  16. 16. Helpful Examples Piggybacking Attacker will trail an employee entering the building More Effective: Carry something large so they hold the door open for you Go in when a large group of employees are going in Pretend to be unable to find door key16 Wali Memon
  17. 17. Helpful Examples (cont.) Troubled user Calling organization numbers asking for help Getting a username and asking to have a password reset17 Wali Memon
  18. 18. Fear Approach Usually draws from the other approaches Puts the user in a state of fear and anxiety Very aggressive18 Wali Memon
  19. 19. Fear Examples Conformity The user is the only one who has not helped out the attacker with this request in the past Personal responsibility is diffused User gets justification for granting an attack.19 Wali Memon
  20. 20. Fear Examples (cont) Time Frame Fictitious deadline Impersonates payroll bookkeeper, proposal coordinator Asks for password change20 Wali Memon
  21. 21. Fear Examples (cont) Importance Classic boss or director needs routine password reset Showing up from a utility after a natural occurrence (thunderstorm, tornado, etc)21 Wali Memon
  22. 22. Advanced Attacks Offering a Service Attacker contacts the user Uses viruses, worms, or trojans User could be approached at home or at work Once infected, attacker collects needed information22 Wali Memon
  23. 23. Advanced Attacks (cont) Reverse Social Engineering Attacks puts themselves in a position of authority Users ask attacker for help and information Attacker takes information and asks for what they need while fixing the problem for the user23 Wali Memon
  24. 24. Combating Social Engineers User Education and Training Identifying Areas of Risk Tactics correspond to Area Strong, Enforced, and Tested Security Policy24 Wali Memon
  25. 25. User Education and Training Security Orientation for new employees Yearly security training for all employees Weekly newsletters, videos, brochures, games and booklets detailing incidents and how they could have been prevented Signs, posters, coffee mugs, pens, pencils, mouse pads, screen savers, etc with security slogans (I.e. “Loose lips sink ships”).25 Wali Memon
  26. 26. Areas of Risk Certain areas have certain risks What are the risks for these areas? Help Desk, Building entrance, Office, Mail Room, Machine room/Phone Closet, Dumpsters, Intranet/Internet, Overall26 Wali Memon
  27. 27. Security Policy Management should know the importance of protecting against social engineering attacks Specific enough that employees should not have to make judgment calls Include procedure for responding to an attack27 Wali Memon
  28. 28. Conclusions Social Engineering is a very real threat Realistic prevention is hard Can be expensive Militant Vs. Helpful Helpdesk Staff Reasonable Balance28 Wali Memon
  29. 29. References Psychological Based Social Engineering, Charles Lively. December 2003. SANS Institute. 10 September 2005. /3547.php Sarah Granger, “Social Engineering Fundamentals: Part I”. Security Focus. December 2001. 10 September 2005. Sarah Granger, “Social Engineering Fundamentals: Part II”. Security Focus. January 2002. 10 September 2005. Wali Memon