Social Engineering and
What To Do About It
Aleksandr Yampolskiy, Ph.D.
Director of Security and Compliance, Gilt Groupe
Talk given at SC world congress
Slide 1: Social Engineering and What To Do About It
Aleksandr Yampolskiy, Ph.D., Director of Security and Compliance, Gilt Groupe
Slide 2: Our Approach to Security
• Security decisions are based on risk, not just threats and vulnerabilities.
• The roadmap aims to mitigate top risks.
• Heavily based on policy and user education.
• “Onion security”: multiple protections at each layer.
• Achieve “essential”, then worry about “excellent”.
• Be a “how team” instead of a “no team”.
Slide 3: Social engineering in person
See anything wrong?
Slide 4: Social engineering in person
Slide 5: Social Engineering
• Types of social engineering:
– In person
– Phone
– Email
– Websites
– …the list doesn’t end there…
Slide 6: What is Social Engineering? (Gartner 2002)
• It’s an old-fashioned manipulation of people.
• The goal is to obtain sensitive information about a company (passwords, financials, customer info, etc.).
• Organizations are too focused on technological security controls, but often the weakest link is people!
Slide 7: What is Social Engineering? (cont.) (Gartner 2002)
• Social engineering is not as glamorous as it sounds and requires lots of groundwork:
1. Information gathering
2. Idle chit-chat
3. Assuming different personas
4. Getting what you want
• It can be very easy or very hard, and it yields the largest rewards.
Slide 8: Types of Social Engineering Attacks
• Four categories of attacks:
1. Direct request – usually the least likely to succeed.
2. Contrived situation – additional factors the victim must consider.
3. Walking the walk, talking the talk – service person, employee, carrying a clipboard.
4. Personal persuasion – make the victim believe she is in control.
Slide 9: Building Blocks
• Bold impersonation – impersonate another employee.
• Learn the lingo – sound like an employee, using company jargon and dropping the names of other employees.
• Fragmentation – gather information one piece at a time across multiple conversations.
• Avoid detection – use different callers.
Slide 10: Cialdini’s Six Principles of Influence
• Social engineering’s goal is to influence the victim to reveal sensitive information!
Slide 11: Cialdini’s Six Principles of Influence
• Six elements of influence in social engineering:
1. Authority – “wearing a uniform, …”; “people are highly responsive, without question, to those with authority”.
2. Scarcity – “sense of urgency”.
3. Similarity – “people are comfortable with those similar to themselves”; “same problems at work, same interests, political frustrations, etc.”
4. Reciprocation – “something for something”; “but you agreed!”
5. Commitment – “what people do today they will likely do tomorrow”.
6. Social proof – “he knows William’s cell, so he must be important”.
Slide 12: Reverse Social Engineering
• The social engineer tricks you into asking him for help.
• Sabotage – create a paper jam on a printer.
• Advertising – leave a business card advertising the attacker’s services to fix PCs.
• Assisting – the attacker assists the victim with the solution.
Slide 13: Real Example (names have been changed)
From: Alan Davis <alan@acrne.com>
To: Cheryl Hines <cheryl.hines@example.com>

Cheryl,
I just called Bob on his cell phone to ask if he could send me a copy of the press release that is to go out later today. He was picking up his daughter Jennifer from school and he asked me to reach out to you. Can you please send me a copy right away? It’s a little urgent, as you can imagine.

• Bob was enjoying his lunch with coworkers in a Thai place next to the office.
• He casually mentioned that today a press release for Acme will be issued, and that he’ll be taking off early to pick up his daughter Jen from school.
• At 2:15 pm, his secretary Cheryl received an email, followed up by a frantic call from Alan. Since Bob was away, she promptly sent him the release.
Slide 14: Yet another example. Is your organization safe?
Slide 15: Yet another example
• “Yes, hi – Gilt Customer Support?”
• “This is Aleksandr Yampolskiy. I am on vacation in the Dominican Republic and I can’t log in to the Gilt site. Could you reset my password?”
• “Sure, my email is ayampolskiy@gilt.com and my address is 135 East 50th Street, NY, NY.”
• “Thank you so much!”
Slide 16: Customer Support
• All people are naturally helpful, and especially Customer Support, since their job is to help!
• They are generally not trained to question the validity of each call.
• That makes them prime targets for social engineering.
Slide 17: Customer Identification
• You must have at least 1.5 points to verify the identity of a customer if they have previously placed an order.
• You must have at least 1 point if no orders were placed.
• Do not provide information unrelated to the user’s account (users calling regarding spending habits of children, spouse, etc. cannot be discussed).
• Password resets can be requested over the phone, but first verify the identity, then send the password by e-mail.
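The Customer Identification rules above are easy to write down and easy to apply inconsistently on the phone, so a support tool would normally encode them. The following is an added example, not code from the talk or from Gilt: the thresholds (1.5 points with a prior order, 1 point without) are the slide's, while the verification factors and their point weights are assumptions chosen for illustration. The password-reset helper follows the last bullet: verify first, then send the reset only to the address already on file.

```python
# Added example, not from the talk: the Customer Identification rules as a
# policy-as-code check. Thresholds come from the slide; the factor names and
# point weights below are ASSUMED for illustration and are not Gilt's values.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Hypothetical weights. Facts an impostor can learn from a public profile or a
# casual conversation (e-mail address, postal address) score low; facts tied
# to the account record or to a channel the real customer controls score more.
FACTOR_POINTS: Dict[str, float] = {
    "email_on_file": 0.5,
    "billing_address": 0.5,
    "last_order_number": 1.0,
    "last_four_of_card": 1.0,
    "one_time_code_to_email_on_file": 1.5,
}


@dataclass
class VerificationResult:
    verified: bool
    points: float
    required: float
    matched: List[str] = field(default_factory=list)


def required_points(has_prior_orders: bool) -> float:
    """Threshold from the slide: 1.5 points with a prior order, else 1 point."""
    return 1.5 if has_prior_orders else 1.0


def verify_identity(confirmed_factors: Iterable[str],
                    has_prior_orders: bool) -> VerificationResult:
    """Sum the points of the factors the agent confirmed against the record.
    Each factor counts once; an unknown factor name is an error rather than
    silently counting for zero."""
    matched = sorted(set(confirmed_factors))
    unknown = [f for f in matched if f not in FACTOR_POINTS]
    if unknown:
        raise ValueError(f"unknown verification factor(s): {unknown}")
    points = sum(FACTOR_POINTS[f] for f in matched)
    required = required_points(has_prior_orders)
    return VerificationResult(points >= required, points, required, matched)


def handle_password_reset(confirmed_factors: Iterable[str], has_prior_orders: bool,
                          email_on_file: str) -> Dict[str, str]:
    """Phone reset flow from the slide: verify first, then send the reset to
    the e-mail address already on the account, never to an address the caller
    supplies during the call."""
    result = verify_identity(confirmed_factors, has_prior_orders)
    if not result.verified:
        return {"action": "deny",
                "reason": f"{result.points} of {result.required} points"}
    return {"action": "send_reset", "to": email_on_file}


if __name__ == "__main__":
    # The caller on slide 15 offers only an e-mail address and a postal
    # address. For an account that has ordered before (assumed here) that is
    # 1.0 of 1.5 points, so the reset is denied.
    print(handle_password_reset(["email_on_file", "billing_address"], True,
                                "customer@example.com"))
```

With these weights, the slide-15 call (e-mail address plus postal address) is worth 1.0 point, which passes for a customer with no order history and fails for one who has ordered before; adding one account-bound fact such as the last order number is what tips it over.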
Slide 18: Defenses
• Recognize the situation when it comes.
• Don’t be afraid to say “NO!”
• Have an incident response policy.
Slide 19: Social Engineering by Email
• Spear phishing: targeted email which appears to be coming from your colleague or a friend.
• Nigerian scam, aka 419 scam: forward money in hopes of financial gain.
• PDF, JPEG, EXE attachments with greeting cards, images, documents.
Lovebug virus
Slides 20–22: Security Awareness – E-Mail Usage
• What do suspicious E-Mails look like?
(Slide content labelled “Original”, “Response 1” and “Response 2” is not reproduced in this transcript.)
Slide 23: Stay Safe – Phishing
• Some advice to stay safe:
1. Don’t assume that an email is legitimate even if you get it from a colleague or a friend.
2. Companies like PayPal always address their customers by their username in emails, so if an email addresses a user in a generic fashion (“Dear PayPal customer”) it is likely to be an attempt at phishing.
3. Be cautious about posting your e-mail address on public web sites.
4. Disguise your e-mail address when you post it to a newsgroup, chat room or bulletin board.
5. Use multiple e-mail addresses for different purposes, e.g. one to correspond with friends and colleagues and another for public forums.
6. Do not reply to spam.
7. If you have a website or blog, use an encoded e-mail address on the site.
8. Use your common judgment, or ask security@.
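The indicators on this slide and on slide 19 (a generic greeting, manufactured urgency, lure attachment types, and mail that claims to be a colleague but arrives from outside the company's own domains) can be turned into a triage score that a mail gateway or a help-desk tool applies before a human looks at the message. The example below is added here and is not code from the talk; the regular expressions, the two-indicator threshold, the fictional organisation domain example.com and the three sample messages (the first follows the wording of the slide-13 e-mail) are all constructed for illustration.

```python
# Added example, not from the talk: scoring a message against the phishing
# indicators the slides describe. Weights, threshold, the organisation's
# domain list and the sample messages are constructed for illustration.
import os
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr
from typing import Dict, List, Set

# "Dear PayPal customer", "Hello valued member", ... at the start of a line.
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\b[^\n,]{0,30}?\b(customer|user|member|client|account holder)\b",
    re.IGNORECASE | re.MULTILINE)
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|within 24 hours|suspended|verify your account)\b",
    re.IGNORECASE)
# Attachment types the talk lists as lures; extend for your own environment.
LURE_EXTENSIONS = {".pdf", ".jpg", ".jpeg", ".exe"}


def _domain(address_header) -> str:
    """Domain part of an address header such as 'Alan Davis <alan@acrne.com>'."""
    return parseaddr(address_header or "")[1].rpartition("@")[2].lower()


def _plain_text(msg: Message) -> str:
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8",
                                         errors="replace"))
    return "\n".join(chunks)


def score_message(raw: str, org_domains: Set[str]) -> Dict[str, object]:
    """Return the indicators found; two or more is treated as suspicious.
    Zero indicators is not proof of legitimacy (slide 23, point 1)."""
    msg = message_from_string(raw)
    text = _plain_text(msg)
    reasons: List[str] = []
    if GENERIC_GREETING.search(text):
        reasons.append("generic greeting")
    if URGENCY.search(text) or URGENCY.search(msg.get("Subject", "")):
        reasons.append("urgency language")
    sender = _domain(msg.get("From"))
    if sender and sender not in org_domains:
        reasons.append(f"external sender {sender}")
    reply_to = _domain(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        reasons.append(f"reply-to domain {reply_to} differs from sender")
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name)[1].lower() in LURE_EXTENSIONS:
            reasons.append(f"lure attachment {name}")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}


def build_sample(from_: str, to: str, subject: str, body: str,
                 attachment: str = None, reply_to: str = None) -> str:
    """Build a constructed RFC 5322 message for the demonstration."""
    m = EmailMessage()
    m["From"] = from_
    m["To"] = to
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


ORG_DOMAINS = {"example.com"}  # constructed: the fictional target company's own domains

# Constructed samples. The first follows the wording of the slide-13 e-mail.
SPEAR_PHISH = build_sample(
    "Alan Davis <alan@acrne.com>", "Cheryl Hines <cheryl.hines@example.com>",
    "Press release",
    "Cheryl,\nI just called Bob on his cell phone to ask if he could send me a copy "
    "of the press release that is to go out later today. Can you please send me a "
    "copy right away? It's a little urgent, as you can imagine.\n")
GENERIC_PHISH = build_sample(
    "PayPal <service@paypal-alerts.test>", "cheryl.hines@example.com",
    "Account notice",
    "Dear PayPal customer,\nYour account will be suspended unless you verify your "
    "account immediately using the attached statement.\n",
    attachment="statement.pdf", reply_to="collect@reply-drop.test")
INTERNAL_OK = build_sample(
    "Bob Smith <bob.smith@example.com>", "cheryl.hines@example.com",
    "Thursday agenda",
    "Hi Cheryl,\nThursday's agenda is attached below. Let me know if anything is missing.\n")

if __name__ == "__main__":
    for label, raw in [("spear", SPEAR_PHISH), ("generic", GENERIC_PHISH), ("ok", INTERNAL_OK)]:
        print(label, score_message(raw, ORG_DOMAINS))
```

The slide-13 message scores on urgency and on its external sender, which is enough to route it for a second look; the generic PayPal-style message trips every indicator. The internal message scores zero, which is exactly why the slide's first piece of advice still applies: a score like this narrows the queue, it does not certify a sender.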
Slide 24: Social engineering via websites
Slide 25: Malware has many shapes and forms
• Many of these viruses spread through social sites (a user is 10x more likely to open them than via email).
Slide 26: Fake YouTube videos
• A concrete example: Erin Andrews is an ESPN sportscaster who was secretly videotaped through a hotel peephole in July 09.
• Shortly thereafter, a site, video.report-cnn.com, hosting the tape appeared.
Text of the fake player lure shown on the slide:
“LIVE VIDEO PLAYER BLOCKED. Your popup blocker has blocked access to the Video Player. To view your video, please launch the Live Video Player below.”
Slide 27: Social Engineering
• Spear phishing: a highly targeted phishing attack.
• Disguised as a legitimate communication.
• Giltcorp.com is not owned or operated by Gilt.
Slide 28: Social Engineering
Slide 29: Preventing social engineering on the web
• Incident response policy, outlining the steps to take if a phishing website resembling Gilt is detected.
• Buy similar-sounding domains.
• Block these sites at the firewall level.
• Education. Test whether your users fall for it!
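Both "buy similar-sounding domains" and "block these sites at the firewall" need a way to decide whether an observed domain is a lookalike of one the company owns. The check below is an added example, not code from the talk or from Gilt, and it flags the cases the talk itself shows: a brand embedded in a longer name (giltcorp.com, video.report-cnn.com) and a homoglyph spelling (the "acrne" sender of slide 13, where "rn" reads as "m"), plus typo and other-TLD variants. The brand list, the legitimate-domain list, the homoglyph table, the edit-distance threshold and the proxy log lines are all constructed for illustration.

```python
# Added example, not from the talk: a lookalike-domain check over proxy log
# lines, of the kind a firewall block rule or a defensive-registration review
# needs. Brand list, legitimate domains and sample log are constructed.
import re
from typing import Dict, Iterable, Set, Tuple

# Character substitutions that read alike in many fonts (illustrative table).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

BRANDS = ["gilt", "acme", "cnn"]                     # constructed brand list
LEGIT_DOMAINS = {"gilt.com", "acme.com", "cnn.com"}  # constructed allow-list


def normalize(label: str) -> str:
    """Collapse homoglyph spellings so 'acrne' compares as 'acme'."""
    label = label.lower()
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('giltcorp' for video.giltcorp.com). Assumes a
    one-label public suffix; production code should use the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brands: Iterable[str], legit: Set[str]) -> Tuple[str, str]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', reason)."""
    domain = domain.lower().strip(".")
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return "legitimate", ""
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        if norm == brand:
            return "lookalike", f"{label!r} reads as {brand!r} (other TLD or homoglyphs)"
        if edit_distance(norm, brand) <= max(1, len(brand) // 4):
            return "lookalike", f"{label!r} is a typo away from {brand!r}"
        if brand in norm:
            return "lookalike", f"{label!r} embeds brand {brand!r}"
    return "unrelated", ""


# Constructed proxy log lines: timestamp, user, method, URL.
SAMPLE_PROXY_LOG = """\
2010-01-01T12:00:01 alice GET http://www.gilt.com/sale
2010-01-01T12:00:05 bob GET http://giltcorp.com/login
2010-01-01T12:00:09 carol GET http://video.report-cnn.com/player
2010-01-01T12:00:12 dave GET http://mail.acrne.com/
2010-01-01T12:00:15 erin GET http://gillt.com/
2010-01-01T12:00:18 frank GET http://gi1t.com/
2010-01-01T12:00:20 grace GET http://example.org/
"""


def hosts_to_block(log_text: str, brands=BRANDS, legit=LEGIT_DOMAINS) -> Dict[str, str]:
    """Map each lookalike host seen in the log to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = re.search(r"https?://([^/\s:]+)", line)
        if not m:
            continue
        host = m.group(1).lower()
        verdict, why = classify(host, brands, legit)
        if verdict == "lookalike":
            findings[host] = why
    return findings


if __name__ == "__main__":
    for host, why in hosts_to_block(SAMPLE_PROXY_LOG).items():
        print(f"block {host}: {why}")
```

Two caveats a practitioner would add: the embedded-brand rule is only safe for brands long enough not to occur inside ordinary words (a three-letter brand will collide), and the one-edit threshold will flag innocent near-neighbours of short names, so the output is a review queue for the people who buy domains and maintain the firewall list rather than an automatic block.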
Slide 30: Any questions?