Module 3 social engineering-b



  1. Module 3: Social Engineering
  2. Social Engineering
     Did you know that humans get hacked as much as computers? It's called social engineering, and it has been happening since long before computers existed!
  3. Module Objectives
     This module will cover the following:
     • What is social engineering
     • Background
     • Examples
     • Countermeasures
  4. Social Engineering Definition
     Social engineering: n. Term used among hackers and security professionals for techniques that rely on weaknesses in people rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security.
     Source: The Hacker's Jargon Dictionary
  5. Social Engineering Definition
     Impersonation and deception for the purpose of gathering information to obtain:
       • Network information
       • System access information
       • Personal information
       • Passwords
     Impersonation and deception for the purpose of influencing action, such as:
       • Establishing, moving, or canceling a service
       • Making a commitment or scheduling an engagement for which someone else is responsible
  6. Social Engineering
     Can you spot a "Social Engineer" in this group?
  7. Social Engineering Methods
  8. Social Engineering Methods
     Social Engineering by Phone
     • The most prevalent type of social engineering attack.
     • Callers may be male or female.
     • The caller may appear to know the make and model of your equipment.
     • The caller is after equipment serial numbers on devices such as printers, copiers, and computers.
     • The caller will attempt to gain as much 'extra' information as possible, such as phone numbers, fax numbers, employee titles, addresses and other employee information.
     • The caller uses a 'private' or spoofed phone number.
     • Demonstration
  9. Social Engineering Methods
     Social Engineering in Person
     • Dumpster diving: a huge amount of information can be collected from company dumpsters and trash. Examples include company phone books, organizational charts, memos, company policy manuals, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.
     • Impersonation: a repairman, trusted third party, fellow employee, anyone in uniform. Example: the hacker studies a real individual in an organization and waits until that person is out of town to impersonate him, dressed in corporate uniform, with a fake ID…
  10. Social Engineering Methods
     Social Engineering by Internet
     • Fraudulent messages are designed to fool the recipients into divulging personal authentication data such as account usernames and passwords, credit card numbers, social security numbers, etc.
     • Phishing attacks use email or malicious web sites to solicit personal, often financial, information or login/password information.
     • Email attachments that appear to come from an authentic sender can carry viruses, worms and Trojan horses.
     • Because these emails look "official", over 5% of recipients may respond to them, resulting in financial losses, identity theft, release of sensitive information or other fraudulent activity.
  11. Social Engineering Methods
     Social Engineering by Mail or E-mail
     • E-mails that offer friendships, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.
     • The victim is motivated to open the message because it appears to:
       • Offer useful information, such as security notices or verification of a purchase
       • Promise a diversion, such as jokes, gossip, cartoons or photographs
       • Give away something for nothing, such as music, videos or software downloads
  12. Social Engineering Countermeasures
     • Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
     • Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person's authority to have the information.
     • Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
  13. Social Engineering Countermeasures
     How to avoid being a victim?
     • Don't send or provide sensitive information over the Internet, over the phone, or in person before checking authenticity.
     • Pay attention to the URL of a web site. Malicious web sites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
     • If you are unsure whether an email or "snail mail" request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a web site connected to the request.
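As an added illustration of the "pay attention to the URL" countermeasure on slide 13 (example code, not part of the original deck), this Python check compares the host of a link against a constructed allowlist of legitimate domains and flags a different top-level domain or a one-character spelling variation; the domain names used are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of legitimate sites (assumption, not from the slides).
TRUSTED_DOMAINS = {"examplebank.com", "example.org"}


def registered_domain(host):
    """Return the last two labels of a hostname, e.g. 'examplebank.com'.
    Simplification: two-part public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot small spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url):
    """Classify a link as 'trusted', 'tld-variation', 'lookalike' or 'unknown'.

    urlsplit().hostname ignores any user@ prefix and the path, so a link such as
    http://examplebank.com@other-host/ is judged by its real host, not the decoy."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    domain = registered_domain(parts.hostname or "")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:
            return "tld-variation"   # same name, .net instead of .com
        if edit_distance(name, tname) <= 1:
            return "lookalike"       # one character changed, e.g. a digit for a letter
    return "unknown"                 # not on the allowlist; verify out of band


if __name__ == "__main__":
    for link in ("https://www.examplebank.com/login", "https://examplebank.net/login",
                 "http://examp1ebank.com/", "http://examplebank.com.login-verify.example/"):
        print(link, "->", check_url(link))
```

A hit of anything other than "trusted" is the cue the slide describes: stop and verify the request with the company through a contact route you already know.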
  14. Exercise
     Social engineering
     Name 3 companies:
       • ________________
       • ________________
       • ________________