Social engineering (Ingeniería social)

Social engineering
http://www.cse.unr.edu/~mgunes/cs450/cs450sp11/student/

Published in: Education

  1. Social Engineering Training
     Jan-Willem Bullee
     Cyber-crime Science
  2. Background
     • Effectiveness of authority on compliance
     • We can get some of the answers from
       » Literature (meta-analysis)
       » Attacker stories/interviews
     • But the answers are inconclusive
       » Different context
       » Hard to measure human nature
       » Difficult to standardize behaviour
  3. Persuasion Principles
     • Authority
     • Conformity
     • Commitment
     • Liking
     • Reciprocity
     • Scarcity
  4. Authority
     • Titles: Professionals vs Lay people
     • Clothing: Formal vs Casual
     • Trappings: Status vs Insignificance
     [Cia01] R. B. Cialdini. The science of persuasion. Scientific American Mind, 284:76-81, Feb 2001. http://dx.doi.org/10.1038/scientificamerican0201-76
  5. Literature on Authority
     • Classical Milgram shock experiment
       » 66% full compliance
     • Nurse-physician relationship
       » 95% compliance
     • Login credentials
       » 47% compliance
     [Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4):371-378, 1963.
  6. Success Factors of Authority
     • Sense of duty
     • Obedience to authority
  7. Attacker Stories
     • Books about social engineering
     • Six principles of persuasion
     • Provisional results:
       » 4 books
       » 100 cases
     [Mit02] K. Mitnick, W. L. Simon, and S. Wozniak. The Art of Deception: Controlling the Human Element of Security. Wiley, Oct 2002. http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0471237124.html
  8. Mitnick Analysis
  9. Nurse Study: Design
     • Attacker: Doctor
     • Target: Nurse
     • Goal: Violating policy
       » Maximum dose of medicine
     • Interface: Phone
     • Persuasion principle: Authority
     [Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in nurse-physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.
  10. Stealing a Key
     • What is the influence on compliance with a request of:
       » Social engineering (e.g. authority)
     • You are the researchers!
  11. Our Design
     • Attacker: You (student)
     • Target: Employee
     • Goal: Violating policy
       » Sharing office key with a third party
     • Interface: Face to face
     • Persuasion principle: Authority
  12. Method: Our Design
     • Dependent and independent variables
     • 4 experimental conditions
       » Intervention / No intervention
       » Authority / No authority
     • Dependent variable
       » Compliance / No compliance with the request
     [Figure: Request -> Comply]
     [Fie09] A. Field. Discovering statistics using SPSS. Sage, London, 3rd edition, Jan 2009. http://www.uk.sagepub.com/field3e/main.htm
  13. Method: Our Procedure
     • Subjects from the Carré building
       » 14 research groups
       » 4 conditions
     • Intervention vs No intervention
     • Authority: Suit vs Casual
     • Randomized sample
     • Attack in 1 day
  14. Method: Our Procedure
     • Attack targets
       » Impersonate the facility manager and ask for the employee's key
       » Short questionnaire
       » Note date, time, location, condition, compliance, difficulty, etc.
     • More details on the course site
  15. What to do on Wed 11 Sep
     • Attacker training in the morning, CR2022
     • Execute the experiment individually (or in duos)
       » One or two attackers per area
       » Condition and area allocation: Jan-Willem Bullee, on the course site soon
       » Debrief directly after the attack
  16. What to do on Wed 11 Sep
     • We have permission to do this only at
       » UT: Carré
     • Enter your data in SPSS
       » Directly after the attack
       » Come to me, ZI4047
     • Earn 0.5 (out of 10) bonus points
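Slides 12 to 16 describe a 2 x 2 field experiment: each approached employee is recorded with the two independent variables (authority, intervention) and the binary dependent variable (complied or not), and the records are then entered into SPSS. The Python script below is an added example, not part of the original slides, showing the analysis step those slides lead up to: it tabulates such records into per-condition compliance rates, builds the 2 x 2 contingency table for each factor, and runs a Pearson chi-square test and odds ratio on it. Every record is constructed for illustration (the counts are not results from the Carré experiment), and the field names are assumptions.

```python
"""Tabulating a 2 x 2 social-engineering field experiment.

Added example; the records are CONSTRUCTED to illustrate the analysis
and are not results of the Carré experiment. Conditions and fields
follow slides 12 and 14:
  independent variables: authority (suit vs casual), intervention (yes/no)
  dependent variable:    compliance (key handed over or not)
"""
import math
from collections import defaultdict


def make_records(counts, per_condition=10):
    """Expand constructed compliance counts into one row per target.

    counts maps (authority, intervention) -> number of complying targets
    out of `per_condition` targets approached. Field names are assumed.
    """
    rows = []
    for (authority, intervention), complied in counts.items():
        for i in range(per_condition):
            rows.append({
                "authority": authority,
                "intervention": intervention,
                "complied": i < complied,  # constructed outcome
            })
    return rows


# Constructed data: 10 targets per condition, 40 in total.
CONSTRUCTED_COUNTS = {
    (True, False): 8,   # suit, no intervention
    (True, True): 5,    # suit, intervention
    (False, False): 4,  # casual, no intervention
    (False, True): 2,   # casual, intervention
}
RECORDS = make_records(CONSTRUCTED_COUNTS)


def compliance_by_condition(records):
    """Return {(authority, intervention): (complied, approached, rate)}."""
    tally = defaultdict(lambda: [0, 0])
    for r in records:
        cell = tally[(r["authority"], r["intervention"])]
        cell[0] += int(r["complied"])
        cell[1] += 1
    return {k: (c, n, c / n) for k, (c, n) in tally.items()}


def contingency(records, factor):
    """2 x 2 table for one factor:
    [[present & complied, present & refused],
     [absent & complied,  absent & refused]]"""
    table = [[0, 0], [0, 0]]
    for r in records:
        row = 0 if r[factor] else 1
        col = 0 if r["complied"] else 1
        table[row][col] += 1
    return table


def chi_square_2x2(table):
    """Pearson chi-square (1 df, no continuity correction) and p-value.

    With 1 degree of freedom the survival function of chi-square is
    erfc(sqrt(x / 2)), so no SciPy is needed. The approximation is poor
    when an expected cell count is below 5; here all are >= 5.
    """
    (a, b), (c, d) = table
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:
        raise ValueError("a row or column of the table is empty")
    chi2 = n * (a * d - b * c) ** 2 / denom
    p = math.erfc(math.sqrt(chi2 / 2))
    return chi2, p


def odds_ratio(table):
    """Odds of compliance when the factor is present vs when absent."""
    (a, b), (c, d) = table
    return (a * d) / (b * c)


if __name__ == "__main__":
    for cond, (c, n, rate) in sorted(compliance_by_condition(RECORDS).items()):
        print(f"authority={cond[0]!s:5} intervention={cond[1]!s:5} "
              f"{c}/{n} = {rate:.0%}")
    for factor in ("authority", "intervention"):
        t = contingency(RECORDS, factor)
        chi2, p = chi_square_2x2(t)
        print(f"{factor}: table={t} chi2={chi2:.2f} p={p:.3f} "
              f"OR={odds_ratio(t):.2f}")
```

Testing each factor separately with a chi-square ignores the interaction between authority and intervention; the full factorial analysis of a binary outcome is a logistic regression with both factors and their product term, which is what the SPSS step in slide 16 would be used for. With cells this small (10 targets per condition), Fisher's exact test or a continuity-corrected chi-square is the safer choice than the uncorrected statistic shown here.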
  17. Ethical Issues
     • Informed consent not possible
     • Zero risk for the subjects
     • Approved by facility management
     • Consistent with data protection (PII form)
     • Approved by the ethics committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/
  18. Conclusion
     • Designing research involves:
       » Decide what data are needed
       » Decide how to collect the data
       » Use validated techniques where possible
       » Experimental design, pilot, evaluate and improve
       » Training, data gathering
       » Start again...
  19. Further Reading
     [Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
     [Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295