Data Security Concepts
COUNTERACTING SOCIAL ENGINEERING EXPLOITS
BY NICKKISHA FARRELL BSc IT, DIP Ed
January 2014
An introductory look at Social Engineering and some measures for counteracting Social Engineering Exploits.
IN THIS PRESENTATION

What is Social Engineering
Identifying Social Engineering Exploits
Counteracting Social Engineering Exploits
Evolving Social Engineering Organization Policies

INTRODUCTION

During the last 15 years, software makers have improved their security practices.

Enterprises have deployed better security defenses.

These improvements have pushed cybercriminals to target vulnerable humans rather than vulnerable code.

SOCIAL ENGINEERING

The art of gaining access to buildings, systems or data by exploiting or manipulating human psychology, rather than by breaking in or using technical hacking techniques. For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

ORIGINS OF SOCIAL ENGINEERING

Social engineering attacks usually originate from one of three zones: trusted, internal and external.

Internal threats come from employees who manipulate other employees to gather sensitive information and access to IT systems. They may include disgruntled employees, temporary employees, employees with criminal tendencies, and ancillary workers such as housekeeping and maintenance staff.

Trusted threats come from other individuals who are formally associated with your organization on a regular basis but are not on your payroll. These can include contractors and consultants, as well as partner organizations.

External threats come from people who are not associated with your organization. This category can include recreational hackers, competitors wanting to uncover confidential information, or criminals wanting to steal something.

This document focuses on the external attacker.
HOW SOCIAL ENGINEERS WORK

Criminals will often take weeks and months getting to know a place before even coming in the door or making a phone call. Their preparation might include finding a company phone list or org chart and researching employees on social networking sites like LinkedIn or Facebook.

Once a social engineer is ready to strike, knowing the right thing to say, knowing whom to ask for, and having confidence are often all it takes to gain access to a facility or sensitive data.

SOCIAL ENGINEERING TACTICS

Tactic 1: Ten degrees of separation
The number one goal of a social engineer who uses the telephone as his modus operandi is to convince his target that he is either 1) a fellow employee or 2) a trusted outside authority (such as law enforcement or an auditor). According to Sal Lifrieri, a 20-year veteran of the New York City Police Department, there might be ten steps between a criminal's target and the person he or she can start with in the organization. "The common technique [for the criminal] is to be friendly," said Lifrieri. "To act like: 'I want to get to know you. I want to get to know stuff that is going on in your life.' Pretty soon they are getting information you wouldn't have volunteered a few weeks earlier."

Tactic 2: Learning your corporate language
A social engineering criminal will study that language and be able to rattle it off with the best of them. "It's all about surrounding cues. If I'm speaking a language you recognize, you trust me. You are more willing to give me that information I'm looking to get out of you if I can use the acronyms and terms you are used to hearing."

Tactic 3: Borrowing your 'hold' music
Another successful technique involves recording the "hold" music a company uses when callers are left waiting on the phone. "The criminal gets put on hold, records the music and then uses it to their advantage. When he or she calls the intended victim, they talk for a minute and then say 'Oh, my other line is ringing, hold on,' and put them on hold. The person being scammed hears that familiar company music and thinks: 'Oh, he must work here at the company. That is our music.' It is just another psychological cue."

Tactic 4: Phone-number spoofing
Criminals often use phone-number spoofing to make a different number show up on the target's caller ID. The criminal could be sitting in an apartment calling you, but the number that shows up on the caller ID appears to come from within the company. Of course, unsuspecting victims are more than likely to give private information, like passwords, over the phone if the caller ID legitimizes it. And, of course, the crime is often undetectable afterwards because if you dial the number back, it goes to an internal company number.

Tactic 5: Using the news against you
"Whatever is going on in the headlines, the bad guys are using that information as social engineering lures for spam, phishing and other scams." Marcus said Avert has seen a rise in the number of presidential campaign-related and economic crunch-based spam emails lately. "The email will say 'Your bank is being bought by this bank. Click here to make sure you update information before the sale closes.'"

Tactic 6: Abusing faith in social networking sites
People have a lot of faith in social networking sites like Facebook and LinkedIn. A recent spear-phishing incident targeted LinkedIn users, and the attack was surprising to many. Emails are usually worded like this: "[site] is doing maintenance, click here to update your information." Of course, when you click on the link, you go to the bad guys' site. One solution is to type in web addresses manually to avoid malicious links, and also to keep in mind that it is very rare for a site to send out a request for a password change or an account update.

Tactic 7: Typo squatting
On the Web, scammers also bank on the common mistakes people make when they type. When you type in a URL that's just one letter off, suddenly you can end up on a completely different site looking just like the one you intended. Instead of going where they wanted, unsuspecting users who make typing mistakes end up on a fake site that either intends to sell something, steal something, or push out malware.
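Tactics 6 and 7 both rely on a link whose host merely resembles a site the reader trusts: a letter off, two letters swapped, a different top-level domain, or the real name buried as a subdomain of an attacker-controlled host. The following Python is an added example, not part of the original deck: a defender-side check that pulls every link out of a message body and compares its host against a constructed allow-list of the organisation's own domains (TRUSTED_DOMAINS is an assumption standing in for the real list) using optimal string alignment distance, so that such lookalikes are flagged for review rather than trusted on sight.

```python
"""Lookalike-link check for e-mail bodies.

Added example (not part of the original deck). TRUSTED_DOMAINS is a
constructed allow-list standing in for the organisation's real domains.
"""
import re
from urllib.parse import urlsplit

# Constructed allow-list: the sites users are actually meant to visit.
TRUSTED_DOMAINS = {"example.com", "examplebank.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and transposition of two adjacent characters each cost 1. This catches
    the one-letter-off and swapped-letter domains typo squatters register."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev1[j] + 1,         # delete ca
                         cur[j - 1] + 1,       # insert cb
                         prev1[j - 1] + cost)  # substitute
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transpose
        prev2, prev1 = prev1, cur
    return prev1[len(b)]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: multi-label public
    suffixes such as co.uk would need a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_domain_it_resembles).

    'trusted'   - host is a trusted domain or one of its subdomains
    'lookalike' - host is within max_distance edits of a trusted domain,
                  shares its second-level label (different TLD), or embeds
                  the trusted name as a subdomain of something else
    'unknown'   - none of the above (not necessarily safe, just unmatched)
    """
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("unknown", "")
    domain = registrable_domain(host)
    if domain in trusted:
        return ("trusted", domain)
    sld = domain.split(".")[0]
    best = None
    for t in sorted(trusted):
        dist = min(osa_distance(domain, t), osa_distance(sld, t.split(".")[0]))
        if t in host or dist <= max_distance:
            if best is None or dist < best[0]:
                best = (dist, t)
    return ("lookalike", best[1]) if best else ("unknown", "")


def scan_message(text: str):
    """Extract every http(s) link from a message body and classify it."""
    return [(url, *classify_url(url)) for url in URL_RE.findall(text)]


# Constructed sample in the style of the maintenance-notice lure quoted above.
SAMPLE_MESSAGE = """Our site is doing maintenance, click here to update your information:
https://examp1e.com/account/update
Or sign in at https://example.com.account-verify.net/login
Genuine help page for comparison: https://www.example.com/help"""

if __name__ == "__main__":
    for url, verdict, match in scan_message(SAMPLE_MESSAGE):
        note = f"  (resembles {match})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {url}{note}")
```

Two tuning notes: an edit distance of 2 is generous for very short domain names and will over-flag them, so lower max_distance or compare only the second-level label for those; and "unknown" means only that the host matched nothing on the allow-list, not that it is safe, so the verdict belongs in a review queue or a mail-gateway banner, not in an automatic allow decision.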
IDENTIFY SOCIAL ENGINEERING EXPLOITS

On the phone:
A social engineer might call and pretend to be a fellow employee or a trusted outside authority (such as law enforcement or an auditor).

In the office:
"Can you hold the door for me? I don't have my key/access card on me." How often have you heard that in your building? While the person asking may not seem suspicious, this is a very common tactic used by social engineers.

Online:
Social networking sites have opened a whole new door for social engineering scams. A common scam is to pose as a Facebook "friend." Criminals are stealing passwords, hacking accounts and posing as friends for financial gain. One popular tactic used recently involved scammers hacking into Facebook accounts and sending a message on Facebook claiming to be stuck in a foreign city and in need of money. Social engineers also take advantage of current events and holidays to lure victims.

COUNTERACTING SOCIAL ENGINEERING EXPLOITS

Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.

Fortunately, social engineering awareness lends itself to storytelling, and stories are much easier to understand and much more interesting than explanations of technical flaws.

Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.

Design an in-house social engineering penetration test

Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator. Nobody likes to look foolish. Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.

A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.

Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download. The toolkit helps automate penetration testing via social engineering, including spear-phishing attacks, creation of legitimate-looking websites, USB drive-based attacks, etc.
EVOLVING SOCIAL ENGINEERING ORGANIZATION POLICIES

1. Appeal to personal lives: Get people interested in security by arming them with techniques to secure their personal information; if they securely tend to their own business, they're more likely to tend to their employer's.

2. Make the message visible: Put posters up at copy machines, bulletin boards, and lunchrooms. Make them eye-catching but simple, something anyone walking by can read and interpret without breaking stride; they're more likely to remember the content.

3. Provide treats: Have an occasional celebration where Security thanks the staff for doing their part.

4. Use their desk: Implement a clean desk policy and perform random desk checks after hours. Reward those who have no sensitive material out by leaving a small treat like a piece of candy or pack of gum and a "Thanks for Doing Your Part" note, or enter them in a monthly drawing for a prize. For those who aren't meeting the criteria, leave a gentle reminder with specifics about what needs to be corrected. Repeat offenders should be discussed with management.

5. Bring it to their computer screen: If you have a company newsletter, be certain to include a security article in each edition and provide information on the latest incidents that have occurred, particularly in your industry.

6. Require training: Training programs will be more effective if you include interactive exercises, contests, games, or give-aways.

7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security. If it looks to be important at the top, you can bet it'll be important at the bottom.

- Do background checks when hiring employees.
- Screen temporary and ancillary workers.
- Set up a clear reporting process for security problems.
- Open the lines of communication between physical security and the IT department.
- Monitor employee behavior patterns for abnormal activities and access violations.
- Lock out terminated employees immediately.
- Create a positive work environment, which will cut down on disgruntled employees.
- Publish a formal written company policy stating that the IT department will never ask for a user's password.
- Require ID badges for employees and mandate that an employee with a badge accompany visitors.

SUMMARY

Social engineers increasingly employ elusive social engineering attack tactics to exploit natural human predispositions with the goal of bypassing defenses. These attacks can have very damaging consequences for an organization, but you can take a number of steps to mitigate such attacks. Remember that your employees can make or break your security program: keep them engaged in the process by soliciting feedback and suggestions. A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced.

REFERENCES

http://www.csoonline.com/article/514063/socialengineering-the-basics#1
http://www.csoonline.com/article/460135/socialengineering-eight-common-tactics
http://www.techrepublic.com/article/change-yourcompanys-culture-to-combat-social-engineering-attacks/