Social Engineering: Managing the Human Element
Dr John McCarthy
Cyber Research Fellow, Cranfield University, UK Defence Academy
Airport IT&T 2013 John McCarthy
Published in: Technology, Business
Slide 1: Social Engineering: Managing the Human Element
Dr John McCarthy, Cyber Research Fellow, Cranfield University, UK Defence Academy & Vice President of Cyber Security, ServiceTec Global Services

Slide 2: Social Engineering: Managing the Human Element
Dr John McCarthy Ph.D. B.Sc. (hons) MBCS
Vice President of Cyber Security, ServiceTec International Inc./ServiceTec
Research Fellow at Cranfield University / UK Defence Academy

Slide 3: Partners
- Cyber-Physical Systems Research Centre, based at Cranfield and sponsored by ServiceTec
- University of Nebraska
- Federal Aviation Authority
- Joint Information Operations Warfare Centre, Vulnerability Assessment Branch (JVAB), USA

Slide 4: The Problem

Slide 5: What is Social Engineering?
- Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organisation.
- Social engineering attacks are likely to increase, and it is becoming increasingly important for organisations to address this issue.

Slide 6: Phishing to Honeypots
- In the context of cybersecurity we often think of complex computer systems, sophisticated hackers and hacking techniques.
- All too often the human element in cybersecurity is overlooked. Many criminal gangs utilise social engineering techniques, and the crossover from traditional criminal activities into the cyber world is increasingly common.

Slide 7: Social Engineering Attacks Cost
- In the past two years, 48% of large businesses have suffered from socially engineered attacks at least 25 times, resulting in losses of between $25,000 and $100,000 per incident.
- Attackers' primary motivations are stealing financial information, extracting trade secrets, or revenge.

Slide 8: Who is the enemy?
- Cyber terrorists
- Disgruntled employees
- Hacktivists
- Kiddies
- Cyber criminals
- Foreign governments
- Organised crime

Slide 9: Cultural Background
"It won't happen to me..."

Slide 10: Catch Me If You Can
- Frank Abagnale, before his 19th birthday, successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor, and a Louisiana parish prosecutor.
- His primary crime was cheque fraud; he became so skilful that the FBI eventually turned to him for help in catching other cheque forgers.

Slide 11: Everyday Social Engineering

Slide 12: Stereotypes: Dorothea Puente
- At the age of sixty, police discovered Puente was killing off her boarders and collecting the insurance money.
- Seven bodies were buried in her back yard.

Slide 13: Are you easily persuaded?

Slide 14: Attack Vectors

Slide 15: Phishing Attacks
- Nigerian 419 email scam
- DHL delivery
- Tax refund
- Another bank notice
- PayPal
- Cracking websites of companies or organisations and destroying their reputation (Twitter etc.)

Slide 16: Socially Open to All...
- The primary tool used for social engineering attacks is the phishing email.
- This is followed by the use of social networking sites that disclose employees' personal details.

Slide 17: Targeted Malware
- Targeted malware that is, in some cases, just hours old
- Found a USB drive in the car park? Great, a freebie!
- Combating this type of APT can be incredibly difficult, because all it takes is one employee to open a seemingly innocuous, yet really malicious, attachment, and the business can be compromised.

Slide 18: Common Attack Entry Points
- Customer service
- Tech support
- Delivery person
- Tailgating

Slide 19: Information Gathering Techniques
- Research: professional gangs can spend months gathering information from the web and from employees.
- Dumpster diving: poor disposal of confidential data.

Slide 20: Traditional Sources
- Websites: you can find information about the company, what they do, the products and services they provide, physical locations, job openings, contact numbers, and bios of the executives or board of directors.
- Public servers: a company's publicly reachable servers. Fingerprinting servers for their OS, application, and IP information can tell you a great deal about their infrastructure.

Slide 21: Traditional Sources
- Social media is a technology that many companies have recently embraced. User sites such as blogs, wikis, and online videos may provide information about the target company.
- A disgruntled employee who is blogging about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems.
- Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, etc.

Slide 22: Non-Traditional Sources
- Industry experts or subject matter experts can provide detailed information about an area without providing anything regarding the target company.
- "When in Rome, do as the Romans do": engaging in activities or frequenting places that employees from the target company also do or visit is an excellent opportunity to elicit information. Proximity to the employees provides opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID cards.

Slide 23: Influencing Others
- Reciprocity, obligation, concession: want a bar of chocolate?
- Scarcity, authority, commitment and consistency, liking, consensus or social proof, framing
- In his book "Influence: The Psychology of Persuasion", Dr. Robert Cialdini states: "Social Proof - People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment aborted, as so many people were looking up that they stopped traffic."
- Manipulation of incentive: financial, social, ideological

Slide 24: Towards a Solution

Slide 25: Let's build a bigger, better wall

Slide 26: Just Say No...

Slide 27: We cannot live in isolation
- Social media has become a necessary part of business.
- Sharing of information and access to information is now expected.
- We need to understand the risks.

Slide 28: Cybersecurity Culture
- Mitigation of social engineering begins with good policy and awareness training.
- Most important of all is creating a cybersecurity culture within an organisation.
- This must start at the top and work down.

Slide 29: Countermeasures
- Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel on when, where, why and how sensitive information should be handled).
- Identifying which information is sensitive and evaluating its exposure to social engineering and to breakdowns in security systems (building, computer system, etc.).
- Establishing security protocols, policies, and procedures for handling sensitive information.
- Training employees in the security protocols relevant to their position (e.g., in situations such as tailgating, if a person's identity cannot be verified, employees must be trained to politely refuse).

Slide 30: Countermeasures
- Performing unannounced, periodic tests of the security framework.
- Reviewing the above steps regularly: no solution to information integrity is perfect.
- Using a waste management service whose dumpsters have locks, with the keys limited to the waste management company and the cleaning staff.
- Locating the dumpster either in view of employees, so that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence, so that a person must trespass before they can attempt to access it.

Slide 31
"(As) the media characterizes social engineering, hackers will call up and ask for a password. I have never asked anyone for their password." Kevin Mitnick
Email: john.mccarthy@servicetec.com
www.airportcybersecurity.com
Airport Cyber Security Podcast