Hacking the Helpdesk, Craig Clark
What is Social Engineering? What risk does it pose to your organisation and how can you protect the service desk from being attacked? Craig Clark explains.
Hacking the Helpdesk: Social Engineering Risks (and how to avoid them)
Craig Clark MSc, SDI(A), ITIL, MTA
Overview
This presentation will cover:
• What is Social Engineering?
• Why are Helpdesks targeted?
• What are the most common attack types?
• What is the cost of a successful attack?
• How to prevent an attack
What is Social Engineering?
In a security context, Social Engineering (SE) can be defined as a combination of social, psychological and information-gathering techniques that are used to manipulate people for nefarious purposes. In other words, SE targets humans rather than technology to exploit weaknesses in an organisation's security. By exploiting this human element, it is possible to gain access to vast amounts of sensitive information, often without the victim's knowledge. This information can then be used for nefarious purposes including:
• Identity/Data Theft
• Corporate Espionage
• Financial Gain
• Unauthorised Access to Buildings or Systems
Why are Helpdesks Targeted?
The Helpdesk function plays a key role within the Service Delivery structure of an organisation. Key functions often include:
• Being a first point of contact for an array of queries
• Being the professional (and hopefully helpful) face of an organisation
• Providing quick fixes to a range of common problems such as password resets, application queries or complaints
How well a Helpdesk delivers these functions is usually measured by the number of resolved queries or the speed at which they are resolved.
Why are Helpdesks Targeted?
But:
Number of Resolved Requests x Speed of Resolution = SECURITY RISK
Helpdesk agents strive to meet their key functions as quickly and efficiently as possible. They are trained to give the best service possible as quickly as possible, which means that in most cases "I'm sorry, I cannot do that for you" is not a response that is even considered. Social Engineers know this, and exploit it to gain access to a variety of information that can be used in a variety of ways.
Why are Helpdesks Targeted?
Examples of information that can be accessed by a Helpdesk include:
• Building Opening Times
• Phone Numbers or Extensions
• Application Status
• User Names
• Passwords
• Password Expiry Dates
• Management Structure
• Personal Identifiable Information
• Payment Information
• Infrastructure Status
• Employee Calendar Information
• Corporate Information
• Email Addresses
• Guest Account Login Details
• Print System Access
• Purchase Order and Invoicing Queries
• Account History including previous incident numbers
• Active Directory Container Names
Common Attack Types
Whaling: Whaling refers to using SE techniques to obtain information relating to the activities, objectives or corporate information held by high-level employees, including directors and executives. Examples include financial reports, global contact lists and sensitive corporate information. A whaling strategy can be carried out over a number of months, and the rewards can be extremely high.
Impersonating: Impersonation is one of the most common and effective tactics used by Social Engineers when calling a Helpdesk. In many organisations, a security check to verify identity consists of a name and a date of birth, both of which are easily obtainable from many places, including social networks, profiles on corporate pages, discarded rubbish etc.
Common Attack Types
Pretexting: Pretexting refers to an attacker assuming a position of authority, or some other plausible cover story, to elicit information. A common example is for attackers to pose as IT technicians in order to obtain an agent's username or password. Once obtained, these details can be used to breach a network and collect large amounts of data.
Quid Pro Quo: This attack uses the promise of a reward in exchange for information. As an example, an attacker can call an agent claiming to be from the HR department and, in exchange for filling in a quick survey delivered by email (which will contain a malicious link), the attacker gives the agent information on an upcoming promotion.
Cost of a Successful Attack
The cost of a successful attack, especially one that remains undetected, can have a wide-reaching impact on business operations.
Financial Loss: According to the latest Government survey, the average cost of a data breach is now £3.14 million per breach. The cost is attributed to business disruption, loss of assets and intellectual property, and the costs associated with restoring service and implementing increased security measures.
Reputation Damage: Following a breach, the damage to an organisation's reputation can be catastrophic. Ashley Madison, Hatton Garden Safe Deposit Ltd. and Thomson Holidays have all received negative publicity following recent security breaches.
Cost of a Successful Attack
Litigation: The Information Commissioner's Office (ICO) is responsible for investigating data breaches which contravene the Data Protection Act and other UK legislation that protects personal data. There is a legal obligation on companies operating in the UK to declare personal data breaches. The ICO can then issue a range of punishments depending on the circumstances. Since 2005, the ICO has issued close to £8 million in fines and over 1,000 compulsory audit and improvement notices. In addition, investigation findings are periodically published and distributed across media platforms.
Attack Prevention
With a robust Information Security strategy, the risks to the Helpdesk from SE attacks can be significantly reduced.
Training: Alerting staff to the dangers of SE, and training them to spot attack types, is one of the most cost-effective strategies. Training should be included as part of the initial induction period, with periodic refreshers as new threats develop. Several training methods can be employed, including:
• Online courses
• Role-playing scenarios
• Workshops
• Call monitoring and feedback
Attack Prevention
Technology: Using call-handling technology that displays both internal and external numbers (including those that have been withheld) can alert an agent to a possible SE attack. Note that a displayed number can be spoofed, so it should be treated as a warning signal that prompts a further check, never as proof of who is calling. Call monitoring and recording facilities are also highly recommended, because the recordings serve as evidence in any breach investigation.
Software: Advances in Cloud Storage (Dropbox, iCloud, OneDrive etc.) are reducing the need for USB storage, which is a major attack vector for malware and keylogging. A robust antivirus, anti-malware and email-screening platform will offer significant protection against many current malicious threats that may arrive via email or instant message.
Attack Prevention
Information Security Policy: Ensuring that your organisation has an in-depth Information Security policy can prevent SE attacks originating from the Helpdesk and beyond. Things to consider within the policy include:
• Can people access only what they need to do their job?
• How is confidential waste destroyed?
• Are calls recorded?
• Can security checks be easily passed (are name, DOB and address sufficient to grant access, password changes etc.)?
• What physical security is in place to prevent people obtaining information in person?
• What security training is provided to agents?
• How are breaches investigated?
• Are USB sticks permitted or necessary?
• What email, antivirus and anti-malware screening is in place?
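The two slides above ask whether a displayed number and a name/DOB check are enough to authorise a password change. The following is an added example, not code from the original slides, of how a Helpdesk could encode the stricter answer: knowledge-based answers only locate the account, caller ID is logged as a warning signal but never trusted, and the reset is approved only once an out-of-band factor (a callback to the number on record, or a single-use code sent to the registered contact) succeeds. The employee directory, phone numbers, the `OtpChannel` class and the `verify_reset` function are all constructed for the example and do not describe any real product.

```python
"""Added example (not from the slides): a password-reset verification ladder.
Name and date of birth are easy to obtain, so they never authorise a reset on
their own; caller ID is a warning signal, not an authenticator, because it can be
withheld or spoofed. Directory, numbers and the OTP channel are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets


class Decision(Enum):
    APPROVE = "approve"    # agent may reset the password
    ESCALATE = "escalate"  # hand to second line / line manager; no reset yet
    DENY = "deny"          # refuse and record the attempt


@dataclass
class Employee:
    username: str
    full_name: str
    dob: str               # ISO date, e.g. "1985-04-12"
    phone_on_record: str   # the only number the agent may call back on
    email_on_record: str   # where a one-time code would be delivered


@dataclass
class ResetRequest:
    claimed_username: str
    presented_caller_id: Optional[str]   # None: caller withheld their number
    given_name: str
    given_dob: str
    # out-of-band factors the agent actually performed during the call
    callback_answered_on_record_number: bool = False
    otp_entered: Optional[str] = None


# Constructed directory entry (hypothetical employee and numbers).
DIRECTORY: Dict[str, Employee] = {
    "alice": Employee("alice", "Alice Example", "1985-04-12",
                      "+442079460001", "alice@example.com"),
}


class OtpChannel:
    """Simulated one-time code sent to the contact on record. Codes are stored as
    HMAC tags and are single-use, so a copied store or a replayed code is useless."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._issued: Dict[str, str] = {}

    def _tag(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def send(self, username: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._issued[username] = self._tag(code)
        return code  # delivered out of band in practice; the agent never reads it out

    def check(self, username: str, code: str) -> bool:
        expected = self._issued.pop(username, None)  # consumed on first use
        return expected is not None and hmac.compare_digest(expected, self._tag(code))


def verify_reset(req: ResetRequest, otp: OtpChannel, audit: List[str]) -> Decision:
    """Decide whether a reset may proceed; every outcome is written to the audit log."""
    emp = DIRECTORY.get(req.claimed_username)
    if emp is None:
        audit.append(f"DENY: unknown account {req.claimed_username!r}")
        return Decision.DENY

    # Caller ID is a signal for the agent, never an authenticator.
    if req.presented_caller_id is None:
        audit.append(f"WARN: number withheld on request for {emp.username}")
    elif req.presented_caller_id != emp.phone_on_record:
        audit.append(f"WARN: caller id {req.presented_caller_id} does not match "
                     f"number on record for {emp.username}")

    kba_ok = (req.given_name.casefold() == emp.full_name.casefold()
              and req.given_dob == emp.dob)
    if not kba_ok:
        audit.append(f"DENY: knowledge answers wrong for {emp.username}")
        return Decision.DENY

    # Knowledge answers only locate the account; an out-of-band factor must succeed.
    if req.callback_answered_on_record_number:
        audit.append(f"APPROVE: {emp.username} verified by callback to number on record")
        return Decision.APPROVE
    if req.otp_entered is not None:
        if otp.check(emp.username, req.otp_entered):
            audit.append(f"APPROVE: {emp.username} verified by one-time code")
            return Decision.APPROVE
        audit.append(f"DENY: wrong or reused one-time code for {emp.username}")
        return Decision.DENY

    audit.append(f"ESCALATE: only name/DOB supplied for {emp.username}")
    return Decision.ESCALATE


if __name__ == "__main__":
    log: List[str] = []
    chan = OtpChannel(b"demo-key")
    print(verify_reset(ResetRequest("alice", None, "Alice Example", "1985-04-12"), chan, log))
    code = chan.send("alice")
    print(verify_reset(ResetRequest("alice", "+447700900123", "Alice Example",
                                    "1985-04-12", otp_entered=code), chan, log))
    print("\n".join(log))
```

The ordering is the point: a caller who knows only a name and date of birth, even from a matching number, gets ESCALATE rather than a reset, and the one-time code is consumed on first check and compared in constant time, so an agent cannot be talked into accepting it a second time.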
Summary
• Helpdesks, while essential to Service Delivery, are a valuable target for Social Engineering attacks due to the range of information they can access.
• A successful attack can take many forms, including in person, over the phone or via technology.
• Social Engineers can use this information to facilitate a range of activities that can be extremely costly and damaging to an organisation.
• There are many ways that an organisation can reduce social engineering risks.