Social engineering
Social Engineering
"Amateurs hack computers, professionals hack people"
Alexander Zhuravlev, MSLU 2010

Contents
- Security issues today
- What is social engineering?
- Why social engineering?
- Categories of social engineering
- How to safeguard against social engineering?
- Conclusion
Security issues today
Security has never been as important as it is today. The need for information security is apparent not only for every country and organization, but also for the individual. Victims of these crimes can be left with debt, bad credit, higher interest rates, and possibly criminal charges against them until they are able to prove themselves innocent. As a result, it can take years, or even a lifetime, to recover from these wrongdoings.
According to a survey released on May 15, 2008 by the United States Department of Justice, "An estimated 3.6 million, or 3.1 percent, of American households became victims of identity theft in 2007."
What is social engineering?
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or a simple fraud, the term typically applies to trickery for information gathering or computer system access. In most cases the attacker never comes face-to-face with the victims, and the latter seldom realize that they have been manipulated.
Social engineers prey on human behavior, such as the desire to be helpful, the tendency to trust people, and the fear of getting into trouble. The sign of a truly successful social engineer is that they obtain the information without raising any suspicion.
By this method, social engineers exploit the natural tendency of a person to trust another person's word, rather than exploiting computer security holes. It is generally agreed that "users are the weak link" in security, and this principle is what makes social engineering possible.
Why social engineering?
Social engineering uses human error or weakness to gain access to a system despite the layers of defensive security controls that may have been implemented. A hacker may have to invest a lot of time and effort in breaking an access control system, but will find it much easier to persuade a person to allow admittance to a secure area or even to disclose confidential information. Despite the automation of machines and networks today, there is no computer system in the world that is not dependent on human operators at one point in time or another.
Behaviors vulnerable to social engineering attacks
Social engineering has always been present in some form or another, primarily because of some very natural facets of human behavior. A social engineer exploits these behavior patterns to drive the target towards becoming a victim of the attack. Common human behaviors that are exploited by social engineers are shown in the image provided.
Exploitation of human behavior
Categories of social engineering
There are two main categories under which all social engineering attempts can be classified:
- The technology-based approach deceives the user into believing that he is interacting with a "real" application or system and gets him to provide confidential information. For instance, the user gets a pop-up window informing him that the computer application has a problem and that he will need to re-authenticate in order to proceed. Once the user provides his ID and password in that pop-up window, the damage is done.
- Attacks based on the non-technical approach are perpetrated purely through deception, i.e. by taking advantage of the victim's human behavior weaknesses (as described earlier). For instance, the attacker impersonates a person of high authority: he or she places a call to the help desk, pretends to be a senior manager, and says that he or she has forgotten the password and needs it reset right away.
Technology-based approach
- Phishing
This term applies to an email appearing to have come from a legitimate business, a bank, or a credit card company, requesting "verification" of information and warning of some dire consequences if it is not done.
- Vishing
This is the practice of leveraging Voice over Internet Protocol (VoIP) technology to trick private personal and financial information from the public for the purpose of financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services.
- Spam mails
E-mails that offer friendship, diversion, gifts and various free pictures and information take advantage of the anonymity and camaraderie of the Internet to plant malicious code.
- Popup window
The attacker's rogue program generates a pop-up window saying that the application connection was dropped due to network problems, and that the user now needs to re-enter his ID and password to continue the session.
- Interesting software
In this case the victim is convinced to download and install a "very useful" program or application, which may be "window dressed".
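The phishing and pop-up descriptions above list the cues a user is meant to notice: a trusted name on an unfamiliar sender domain, a lookalike domain, urgency, a request for credentials, and a link whose visible text differs from where it points. The following is an added example, not part of the original slides, that turns those cues into a small triage function a mail gateway or awareness tool could run. The brand list, keyword lists and both sample messages are constructed for the example; the 0.8 similarity threshold is an assumption chosen for illustration.

```python
"""Heuristic triage of phishing indicators in an e-mail (added example).

Every data value below is constructed for illustration; a real deployment
would load brands and keywords from configuration.
"""
import re
from difflib import SequenceMatcher

# Constructed map of brand keyword -> legitimate sending domain (assumption).
KNOWN_BRANDS = {"examplebank": "examplebank.com", "acme": "acme.example"}

# Constructed keyword lists for the "dire consequences" and "verification" cues.
URGENCY = ("immediately", "within 24 hours", "account will be suspended",
           "urgent", "verify now")
CRED_REQUEST = ("password", "verify your account", "confirm your details",
                "social security", "card number")

# Constructed similarity threshold for lookalike-domain detection (assumption).
LOOKALIKE_THRESHOLD = 0.8


def domain_of(addr):
    """Extract the lowercase domain part of an e-mail address ('' if none)."""
    m = re.search(r"@([\w.-]+)", addr)
    return m.group(1).lower() if m else ""


def looks_like(domain, legit):
    """True if domain closely resembles legit (or a subdomain of it) but is not it."""
    if domain == legit or domain.endswith("." + legit):
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= LOOKALIKE_THRESHOLD


def phishing_indicators(msg):
    """Return the sorted list of indicator names triggered by msg.

    msg is a dict with keys from_name, from_addr, reply_to, subject, body.
    """
    hits = set()
    sender_domain = domain_of(msg["from_addr"])
    # Normalise the display name so "Example Bank" matches brand "examplebank".
    name = re.sub(r"\s+", "", msg["from_name"].lower())

    for brand, legit in KNOWN_BRANDS.items():
        brand_claimed = brand in name
        domain_is_legit = sender_domain == legit or sender_domain.endswith("." + legit)
        if brand_claimed and not domain_is_legit:
            hits.add("brand_name_domain_mismatch")
        if looks_like(sender_domain, legit):
            hits.add("lookalike_domain")

    # Replies silently diverted to a different domain than the sender's.
    reply_to = msg.get("reply_to", "")
    if reply_to and domain_of(reply_to) != sender_domain:
        hits.add("reply_to_mismatch")

    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(k in text for k in URGENCY):
        hits.add("urgency_language")
    if any(k in text for k in CRED_REQUEST):
        hits.add("credential_request")

    # Anchor text shows one domain while the href points to another.
    link_re = r'<a href="https?://([^/"]+)[^"]*">\s*https?://([^/<\s]+)'
    for href_domain, shown_domain in re.findall(link_re, msg["body"], re.I):
        if href_domain.lower() != shown_domain.lower():
            hits.add("link_text_mismatch")
            break

    return sorted(hits)


# Constructed sample messages (not real mail).
PHISH = {
    "from_name": "Example Bank Security",
    "from_addr": "alerts@examp1ebank.com",
    "reply_to": "support@mailbox.example.net",
    "subject": "Verify your account within 24 hours",
    "body": ('Your account will be suspended. Confirm your details at '
             '<a href="http://examp1ebank.com/login">https://examplebank.com/login</a>'),
}
LEGIT = {
    "from_name": "Example Bank",
    "from_addr": "statements@examplebank.com",
    "reply_to": "",
    "subject": "Your monthly statement is available",
    "body": ('Sign in from our home page to view it. '
             '<a href="https://examplebank.com/">https://examplebank.com/</a>'),
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(msg))
```

The indicators are deliberately independent, so a message that trips several of them is a stronger candidate for quarantine or for a user-facing warning banner than one that trips a single keyword; a single hit on its own (a legitimately urgent notice, say) is only a prompt for closer inspection, which is exactly the habit the awareness training in the later slides is meant to build.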
Non-technical approach
Pretexting / Impersonation
This is the act of creating and using an invented scenario (the pretext) to persuade a target to release information. It is more than a simple lie, as it most often involves some prior research or set-up and makes use of pieces of known information (e.g. date of birth, mother's maiden name, billing address, etc.) to establish legitimacy in the target's mind.
Dumpster diving
If discarded mail contains personal identification information, a "dumpster diver" can use it to carry out identity theft. A hacker can also retrieve confidential information from the hard disk of a discarded computer, as there are numerous ways to retrieve information from disks even if the user thinks the data has been "deleted".
Spying and eavesdropping
A clever spy can determine an ID and password by observing a user typing it in (shoulder surfing). All that needs to be done is to stand behind the user and be able to see his fingers on the keyboard.
Acting as a technical expert
This is the case where an intruder pretends to be a support technician working on a network problem and requests the user to let him access the workstation to "fix" the problem.
Support staff
Here a hacker may pose as a member of the facility support staff. A man dressed like the cleaning crew walks into the work area carrying cleaning equipment. While appearing to clean your desk area, he can snoop around and obtain valuable information, such as passwords or a confidential file that you have forgotten to lock up.
How to safeguard against social engineering?
A well-documented security policy, with its associated standards and guidelines, forms the foundation of a good security strategy. Its components include:
- Acceptable usage policy: for acceptable business usage of email, computer systems, etc.
- Information classification and handling: for identifying critical information assets
- Personnel security: screening prospective employees and contractors to ensure that they do not pose a security threat to the organization if employed
- Physical security: securing the facility from unauthorized physical access with the help of sign-in procedures
- Information access control: password usage and guidelines for generating secure passwords
- Protection from viruses: securing the systems and information from viruses and similar threats
- Information security awareness training: ensuring that employees are kept informed of threats
- Compliance monitoring: continually ensuring that the security policy is being complied with

Conclusion
Social engineering is a technique used by hackers and other criminals to persuade people to divulge confidential information for personal gain or for malicious purposes. Although social engineering attacks are difficult to defend against because they involve the human element, it is possible for organizations and individuals to protect themselves by being trained on the importance of security and by gaining awareness of the social engineering attacks they may encounter.
Thank you for your attention
Alexander Zhuravlev, MSLU 2010