Social Engineering
An attack vector most intricate to handle!

Introduction

What is 'Social Engineering'?
Social Engineering is probably most succinctly described by Harl in 'People Hacking': "…the art and science of getting people to comply with your wishes."

“Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick a person into revealing sensitive information or getting them to do something that is against typical policies. By this method, social engineers exploit the natural tendency of a person to trust his or her word, rather than exploiting computer security holes. It is generally agreed upon that “users are the weak link” in security and this principle is what makes social engineering possible.” Unknown Author, "Social Engineering", Wikipedia

An example at a glance
“In 1994, a French hacker named Anthony Zboralski called the FBI office in Washington, pretending to be an FBI representative working at the U.S. embassy in Paris. He persuaded the person at the other end of the phone to explain how to connect to the FBI's phone conferencing system. Then he ran up a $250,000 phone bill in seven months.” Bruce Schneier, “Secrets and Lies”

How does the Social Engineering attack cycle work?

1. Information gathering
The aggressor can use a variety of techniques to gather sensitive information about the target(s). Once this information is gathered, it can be used to build a relationship either with the target or with someone who is important to the success of the attack. Information that might be gathered includes, but is not limited to:
•A birth date
•A phone list
•An organization’s organizational chart

2. Developing a relationship
An aggressor will first try to build up a good bond with the target. He makes sure that he gains the trust of the target, which he’ll later exploit.

3. Exploitation
The target can then be manipulated by the ‘trusted’ attacker into revealing sensitive information such as a password, or into carrying out an action (e.g. “re-enter your username and password to reverse Facebook policies”). This action could come at the beginning or end of the attack, or of the next phase.

4. Execution
Once the target has finished the task requested by the attacker, the cycle is complete.

General attack vector facts and figures

There are two types of Social Engineering attacks:
Technical attacks
Non-technical attacks

“Technical attacks are those attacks that deceive the user into believing that the application in use is truly providing them with security, which is not always the fact.”

The most technical attacks

Phishing
Phishing is a new term of this century for taking private information from a user. Your natural response to this statement is, of course, "yeah, but I am not so simply fooled." And of course you aren't. This is why phishers use a technique called "social engineering". It is generally used for cybercrime, but sometimes it is also done over the telephone/mobile phone. The information obtained is then used to commit crimes, such as logging into your Facebook account and posting vulgar or illicit material on your wall, or taking full control of your bank account and transferring money. In phishing, the aggressor never comes face to face with the victim. The appearance and logos are almost the same as the original, or sometimes identical, and the message requests that the user “verify” their information, warning that if this is not done it will lead to serious consequences. These kinds of e-mails appear to have come from a legitimate business organization.

Example

Spam e-mails
This is a mass e-mail system. Hundreds and thousands of e-mails are sent to the victim. This is tightly related to phishing attempts.
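As an added example that is not part of the slide deck, the following Python script scores a raw e-mail for the phishing traits the slides describe: a display name impersonating a brand whose domain differs from the sender's, a link whose text shows the legitimate site while its href points elsewhere, and a "verify" demand coupled with a threat. The sample messages and all domains are constructed placeholders, and the registrable-domain check is a crude two-label approximation rather than a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Lure wording the slides describe: a "verify" demand coupled with a threat.
URGENCY = ("verify", "suspended", "within 24 hours", "immediately", "locked")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w.-]+\.[a-z]{2,}", re.I)

def registered_domain(host):
    # Crude approximation (assumption): last two DNS labels, no public-suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def phishing_indicators(raw_message):
    # Returns human-readable indicators found in one raw RFC 822 message.
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_payload()
    hits = []
    # 1. Display name claims a brand, but the sending domain belongs to someone else.
    sender_domain = registered_domain(address.split("@")[-1]) if "@" in address else ""
    brand = display_name.split()[0].lower() if display_name else ""
    if brand and sender_domain and brand not in sender_domain:
        hits.append(f"display name '{display_name}' vs sender domain {sender_domain}")
    # 2. Link text shows the legitimate site, href leads to a look-alike page.
    for href, text in ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = HOST_RE.search(text)
        if shown and registered_domain(shown.group(0)) != registered_domain(href_host):
            hits.append(f"link text {shown.group(0)} but href host {href_host}")
    # 3. "Verify your information or face consequences" wording.
    found = [w for w in URGENCY if w in body.lower()]
    if "verify" in found and len(found) >= 2:
        hits.append("verify demand with threat/urgency: " + ", ".join(found))
    return hits

# Constructed samples (not real messages); all domains are placeholders.
PHISH = """From: "ExampleBank Security" <alerts@mail-notices.example.net>
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify it:</p>
<a href="http://login.mail-notices.example.net/verify">https://www.examplebank.example.com/login</a>
"""
LEGIT = """From: "ExampleBank" <statements@examplebank.com>
Content-Type: text/plain

Log in as usual to view your statement. We will never ask for your password.
"""
```

Running `phishing_indicators(PHISH)` yields three indicators, while the plain statement notice yields none; in practice such heuristics feed a mail gateway's score rather than a hard block.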
The non-technical attacks
“Non-technical attacks are those attacks that are purely perpetrated through the art of deception.” - peer to peer

Support staff
The attacker poses as a genuine support crew member offering to help users fix a problem. During this process they ask for the users' credentials, and after this procedure the account is compromised by the attacker.

Hoaxing
A hoax is a trick to make the user believe that something false is real. Unlike a fraud or con, a hoax is perpetrated as a practical joke, to cause humiliation or to provoke social change by raising awareness of something.

Authoritative voice
The attacker can call the organization’s computer help desk and pretend to have trouble accessing the system. He/she claims to be in a hurry, needs his password reset right away, and also demands to be told the password over the phone. If the aggressor adds a little credibility to his story with information picked up through other social engineering methods, the crew is more likely to believe the attacker’s fake story and do as requested.

Countermeasures to prevent Social Engineering
The question might arise in your mind: how can you fully protect against a Social Engineering attack? Is there a way? The answer is almost ‘No’, for the simple reason that no matter what controls are implemented, there will always be the possibility of human exploitation through social, political or sophisticated behavior. Nevertheless, as with any risk, there are ways in which we can diminish the risk by following some useful practices. One can never guarantee that he/she will never be a victim/target of a Social Engineering attack. However, you can follow the following ways to protect against Social Engineering. Never reveal information like:
•Usernames
•Passwords
•ID numbers
•PIN numbers
•Server names
•System information
•Credit card numbers
•Schedules
•Sensitive data

Summary
The skilled application of Social Engineering can be a danger to the protection of any organization. As a security professional, it is vital to understand the significance of this hazard and the ways in which it can be manifested. Only then can appropriate counter-measures be employed and sustained in order to guard an organization on a regular basis.

Thank you