1. Social Engineering
Managing the Human Element
Dr John McCarthy
Cyber Research Fellow, Cranfield University, UK Defence Academy & Vice President of Cyber Security, ServiceTec Global Services
2. Social Engineering
Managing the Human Element
Dr John McCarthy Ph.D. B.Sc. (Hons) MBCS
Vice President of Cyber Security, ServiceTec International Inc. / ServiceTec Research Fellow at Cranfield University / UK Defence Academy
3. Partners
Cyber-Physical Systems Research Centre, based at Cranfield and sponsored by ServiceTec
University of Nebraska
Federal Aviation Authority
Joint Information Operations Warfare Centre, Vulnerability Assessment Branch (JVAB), USA
5. What is Social Engineering?
Social engineering is a methodology that allows an attacker to bypass technical controls by attacking the human element in an organisation.
Social engineering attacks are likely to increase, and it is becoming increasingly important for organizations to address this issue.
6. Phishing to Honeypots
In the context of cybersecurity we often think of complex computer systems, sophisticated hackers and hacking techniques.
All too often the human element in cybersecurity is overlooked. Many criminal gangs utilize social engineering techniques, and the crossover from traditional criminal activities into the cyber world is increasingly common.
7. Social Engineering Attacks Cost
In the past two years, 48% of large businesses have suffered from socially engineered attacks at least 25 times, resulting in losses of between $25,000 and $100,000 per incident.
Attackers' primary motivation is stealing financial information, extracting trade secrets, or revenge.
8. Who is the enemy?
Cyber terrorist
Disgruntled employees
Hacktivists
Kiddies
Cyber criminals
Foreign governments
Organised crime
10. Catch Me If You Can
Frank Abagnale, who, before his 19th birthday, successfully performed cons worth millions of dollars by posing as a Pan American World Airways pilot, a Georgia doctor, and a Louisiana parish prosecutor.
His primary crime was check fraud; he became so skilful that the FBI eventually turned to him for help in catching other check forgers.
12. Stereotypes
Dorothea Puente
At the age of sixty, police discovered Puente was killing off her boarders and collecting the insurance money.
Seven bodies were buried in her back yard.
15. Phishing Attacks
Nigerian 419 email scam
DHL delivery
Tax refund
Another bank notice
PayPal
Cracking websites of companies or organizations and destroying their reputation (Twitter etc.)
16. Socially Open to All...
The primary tool used for social engineering attacks is the phishing email.
This is followed by the use of social networking sites that disclose employees' personal details.
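Since the slides name the phishing email as the primary social engineering tool, and slide 15 lists the usual lures (delivery notices, tax refunds, bank notices, payment services), the following is an added example of the kind of indicator scoring a mail gateway or SOC triage script can apply to an inbound message. It is not code from the presentation or from ServiceTec. It checks four things a human reviewer would also look at: a display name that claims a brand while the sending domain is something else, a Reply-To that diverts replies to a different domain, urgency language, and links whose visible text names a brand the link host does not belong to. The keyword list, the brand-to-domain map and the two sample messages are constructed for the example.

```python
"""Heuristic phishing-indicator scoring for an inbound RFC 5322 message.

Added example, not part of the original slides. The URGENCY_WORDS list,
the BRAND_DOMAINS map and the sample messages are assumptions made for
this example, not a vendor's rule set.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed phrases that lure recipients into acting before thinking.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account suspended", "verify now")
# Assumed brand -> legitimate registrable domain (extend for your own environment).
BRAND_DOMAINS = {"paypal": "paypal.com", "dhl": "dhl.com"}

HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host(url):
    """Return the host part of an http(s) URL, lower-cased, or '' if absent."""
    m = re.match(r"https?://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _registrable(host):
    """Crude registrable-domain extraction (last two labels); enough for this sample."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def score_message(raw):
    """Return (score, reasons): one reason per indicator class that fires."""
    msg = message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = _registrable(addr.split("@")[-1].lower()) if "@" in addr else ""

    # 1. Display name claims a brand whose real domain differs from the sender's.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display.lower() and from_dom != legit:
            reasons.append(f"display name claims {brand} but sender domain is {from_dom}")

    # 2. Reply-To diverts replies to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply:
        reply_dom = _registrable(reply.split("@")[-1].lower())
        if reply_dom != from_dom:
            reasons.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 3. Urgency language in the subject or body (single-part messages only here).
    body = msg.get_payload(decode=True)
    body = body.decode("utf-8", "replace") if body else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    # 4. Link text names a brand but the link host belongs to someone else.
    for href, label in HREF_RE.findall(body):
        host = _registrable(_host(href))
        for brand, legit in BRAND_DOMAINS.items():
            if brand in label.lower() and host != legit:
                reasons.append(f"link labelled {label.strip()!r} points to {host}")

    return len(reasons), reasons


# Constructed sample messages (not real mail); .example is a reserved TLD.
PHISH = """From: PayPal Security <alerts@paypa1-support.example>
Reply-To: helpdesk@mailbox-relay.example
Subject: URGENT: account suspended
Content-Type: text/html

<p>Your account will be closed within 24 hours. <a href="http://login.paypa1-support.example/verify">Sign in to PayPal</a></p>
"""

LEGIT = """From: Alice <alice@corp.example>
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free on Thursday? The usual place.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score}")
        for r in reasons:
            print("  -", r)
```

A score of this kind is a triage aid, not a verdict: a single indicator (a marketing mailer sent through a third-party domain, say) is common in legitimate mail, so the threshold for quarantining or flagging a message for a user should be set against a sample of the organisation's own traffic, and the user-facing warning should say which indicator fired so that awareness training and the tooling reinforce each other.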
17. Targeted Malware
Targeted malware that is, in some cases, just hours old.
Found a USB drive in the car park? Great! A freebie!
Combating this type of APT can be incredibly difficult, because all it takes is one employee to open a seemingly innocuous, yet really malicious, attachment, and the business can be compromised.
18. Common Attack Entry Points
Customer Service
Tech Support
Delivery Person
Tailgating
19. Information Gathering Techniques
Research
Professional gangs can spend months gathering information from the web and employees.
Dumpster Diving
Poor disposal of confidential data.
20. Traditional Sources
Websites
You can find information about the company, what they do, the products and services they provide, physical locations, job openings, contact numbers, bios on the executives or board of directors.
Public Servers
A company's publicly reachable servers. Fingerprinting servers for their OS, application, and IP information can tell you a great deal about their infrastructure.
21. Traditional Sources
Social media is a technology that many companies have recently embraced. User sites such as blogs, wikis, and online videos may provide information about the target company.
A disgruntled employee that's blogging about his company's problems may be susceptible to a sympathetic ear from someone with similar opinions or problems.
Public data may be generated by entities inside and outside the target company. This data can consist of quarterly reports, government reports, analyst reports, earnings posted for publicly traded companies, etc.
22. Non-Traditional Sources
Industry experts or subject matter experts can provide detailed information about an area without providing anything regarding the target company.
"When in Rome, do what the Romans do": engaging in activities or frequenting places that employees from the target company also do/visit is an excellent opportunity to elicit information. Proximity to the employees provides opportunities for conversation, eavesdropping, or possibly even covert cloning of RFID cards.
23. Influencing Others
Reciprocity, Obligation, Concession
Want a bar of chocolate?
Scarcity, Authority, Commitment and Consistency, Liking, Consensus or Social Proof, Framing
In his book "Influence: The Psychology of Persuasion", Dr. Robert Cialdini states, "Social Proof - People will do things that they see other people are doing. For example, in one experiment, one or more confederates would look up into the sky; bystanders would then look up into the sky to see what they were seeing. At one point this experiment aborted, as so many people were looking up that they stopped traffic."
Manipulation of Incentive: Financial, Social, Ideological
27. We Cannot Live in Isolation
Social media has become a necessary part of business.
Sharing of information and the access to information is now expected.
We need to understand the risks.
28. Cybersecurity Culture
Mitigation of social engineering begins with good policy and awareness training.
The most important element is creating a cybersecurity culture within an organization.
This must start at the top and work down.
29. Countermeasures
Establishing frameworks of trust on an employee/personnel level (i.e., specify and train personnel when/where/why/how sensitive information should be handled).
Identifying which information is sensitive and evaluating its exposure to social engineering and breakdowns in security systems (building, computer system, etc.).
Establishing security protocols, policies, and procedures for handling sensitive information.
Training employees in security protocols relevant to their position (e.g., in situations such as tailgating, if a person's identity cannot be verified, then employees must be trained to politely refuse).
30. Countermeasures
Performing unannounced, periodic tests of the security framework.
Reviewing the above steps regularly: no solutions to information integrity are perfect.
Using a waste management service that has dumpsters with locks on them, with keys to them limited only to the waste management company and the cleaning staff.
Locating the dumpster either in view of employees, such that trying to access it carries a risk of being seen or caught, or behind a locked gate or fence where the person must trespass before they can attempt to access the dumpster.
31. "(As) the media characterizes social engineering, hackers will call up and ask for a password. I have never asked anyone for their password."
Kevin Mitnick
Email: john.mccarthy@servicetec.com
www.airportcybersecurity.com
Airport Cyber Security Podcast